GDPR and CCPA: The right to access
23 januari 2020 
in Privacy

GDPR and CCPA: The right to access

Privacy is a hot topic, and rightfully so. More and more data subjects invoke their right of access to check which of their personal data organizations process. We applaud this development. But what exactly does this mean for organizations? When an organization is not able to grant data subjects access within the limited timeframe the GDPR or the CCPA imposes, they are at risk. In this article we hope to present a clear-cut overview of your obligations towards your data subjects regarding the right of access under both legislations.   

Your Obligations 

Organizations that have access to, or work with, personal data are responsible for those data. This means you have certain obligations towards the persons of whom you process data. Data subjects can invoke the right of access to request insight into the personal data you process. When you receive such a request the GDPR obligates you to respond within one month. Practically, this means that you have one month to collect every record of personal data pertaining to this person and share this information with the data subject in question. Based on the information provided, the data subject could decide to invoke any of their other rights given by the GDPR, such as the right to rectification or the right to erasure. In this case, you may be required to delete all information about a person from your systems, if, for instance, you no longer have a lawful ground for processing.   


With the coming into force of the CCPA, California residents have been awarded a number of similar rights. Covered businesses will have to grant data subjects access to their own data upon request. Such organizations need to have a verification procedure in place and respond to such requests within 45 days. A right to erasure can also be found in the CCPA and consumers may not be discriminated against in terms of price or service for exercising their rights.  

Well Equipped 

Are your employees aware of the steps they need to take when you receive a request for access to personal data? Will they drop everything they are working on and run around the office opening cabinets and drawers to collect records of personal data? How about unstructured folders or email inboxes? And what does your verification process look like? When you have an overview of the different processes required to handle privacy requests, and have an overview of the actual personal data that is being processed in the form of an (obligatory) data register, you are better equipped to handle such requests. When you digitize the data register, for example in the Compliance Management Framework as supplied by Audittrail, this process becomes even more efficient. Using this type of tooling makes it significantly easier to respond to the request for access within the time-limit.   

Pragmatic Solution

Is your organization access-proof? Are you able to adequately respond to requests with the set timeframe? Audittrail has developed several products and services that can help you comply with the GDPR and the CCPA fast and efficiently. Our style of work is pragmatic: we aim to deliver solutions that are easy to implement and easy to work with. If our solution ends up in the bottom drawer and is not being used by your employees, we are not doing our job right. Interested in how our products and services can help your organization become compliant with GDPR, CCPA or other privacy or security laws and regulations? Fill in our contact form or send us a quick email. We are always up for a substantive discussion on your challenges, preferably over a hot cup of coffee.

About the author
Joyce is active at Audittrail as Director of Consultancy and senior privacy lawyer. Before Audittrail she held several positions, all in the (international) legal field. She mainly supports and advises companies on the implementation of privacy.
Place comment