TrustArc Individual Rights Manager
Data Subject Access Requests (DSAR)

Meet GDPR and CCPA privacy compliance requirements for DSAR and other consumer privacy rights.

The EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) significantly increase the requirements on how businesses address individual rights, also referred to as data subject rights or consumer privacy rights. These regulations also impose strict requirements on businesses regarding the type of data subject access requests (DSAR) they need to address and the timeline and process they need to follow to fulfill the requests.

Addressing individual rights will require knowing what data has been collected, determining which rights are being exercised and whether exceptions apply, and having a solution in place to respond to requests.

TrustArc Individual Rights Manager is designed to help companies meet GDPR, CCPA and other compliance requirements, minimize risk and build trust with customers. The solution enables individuals to easily submit DSARs and companies to efficiently manage, evaluate and resolve requests within required timelines. In addition, companies can use the solution to maintain an audit trail that demonstrates accountability and regulatory compliance.

Individual Rights Manager Features

Proven Technology

TrustArc Individual Rights Manager uses proven methodology leveraging our 20-year history as one of the world’s largest providers of consumer privacy dispute resolution services. That methodology was used to design a customizable solution that enables customers to easily submit requests and companies to efficiently manage, review and follow up to meet GDPR and CCPA compliance requirements.

Request Intake

The TrustArc Button is deployed on applicable websites and prompts individuals to submit a request. Once the individual clicks through, a user-friendly form pops up, automating the process of collecting the correct information from each consumer and allowing them to easily submit a DSAR.

Identity Verification

Identity Verification allows companies to easily verify the identity of individuals submitting DSARs and ensures that the process moves forward only for valid individuals.

Request Management Portal

The request management portal streamlines tracking, evaluating and following up on DSARs; supports process completion within required timelines (i.e., for GDPR and CCPA compliance); and helps ensure that all DSARs are responded to in a timely manner.

Compliance Reports

Compliance reports can be generated to support request management efforts and show progress toward resolving requests.

Data Mapping

Integration with TrustArc Data Inventory Hub allows a company to easily locate an individual’s data within systems, which speeds up response times.

Individual Rights Consulting

TrustArc privacy experts can help develop an individual rights program process based upon analyzing a company’s business process flows. Implementing a customized compliance program will help make the process efficient, streamlined and sustainable.

Privacy Dashboard

Monitor the status of privacy KPIs along with regulatory updates with the centralized, configurable dashboard.

End to End Privacy Management

Part of the TrustArc Platform, which manages all phases of privacy compliance: assessments, data inventory & mapping, vendor risk, cookie consent, DSARs and much more.

Individual Rights Manager Guide: Frequently Asked Questions

Below are answers to popular questions relating to individual rights, data subject rights and data subject access requests (DSARs).

What are individual rights/data subject rights?

Privacy laws such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) seek to protect the personal data and privacy of individuals (also referred to as data subjects or consumers). Both define individual rights or data subject rights that they protect.

What is the right to be forgotten?

The right of erasure or deletion, or the right to be forgotten, is one of the individual rights outlined in privacy laws like GDPR and CCPA. For example, under GDPR, individuals have the right to have their personal information erased/deleted and companies are obligated to do so when there is no legitimate reason for the company to keep the information. An individual may also request the removal of links by search engines where personal data is disclosed as part of the right to be forgotten.

What are data subject rights under GDPR?

The GDPR protects the personal data of individuals, which includes anyone physically residing in the EU, even if they are not EU citizens. GDPR Articles 12-23 provide the following protections for individual rights or data subject rights: the right to information, right to access, right to rectification or erasure, right to restrict processing, right to object and right to data portability.

What are the GDPR requirements related to data subject rights?

Under GDPR, companies must protect personal data of individuals and address data subject rights when they receive a data subject access request. GDPR imposes requirements on businesses regarding the type of DSARs they need to address and the timeline and process they need to follow to fulfill the requests. For example, GDPR requires that data subject access requests be addressed within one month (with some exceptions and extensions permitted). Companies must also verify the data subject/individual’s identity before turning over information to the individual.

What are data subject access requests (DSARs)?

Under GDPR and CCPA, individuals can make data subject access requests (DSARs) of any organization they believe is holding or processing their personal data. For example, the GDPR provides individuals the rights of access and data portability. Individuals have the right to request and receive confirmation from a business about whether personal data about them is being processed and, if so, additional information, including the categories of personal information concerned, the recipients or categories of recipients with whom the information has been or will be shared, and the purposes of processing.

What are individual rights under CCPA?

The CCPA, a bill passed by the California state legislature on June 28, 2018 and slated to go into effect January 1, 2020, is the toughest privacy law in the U.S. CCPA expands the rights of consumers to have more control over their personal information and requires companies to be more transparent about how they use and disclose personal information. Referred to as individual rights or data subject rights in GDPR, these rights are referred to as consumer rights under CCPA. Individual rights under CCPA include: right to access, data portability, deletion, disclosures about sharing/sale and opt-in/opt-out.

What are the CCPA requirements related to individual rights?

The central purpose of the CCPA is to expand the rights of California residents relating to their control over personal information about them, and to require businesses to be more transparent about the ways in which they use residents’ personal information. The obligations of businesses covered by the CCPA related to individual rights include:

  • Access: Individuals may request disclosure of the specific data elements of personal information collected about them, categories of personal information collected, categories of sources, purposes for collecting or selling, and categories of recipients with whom the personal information has been shared
  • Data Portability: If the specific data elements of personal information are provided to the requestor electronically, to the extent technically feasible, they must be provided in a readily transferable electronic format
  • Deletion: Individuals may request to have their personal information deleted
  • Disclosures about Sharing/Sale: Individuals may request an accounting of the disclosures, including sale, of personal information made to third parties; this significantly expands upon the existing California “Shine the Light” law
  • Opt Out: Individuals may object to the sale of personal information about them
  • Opt In: Minors or their guardian must affirmatively authorize the sale of the minor’s personal information
