Privacy regulations like GDPR and the emerging CCPA grant individuals various rights over their own personal information. When individuals exercise these rights, organizations (in GDPR: data controllers) have an obligation to respond to the request within a predefined time frame.
Individual rights requests fall under several categories outlined in GDPR and CCPA.
| Right | Description | GDPR | CCPA |
|---|---|---|---|
| Know* | A report detailing what data is collected, processed, and transferred. | X | X |
| Access | Digital machine-readable copy of specific personal data | X | X |
| Forget / Delete | Delete personal data | X | X |
| Restrict | Limit the use of personal data when data cannot be deleted | X | |
| Object** | Prevent the use of personal information | X | X |
| Data Transfer | Send personal information to a third party | X | |
| Review Automated Decisions | Opt out from automated decisions or profiling | X | |
*Only activities involving sale or disclosure
**Only activities involving the sale of personal information
Upon receiving a request, an organization must validate the identity of the individual and respond in a timely fashion. When an organization cannot comply within the mandated time frame, it must issue an extension.
| Item | Due Date | Extension Date |
|---|---|---|
| GDPR | 30 days after receiving | 60 days after the due date |
| CCPA | 45 days after receiving | 45 days after the due date |