Authenticated DSR Handling

Authenticated DSR (Data Subject Request) Handling is a feature added to the existing Direct Contact Integration feature within the Integrations tab. It allows customers to select whether a Direct Contact connection (including Hybrid Deletion) is meant for a 3rd party processor or for an Internal System Owner. In the latter case, they can gate that flow behind their SSO login.

User Capabilities

Only the following users will have access to the Integrations tab and Authenticated DSR Handling functionality:

  • Connections Manager (if assigned to the Integration in question)
  • Super Admin

Combining any user roles that do not have access to Authenticated DSR Handling functionality with any of the above user roles that do have access will grant a user access to this functionality. For example, if a user had a Request Agent role, adding a Connections Manager role to their user record in DGAdmin would then allow them access to the Authenticated DSR Handling functionality.

Authenticated DSR Overview

Connection Modal

To connect to an Integration that will be utilized for privacy request compliance, customers must go into the DataGrail platform, navigate to the Integrations tab, and click the Configure New Integration button to search for the integration in question. Once found, clicking the Configure button will open the connection modal, allowing the user to select between the Third Party and Internally supported options for Authenticated DSR Handling setup.

Third Party Processor

When a customer chooses to configure a new integration that is either a Direct Contact Integration or an integration with Hybrid Deletion support, this option will be selected by default. This option should remain selected if customers are going to send requests to external 3rd party processors (e.g. Fedex). With this option, customers are still required to provide an email address for the processor (e.g. privacy@fedex.com) and a name for the connection. The other fields on this modal are unchanged functionally and are optional to complete.

With this option, as before, anyone that has the direct contact link is able to view and interact with the form.

Internal System Owner

Customers should select this option if they are going to send requests to an internal system owner (e.g. their Salesforce Admin) to help facilitate the processing of this privacy request.

When a customer selects this option, an additional checkbox labeled SSO Login will appear, checked.

With SSO

When the SSO Login box is checked, an additional dropdown field "Direct Contact SSO Group" will appear. This dropdown will be populated with all available Permission Groups.

Note: this checkbox is checked by default when the Internal System Owner Recipient option is selected.

Require SSO Login

A user must have a Super Admin or Connections Manager role to be able to respond to Direct Contact emails. Specifically, for users with a Connections Manager role, only those enabled (assigned to a Permissions Group) for a specific integration can access it within the Authenticated DSR Handling workflow.

Assigned users will use their existing DataGrail platform login credentials to access the Direct Contact forms (received for the completion of access/deletion requests). Regardless of whether they are assigned, any user with a Super Admin role will always be able to access any Direct Contact response form.

Without SSO

If a customer does not want to use SSO Login, they should uncheck this box. With this option, customers are still required to provide an email address for the internal system owner (e.g. john.doe@customer.com) and a name for the connection. The other fields on this modal are unchanged functionally and are optional to complete.

When the SSO Login checkbox is unchecked, there are no restrictions or validations on the email address that a customer can enter for the system owner in the processor email address text box. With this option, as in the Third Party Processor workflow, anyone that has the direct contact link is able to view and interact with the form.
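
The access rules from the Third Party Processor, With SSO and Without SSO sections, modeled as an added example so the three modes can be compared side by side. This is not DataGrail code: the class names, field names, group name and sample connections are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the rules on this page; not DataGrail API objects.
@dataclass
class Connection:
    name: str
    recipient: str                   # "third_party" or "internal_system_owner"
    sso_login: bool = False          # the SSO Login checkbox
    sso_group: Optional[str] = None  # the Direct Contact SSO Group

@dataclass
class User:
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)  # Permission Groups assigned

def sso_gated(conn):
    # Only Internal System Owner connections can be placed behind SSO.
    return conn.recipient == "internal_system_owner" and conn.sso_login

def can_open_form(conn, user=None):
    """user=None models someone who only holds the direct contact link."""
    if not sso_gated(conn):
        return True                  # possession of the link is the only control
    if user is None:
        return False
    if "Super Admin" in user.roles:  # always allowed, assigned or not
        return True
    # Roles combine: any user holding Connections Manager qualifies,
    # but only when assigned to the group chosen for this connection.
    return ("Connections Manager" in user.roles
            and conn.sso_group is not None
            and conn.sso_group in user.groups)

def link_only(connections):
    """Names of connections whose form is open to any link holder."""
    return [c.name for c in connections if not sso_gated(c)]

# Constructed sample inventory.
CONNECTIONS = [
    Connection("Fedex", "third_party"),
    Connection("Salesforce", "internal_system_owner", True, "crm-owners"),
    Connection("Legacy CRM", "internal_system_owner", False),
]
```

Running `link_only(CONNECTIONS)` over an inventory of this shape lists the connections where the emailed link is the only thing protecting the response form.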

Request Manager > Privacy Request View

In the DataGrail platform, when viewing an individual privacy request, customers are able to see logs related to the outreach and associated response with both API and Direct Contact integration types. In the request view, there will be a clear delineation between which emails have been sent to a third party processor and which ones have been sent to an internal system owner.

Email Templates

To facilitate communication with the processor of Direct Contact Integrations, two emails are sent to the processor email address for both access and deletion requests: the initial email, sent when the DataGrail system ‘kicks off’ the Direct Contact Integration, and the secondary (or reminder) email, sent as standard 5 days after the initial email.

As before, all email templates associated with Direct Contact Integrations are not applicable for translations; English is the only available language.

Third Party Processor

The existing email templates for Direct Contact Integrations where the connection type ‘Third Party Processor’ is selected have been renamed to: Direct Contact Request (Third Party Processor) and Direct Contact Request Reminder (Third Party Processor) respectively. Additional context of the relationship of these email templates to the connection type has been added into the description within the email template, though the default copy of the language in the email templates has not been modified.

For existing customers, any modifications/alterations made to these templates previously will be retained and not be overwritten. These previous modifications will only apply to these Direct Contact Third Party Processor email templates and will not be applied to the new Direct Contact Internal System Owner email templates. Regardless of any previous modifications, customers will be able to make copy adjustments to these templates.

Internal System Owner

With the addition of the new flow for Internal System Owners, two new email templates, one for the initial email and one for the reminder email, have been added to the list of available Email Templates. These email templates have been named: Direct Contact Request (Internal System Owner) and Direct Contact Request Reminder (Internal System Owner) respectively.

Additional context of the relationship of these email templates to the connection type has been added into the description within the email template, and there is default copy of the language in the email templates. Customers will be able to make copy adjustments to these templates. The email templates associated with the ‘Internal System Owner’ nomenclature will be sent to both Internal System Owner connection types: with and without SSO.

Privacy Request > Direct Contact Form

Direct Contact forms are sent for both access and deletion request types to the email address associated with the Direct Contact Integration connection.

When associated with an access request type, the Direct Contact form that is sent allows the processor to either (1) upload information on the data subject in question or (2) confirm that there is no data present associated with the data subject requester in said system.

When associated with a deletion request type, the Direct Contact form that is sent allows the processor to either (1) confirm that they have deleted PII associated with the data subject requester or (2) confirm that there is no data present associated with the data subject requester in said system to delete.

Third Party Processor

The copy on this form has not been modified with the addition of the Internal System Owner connection option.

Internal System Owner

New copy has been created for this kind of Direct Contact Integration connection. It removes language referring to the ‘customer’ and adds the System Name of the Integration the user is being contacted about.

The Integration modal UI has been visually updated for all Integrations, including Direct Contact Integrations. Additionally, API Integrations will now show hidden fields with past provided credentials. Customers are still required to provide all fields if they want to update a connection, because partial updates are still not supported.

Need help?
If you have any questions, please reach out to your dedicated CSM or contact us at support@datagrail.io.

Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.