Direct Contact Integrations
Direct Contact Integrations allow DataGrail to automatically facilitate Privacy Requests with systems that do not have a dedicated API. This integration type utilizes an email workflow with a secure form that allows a configured system owner (processor) to action requests for both access and deletion.
Connect to DataGrail
Connecting a Direct Contact Integration to DataGrail is quick and easy: Integrating with Direct Contact
Any integration can be configured with direct contact capabilities for access and deletion! For example, if you would rather utilize API capabilities for access requests in an integration, but would prefer a human processor to action deletion requests, just edit the integration and select "Direct Contact" under Deletion Request in the left-hand menu.
Workflow
When a Direct Contact Integration is selected on a Privacy Request, processors will receive an email with a link to a form that allows them to take action. After the initial email, a reminder is sent every five days until the request has been completed or expires.
If the Direct Contact Processor does not respond in 14 days, the integration will either be skipped or will block the request, depending on your Deadline Automation Settings.
The Direct Contact workflow differs for each type of Privacy Request within DataGrail.
Access, Access Categories, Third Party Disclosure, Transfer, and Update Inaccuracies
For Access, Access Categories, Third Party Disclosure, Transfer, and Update Inaccuracies requests, Direct Contact Emails are sent to processors when the request reaches Active: Extracting Personal Data.
If a processor confirms data exists for the requester, they will be given the option to upload it directly on the form. Otherwise, they can respond that they do not hold data. Processors are given the option to add notes through the form, which will be surfaced to DataGrail users on the Privacy Request.
Access Categories requests only allow the processor to indicate if they hold data. This request type does not allow the processor to upload data.
Once the form is submitted, the integration is marked as complete within DataGrail. Any uploaded data from the processor can be reviewed or removed from the Privacy Request from within the DataGrail app.
Deletion and Object to Processing
For Deletion and Object to Processing Requests, Direct Contact Emails are sent to processors when the request reaches Active: Pending Delete. Direct Contact Integrations do not perform action during the Active: Extracting Personal Data state for this request type.
The Direct Contact form asks processors to delete, confirm no data is held for the requester, or indicate and provide an explanation for why data could not be deleted. The integration will be marked as complete once the form is submitted. The Integration Status in DataGrail will indicate the response made by the processor.
File Upload
Files uploaded to direct contact forms must meet the following criteria.
Allowed File Types:
.tsv, .csv, .json, .pdf, .txt, .xml, .xls, .xlsx
Total Combined Upload Limit: 200MB
Active Request Summary Emails
DataGrail offers a weekly Active Request Summary email notification to help Direct Contact Processors manage requests that require their action. These emails are configured at the integration-level, allowing you to choose which processors receive the notifications.
Active Request Summary Email Content
These emails will include the following information:
- Request ID The UUID of the Privacy Request in DataGrail.
- Due Date This is the due date of the direct contact form sent by DataGrail, not the due date of the request itself.
- Overdue? Whether the direct contact form is overdue. DataGrail gives processors 14 days to respond to requests.
- Form Link A link to the direct contact form, for the processor to action the request.
To enable the Active Request Summary Email for an integration:
- Navigate to the Integration you would like to enable the notifications for.
- Select Edit Integration.
- Under Direct Contact Settings, check Active Request Summary Email.
- Save the Integration.
Active Request Summary Emails are sent weekly on Mondays to the Direct Contact Email configured for the integration.
Security
As an added effort to minimize the sharing of PII through the direct contact integration process, direct contact form links auto-expire once the form has been submitted or after 14 days, depending on your Deadline Automation Settings. This ensures access to the form is limited to active requests.
Direct Contact Integrations can additionally be configured to require Single Sign-on.
Sharing a small amount of the data subject’s personally identifiable information (PII) is necessary on the form so the processor can locate and take action on the data subject’s records if they are present in their system. This type of data sharing can be covered by a Data Processing Agreement (DPA). Consult with your legal team to see if you have a DPA in place with your service providers.
Frequently Asked Questions
How do I stop processing a Direct Contact Integration?
A User can stop processing a Direct Contact system at any time during the data retrieval process by selecting the '...' icon and then Stop Processing on the Direct Contact Integration.
This will disable the processor form and stop further notifications for that particular system.
Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.