Direct Contact Integrations
Direct Contact Integrations allow DataGrail to automatically facilitate Privacy Requests against systems without a dedicated API. Direct Contact Integrations utilize an email workflow with a secure form that allows a configured processor to action requests for both access and deletion.
Users
Only the following users will have access to connect and manage Direct Contact Integrations:
- Super Admin
- Connections Manager
Workflow
When a Direct Contact Integration is selected on a Privacy Request, processors will receive an email with a link to a form that allows them to take action. After the initial email, a reminder is sent every five days until the request has been completed or expires. If the processor does not respond within 14 days, the integration will either be skipped or will block the request, depending on your Deadline Automation Settings.
The Direct Contact workflow differs for each type of Privacy Request within DataGrail.
Access, Access Categories, Third Party Disclosure, Transfer, and Update Inaccuracies
For Access, Access Categories, Third Party Disclosure, Transfer, and Update Inaccuracies requests, Direct Contact Emails are sent to processors when the request reaches Active: Extracting Personal Data.
If a processor confirms data exists for the requester, they will be given the option to upload it directly on the form. Otherwise, they can respond that they do not hold data. Processors are given the option to add notes through the form, which will be surfaced to DataGrail users on the Privacy Request.
Access Categories requests only allow the processor to indicate if they hold data. This request type does not allow the processor to upload data.
Once the form is submitted, the integration is marked as complete within DataGrail. Any uploaded data from the processor can be reviewed or removed from the Privacy Request from within the DataGrail app.
For more information on allowed file types and upload limits on Direct Contact forms, please see: File Uploads
Deletion and Object to Processing
For Deletion and Object to Processing requests, Direct Contact Emails are sent to processors when the request reaches Active: Pending Delete. Direct Contact Integrations do not perform any action during the Active: Extracting Personal Data state for this request type.
The Direct Contact form asks processors to delete the data, confirm that no data is held for the requester, or indicate that the data could not be deleted and explain why. The integration will be marked as complete once the form is submitted. The Integration Status in DataGrail will indicate the response made by the processor.
Connect to DataGrail
Connecting a Direct Contact Integration to DataGrail is quick and easy: Integrating with Direct Contact
Any integration can be configured with direct contact capabilities for access and deletion! For example, if you would rather utilize API capabilities for access requests in an integration, but would prefer a human processor to action deletion requests, just edit the integration and select "Direct Contact" under Deletion Request in the left-hand menu.
Security
DataGrail does not store any PD, PI, or PII from integrations and instead sends it directly to the customer's cloud storage bucket so the customer can determine their required retention/purging timeline.
As an added effort to minimize the sharing of PII through the direct contact integration process, direct contact form links auto-expire once the form has been submitted or after 14 days, depending on your Deadline Automation Settings. This ensures access to the form is limited to active requests.
Sharing a small amount of the data subject’s personally identifiable information (PII) is necessary on the form so the processor can locate and take action on the data subject’s records if they are present in their system. This type of data sharing can be covered by a Data Processing Agreement (DPA). Consult with your legal team to see if you have a DPA in place with your service providers.
Frequently Asked Questions
How do I stop processing a Direct Contact Integration?
A User can stop processing a Direct Contact system at any time during the data retrieval process by selecting the '...' icon and then Stop Processing on the Direct Contact Integration.
This will disable the processor form and stop further notifications for that particular system.
Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.