Policies
Policies govern what Privacy Rights are available to Data Subjects on the Privacy Request Center based on their detected location. Privacy Request Policies typically align with regulations such as GDPR and CPRA to ensure each individual's privacy rights are respected and fulfilled.
DataGrail provides pre-built Request Policies for common privacy regulations across the globe to make maintaining compliance easy.
The policies you configure for Request Manager are linked to Consent Policies. While you can control the consent behavior for each policy in the Consent Management Policies Page, the name of the policy and what locations it's associated with are determined by the Request Manager Policy.
Example: If a new policy is created in Request Manager, this policy will also be made available in Consent. If you edit the name, location, or status of the Request Manager policy, these fields will also be edited for the corresponding Consent Policy.
Editing Request Policies
Opening the Policies page in the left-hand menu of DataGrail will allow you to view all Privacy Request Policies configured on your account. This page is made available for the Super Admin, Request Admin, Request Agent, Consent Management Admin, and Consent Management Edit user roles.
This page provides a high-level overview of the policies enabled on your account, whether they are active, and the Privacy Rights they afford.
To edit the configuration for a particular Request Policy:
- Select the policy from the table.
- Edit the desired fields.
- Select Save Changes.
Saved changes will immediately be applied to your Privacy Request Center. Existing Privacy Requests are not impacted, but any new selections made in the Wizard will reflect the updated policies.
The fields on the Privacy Request Policy Details page represent the following:
| Field Name | Description |
|---|---|
| Name | The name of the policy as displayed on the Intake Form to Data Subjects and to internal users. |
| Description | The internal-only description of the policy. |
| Locations | The locations in which this Request Policy is applied. |
| Status | Whether or not the policy is active in Request Manager. |
| Authorized Agent | Whether or not Authorized Agent Requests can be submitted under this policy. |
| Include Privacy Rights | Whether this policy affords any Privacy Rights to Data Subjects. The Privacy Request Center will show no rights if this option is disabled. |
| Privacy Rights | The Privacy Rights available on this policy, which can include: Access, Access Categories, Third Party Disclosure, Deletion, Data Portability (Transfer), Object to Processing, Update Inaccuracies, Opt Out, Sale Disclosure, and Disclosure. |
| Request Duration | How long your company has to fulfill this privacy request. |
| Extension Period | How long your company can extend the deadline to fulfill a privacy request after an extension is filed. |
To add new policies to your account, please contact support@datagrail.io
Deactivating Policies
You may choose to deactivate an active policy if, for example, you have created a "roll-up" policy of a selection of states that have identical rights and deadlines associated to them.
If you deactivate an active policy, please be aware that:
- Any policy-specific customizations defined within the Privacy Request Center will no longer be applied.
- Any workflows working with the policy set as a condition will evaluate to false.
- On your next publish action of DataGrail Consent to live websites, any users of your website subject to consent policies will be initialized to the defaults defined in the next less specific region (i.e. if you remove a state policy, then we will apply any policies with the United States as the assigned location).
Application of Request Policies
Privacy Request Policies govern what Privacy Rights are offered to data subjects based on their automatically detected location.
Policy Assignment
Request Policies can be associated with granular location like a state, a broad location like a country, or both! When a Data Subject visits your form, the policy with the most granular location will always be applied.
For example, if a Data Subject from California visits your Intake Form, the CPRA Request Policy associated with California will always be applied over the US Standard Request Policy associated with the United States because it is more specific.
If the Data Subject is geolocated to Connecticut, but no specific policy for this state exists, the broader US Standard Request Policy will be applied.
If the Data Subject's location does not fall under any location-specific Request Policies, the Global Privacy Rights (Default Policy) will always be applied.
The Data Subject has the ability to change their location on the Privacy Request Center at any time, allowing a different Request Policy to be applied.
Displaying Privacy Rights
The geolocated Request Policy is applied immediately when a Data Subject loads your Intake Form. When they view this page for the first time, they will only be shown the Privacy Rights configured for their location.
If a Request Policy exists with no assigned Privacy Rights, the Data Subject will be shown a message indicating that their location is not supported.
Automatic Policy Updates
As privacy laws change, DataGrail can automatically add policies for new privacy legislation in your account. DataGrail can additionally modify your existing policies to ensure locations, privacy rights, and durations match what is required by the legislation.
Turn this setting on or off in Settings and Policies.
- If enabled, DataGrail will create a new policy that aligns with the legalized regulation and, if necessary, reassign a location from one policy to another.
- If disabled, DataGrail will create a new policy that aligns with the legalized regulation but will not set it as active. You will have the ability to activate this later, if desired.
You cannot activate an inactive policy that contains the same location as another policy. A location can only be attached to one policy at a time.
Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.