Intro to Privacy Requests
Data Protection Regulations such as theGDPR provide data subjects with a range of privacy rights relating to the personal data a business may have collected on them.
Requests
Someone who makes a privacy request regarding the data held and used by your company is referred to as a Data Subject.
There are four basic types of requests that you can process in the DataGrail platform currently. These types are based off the CPRA selected rights by the data subject. Depending on the location of the requestor and what regulation applies to them they can ask for the following types of requests:
- Access (Download)
- Access Categories
- Correction
- Deletion
Depending on the type of request that is submitted by the requestor, the request will fall into two basic lifecycles, click each to learn more:
Policies
DataGrail supports legal Privacy Policies as they are put into place and will automatically show the applicable legal framework based on the Data Subject's geo-location identified from their IP Address.
Learn more about how this works by checking out our Intake Form Policies Based on Location article.
The four most prominent polices are outlined below.
CPRA (California Privacy Rights Act)
This is the amendment to CCPA, launching on January 1st, 2023. Under CPRA, businesses have to comply within 45 calendar days (with a 45 day extension where applicable) to be compliant with the following rights for California consumers (Data Subjects) :
- Privacy Rights
- Right to Access (Download)
- Right to Access Categories of Data Processed
- Right of Correction
- Right to Deletion (exceptions apply)
- Right to Data Portability
- Do Not Sell Rights
- Right to Opt-Out of the sale of data
- Right to NonDiscrimination when exercising their privacy rights
- Right to Opt-Out of Automated Decisioning
The intake form will also require the Data Subject to select their relationship with the business using the following choices :
- Customer
- Employee
- Former Employee
- Job Applicant
- Business Contact
- Other
- Authorized Agent (If applicable)
USSP (US Standard Policy)
The US Standard Policy covers privacy right operations across the United States in Virginia (VCDPA), Colorado (CPA), Utah (UCPA), and Connecticut (CTDPA) and will be the standard policy applicable if the Data Subject is within those states or states that do not currently have an active Privacy Policy.
Businesses have to comply within 45 calendar days (with a 45 day extension where applicable) to be compliant with the following Data Subject rights:
- Privacy Rights
- Right of Access (Download)
- Right of Correction
- Right of Deletion
- Right of Data Portability
- Do Not Sell Rights
- Right of Opt-Out of Data Sales (if applicable, through DG Opt-Out Form)
- Right of Opt-Out of Targeted Ads (through DG GTM + GPC solution)
GDPR (Global Data Protection Regulation)
Under the GDPR, data subjects have the following rights and controllers and processors have to comply within 30 days (with a 2 month extension where applicable) to be compliant with the following Data Subject rights :
- Privacy Rights
- Right of Access (Download)
- Right to Data Portability
- Right to Rectification
- Right to Erasure (i.e. right to deletion (exceptions apply))
- Right to Restriction of Processing
GDP (Global Default Policy)
The GDP covers all Data Subjects outside of standard regulated locations (such as CA, EU, etc.). Under the GDP, data subjects have the following rights and controllers and processors have to comply within 30 days (with a 2 month extension where applicable) to be compliant with the following Data Subject rights :
- Privacy Rights
- Right of Access (Download)
- Right to Deletion (i.e. right to deletion (exceptions apply))
Please reach out to your dedicated CSM or support@datagrail.io If you have any questions or would like to discuss the customization options noted above.
Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.