Privacy Request Center Overview
The Privacy Request Center (PRC) is the central hub where your customers exercise their privacy rights and build trust with your brand. Our self-service portal makes it easy to customize how you receive access, deletion, rectification, and other types of data subject requests (DSRs) for processing within our platform.
The Privacy Request Center is a hosted form on your domain (ours is hosted on preferences.datagrail.io) which allows Data Subjects to easily submit privacy requests to your organization.
Geolocation
The Privacy Request Center dynamically offers Data Subjects the relevant privacy rights in their country/region based on the location reported by the browser (e.g. if the detected location is France, GDPR request options will auto-populate). The Privacy Request Center can also translate the form based on the Data Subject's detected location.
The Data Subject can always change their location if they feel their rights are more applicable to a different region, such as those traveling but making a privacy request in their home state.
In the Request Manager portal, privacy managers will be able to see the location that was selected, as well as whether it differed from the detected location.
Submitting a Request
Once the privacy right to be exercised is selected, the Data Subject will be prompted to enter the necessary details needed to process the request. Each request type includes various fields by default to ensure the correct information is received to process the request.
The text and fields in this form are configurable. Learn more about the standard configuration options here.
Before submitting the request, the Data Subject must complete a CAPTCHA to reduce spam and fraud during the intake process.
DataGrail offers an authorized agent workflow for institutions or other people to make requests on behalf of data subjects.
Email Verification
Once a data subject submits a privacy request, they will be asked to confirm their email address. This is referred to as Email Verification and is a safeguard against spam and requests illegitimately made on behalf of others.
The verification email and all other email messages sent to data subjects are customizable with Email Templates.
The Data Subject has 7 days to verify their identity. If the verification is not completed within 7 days, the request will automatically move to closed and the data subject will receive an email that their privacy request was rejected. Verified requests will immediately move to the Wizard, so your team can begin processing.
A reminder email will be sent to Data Subjects who do not verify within 24 hours.
Verification links can only be clicked once. If a Data Subject has already verified their request and attempts to use the verification link again, they will see a 404 page.
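The lifecycle described above (single-use link, 7-day window, 24-hour reminder) can be modelled as follows. This is an added example, not DataGrail's code; the `VerificationStore` class, its in-memory storage, the hashed-token lookup, and the 404 response for an expired link are assumptions.

```python
import hashlib
import secrets
from datetime import timedelta

VERIFY_WINDOW = timedelta(days=7)      # page: 7 days to verify
REMINDER_AFTER = timedelta(hours=24)   # page: reminder if unverified after 24 hours

def _digest(token):
    # Store only a hash so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()

class VerificationStore:
    """Hypothetical in-memory stand-in for the verification table."""
    def __init__(self):
        self._rows = {}  # token digest -> state for one privacy request

    def issue(self, request_id, now):
        token = secrets.token_urlsafe(32)  # unguessable value placed in the emailed link
        self._rows[_digest(token)] = {"request_id": request_id, "issued": now,
                                      "status": "pending", "reminded": False}
        return token

    def click(self, token, now):
        """Handle a link click; returns (http_status, request_id or None)."""
        row = self._rows.get(_digest(token))
        if row is None or row["status"] != "pending":
            return 404, None               # unknown or already-used link
        if now - row["issued"] > VERIFY_WINDOW:
            row["status"] = "rejected"     # assumption: an expired link also gets 404
            return 404, None
        row["status"] = "verified"         # consume the link on first use
        return 200, row["request_id"]

    def sweep(self, now):
        """Periodic job; returns (request ids to remind, request ids to reject)."""
        remind, reject = [], []
        for row in self._rows.values():
            if row["status"] != "pending":
                continue
            age = now - row["issued"]
            if age > VERIFY_WINDOW:
                row["status"] = "rejected"
                reject.append(row["request_id"])
            elif age >= REMINDER_AFTER and not row["reminded"]:
                row["reminded"] = True
                remind.append(row["request_id"])
        return remind, reject
```

Checking the status before marking the row verified is what makes a second click on the same link fail, and `sweep` ensures each pending request is reminded at most once before it is rejected.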
Phone Verification
In addition to Email Verification, DataGrail offers Phone Verification, which provides an additional layer of security. The verified phone number can also be used as an identifier. This verification is optional and can be enabled by customizing your intake form to include the Phone Number question.
The flow for Phone Verification is as follows:
- Data Subject receives the same email verification email with a link to verify their email.
- Once email is verified, as part of the same flow, the Data Subject will be prompted to verify their phone number.
- The Data Subject will receive a text message with a code to enter into the form to verify their phone number.
- Once the phone number is verified, the request can continue forward for processing.
Viewing Privacy Requests
Once the request is submitted, the request details will be logged to DataGrail. You can visit the Request Queue to see the current list of all privacy requests.
From here, Request Manager users can click into each request and begin processing!
Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.