Data Subject Verification

DataGrail offers multiple methods to verify the identify of Data Subjects submitting a Privacy Request. Verification is critical in safeguarding against spam and requests illegitimately made on behalf of others.

Only requests submitted through the Privacy Request Center require verification by default. Requests submitted through email, phone, and API are automatically considered verified. Your team always has the option to verify a request in the DataGrail Wizard.

DataGrail supports the following verification methods:

• Email Verification (default)
• Phone Verification
• Authorized Agent
• Smart Verification

Verification For All Privacy Request Intake Methods

Contact support@datagrail.io if you would like to require verification automatically for all Privacy Request intake methods.

Email Verification

All Privacy Requests submitted through the Privacy Request Center will automatically send a verification email to the Data Subject.

Workflow

The flow for Email Verification is as follows:

1. After submitting a request, the Data Subject receives an email that contains a verification link, which is valid for 7 days.
   1. If the link is not opened within 24 hours, a reminder email will be sent to the Data Subject.
   2. If the link is not opened within 7 days, the Data Subject will receive a Verification Rejected email, and the Privacy Request will automatically move to Closed: Unverified.
2. If the Data Subject opens the link and selects Verify Email within the 7-day window, the request will immediately move to the Wizard State, so your team can begin processing.

A Data Subject can only open the verification link once. If they attempt to open the link again, they will see an error page indicating that the request has already been verified.

Email Templates

The verification email and all other email messages sent to Data Subjects are customizable with Email Templates.

Phone Verification

Phone Verification can be configured to provide an additional layer of security that can be used as an identifier. This verification is optional and can be enabled by customizing your intake form to include the Phone Number question.

Workflow

The flow for Phone Verification is as follows:

1. Data Subject receives the same email verification email with a link to verify their email.
2. Once email is verified, as part of the same flow, the Data Subject will be prompted to verify their phone number.
3. The Data Subject will receive a text message with a code to enter into the form to verify their phone number.
4. Once the phone number is verified, the request can continue forward for processing.

Authorized Agent

There are scenarios where a Data Subject will require a request to be submitted on their behalf by an agent, or someone who has their power of attorney.

DataGrail's Authorized Agent workflow through the Privacy Request Center allows agents to securely and seamlessly submit requests on behalf of the Data Subject, while requiring verification from both parties.

Enabling Authorized Agent

Authorized Agent is enabled at the Privacy Request Policy level. To add Authorized Agent to a Request Policy:

1. From the left-hand menu, select Request Policies.
2. Select the relevant policy.
3. Use the Authorized Agent toggle to enable or disable the feature for the locations covered by the policy.

Changes will be saved automatically. Once toggled on, Authorized Agent will only affect requests submitted after the toggle was turned on.

Workflow

The flow for Authorized Agent is as follows:

1. After a request is submitted, the Authorized Agent must complete DataGrail's standard email verification. They will additionally be prompted to upload a document that proves their status as an Authorized Agent.
2. Once the agent has verified, the Data Subject will receive an email and must complete DataGrail's standard email verification. They will additionally be prompted to approve the Authorized Agent.
3. If the Data Subject does not authorize the request, it will automatically move to Closed: Unverified.
4. If both parties complete the verification steps, the request will move to the Wizard State to be reviewed.
5. In the Wizard State, a DataGrail user must review the answers from the Data Subject as well as the documentation from the Agent before approving the request.
   1. If you reject the request, it will move to Closed: Unverified and the Data Subject will receive an
   2. If you accept the information they submitted, the Data Subject will receive a Verification Rejected email, and the Privacy Request will automatically move to Closed: Unverified.

Agent Verification Upload Limit

The file upload is limited to a combined size of 10MB and each file must be in one of the following formats: .pdf, .doc, .docx, .png, .jpg, .jpeg, .txt or .rtf

Smart Verification

Smart Verification is an optional feature that allows additional data points to be leveraged in verifying a requester's identity for a Privacy Request. With Smart Verification enabled, DataGrail allows compliance teams to:

• Avoid collecting additional PII
• Verify phone numbers associated with consumer’s account record
• Ask custom questions related to consumer’s account record
• Require consumer to confirm, under penalty of perjury that information is correct
• Approve or reject consumer responses using the system of record.

Enabling Smart Verification

Smart Verification enablement is straightforward, but must be configured by the DataGrail Support Team (support@datagrail.io).

Choosing a Legal Framework

Smart Verification is intended to be used on only the CPRA Legal Framework, but this can be enabled on any Privacy Request Policy within DataGrail.

Choosing a System of Record

Smart Verification requires a supported System of Record to be integrated with DataGrail. This allows DataGrail to automatically verify additional data points.

DataGrail only supports a single System of Record to be used with Smart Verification, so we recommend you choose a system that will contain data for the majority of your data subjects (e.g. CRM or Ecommerce Platform). If you choose a System of Record that is too specific, most requesters will fail the verification process.

Supported Systems of Record

• Autopilot
• Delighted
• Eloqua
• Marketo
• Mixmax
• Outreach
• Salesforce
• SalesLoft
• SendinBlue
• Shopify

Choosing Smart Verification Questions

Smart Verification questions represent the additional data points you want your data subjects to verify. These questions should be applicable to the majority of your users, as overly specific questions will cause data subjects to fail the verification process.

Example Questions Include:

• What was the order number of your last purchase?
• What was the date of your last appointment?

At least two questions are required, but we recommend adding more to ensure data subjects can choose a question they have an answer to.

Phone Numbers

Phone number will always be a required data point if the requester's email has an associated phone number in the System of Record. This question does not need to be added manually.

Workflow

Smart Verification operates using a point system. Each data point a requester verifies is considered a point in the Smart Verification workflow.

Each right to privacy requires a different number of data points in order for a request to be verified:

• Access: 3 Points
• Deletion: 3 Points
• Access Categories: 2 Points

The flow for Smart Verification is as follows:

1. When a Data Subject submits a request through a legal framework with Smart Verification enabled, they will be taken to the Smart Verification Page, after completing Email Verification. Email verification counts as one point.
2. If a phone number in your System of Record found for the Data Subject, they will be prompted to verify it. Phone verification grants one additional point.

3. Lastly, the Data Subject is prompted to answer any configured Smart Verification Questions. Each correct response grants one additional point.

4. Once the Data Subject completes the verification process, the request will move to the DataGrail Wizard.
5. The Data Subject responses to Smart Verification questions in addition to what DataGrail fetches from your System of Record are included in the Wizard for a DataGrail user to approve. Regardless of whether each response matches the data point in the System of Record, the Request Admin has the ability to approve or reject the verification.