Deletion Request Lifecycle

When a Data Subject wants all their data deleted from your systems, they will submit a Deletion request. The purpose of a deletion request is to remove any of the Data Subject's personally identifiable information from systems that your organization uses.

Request Submission

When a Privacy Request is created, its workflow is partially determined by its submission method. Requests submitted through API, Toll-Free Number, and Email Forwarding will automatically enter the Active: Wizard state.

Requests created from the Intake Form will enter the Active: Pending Verification state immediately after creation.

Active: Pending Verification

Once a request enters the verification state, an email will be sent to the Data Subject with a link to verify their identity. This ensures the Data Subject owns the email they are requesting information for.

The Data Subject has 7 days to verify their identity. If the verification is not completed within 7 days, the request will automatically move to Closed: Unverified. Verified requests will immediately move to the Active: Wizard state. A reminder email will be sent to Data Subjects who do not verify within 24 hours.

Verification Links

Verification links can only be clicked once. If a Data Subject has already verified their request and attempts to use the verification link again, they will see a 404 page.

Email Templates: Email Verification, Email Verification Reminder
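
The single-use, time-limited link behaviour described above, modelled as an added Python example (not DataGrail's code). The class and method names, the token format and the 404 for expired links are assumptions; the 7-day window, 24-hour reminder, state names and template name come from this page.

```python
import hashlib
import secrets
from datetime import timedelta

VERIFY_WINDOW = timedelta(days=7)     # page: 7 days to verify
REMINDER_AFTER = timedelta(hours=24)  # page: reminder after 24 hours


def _digest(token):
    # Store only a hash so a leaked table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()


class VerificationLinks:
    """Hypothetical in-memory model, not DataGrail's implementation."""

    def __init__(self):
        self._pending = {}  # token digest -> request record

    def issue(self, request_id, now, next_state="Active: Wizard"):
        token = secrets.token_urlsafe(32)  # unguessable link secret
        self._pending[_digest(token)] = {
            "id": request_id, "issued": now,
            "next": next_state, "reminded": False}
        return token

    def redeem(self, token, now):
        """Return (http_status, new_state) for a clicked link."""
        rec = self._pending.get(_digest(token))
        # Assumption: expired links get the same 404 as used or unknown ones.
        if rec is None or now - rec["issued"] > VERIFY_WINDOW:
            return 404, None
        del self._pending[_digest(token)]  # single use: consume on first click
        return 200, rec["next"]

    def sweep(self, now):
        """Periodic job: remind after 24 hours, close after 7 days."""
        events = []
        for key, rec in list(self._pending.items()):
            age = now - rec["issued"]
            if age > VERIFY_WINDOW:
                del self._pending[key]
                events.append((rec["id"], "Closed: Unverified"))
            elif age >= REMINDER_AFTER and not rec["reminded"]:
                rec["reminded"] = True
                events.append((rec["id"], "Email Verification Reminder"))
        return events
```

Passing `next_state="Active: Extracting Personal Data"` to `issue` models verification started from the end of the wizard.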

Closed: Unverified

If the Data Subject fails to verify their email within 7 days, they will receive a confirmation that their Privacy Request was rejected, and the request will automatically move to closed.

Email Templates: Verification Rejected

Warning: Requests in the Closed: Unverified state cannot be reopened. A new Privacy Request must be submitted if a Data Subject fails to verify their email.

Active: Wizard

The Request Wizard gives Privacy Managers an opportunity to review Data Subject information and confirm Privacy Requests are configured with the correct Legal Framework and other information.

At the end of the wizard, Privacy Managers are given the option to send Data Subjects a receipt of the request.

Additionally, Privacy Requests submitted via API, Toll-Free Number, and Email Forwarding are given an option to verify the Data Subject's email at the end of the wizard. If this option is selected, requests will move to Active: Pending Verification and, once verified, directly to Active: Extracting Personal Data.

Info: The Wizard State can be automatically skipped for verified requests by configuring your Wizard Automation settings.

Email Templates: Privacy Request Confirmation

DataGrail Notifications: Request Status - Pending Wizard

Active: Extracting Identifiers

If your account is configured to use Multiple Identifiers, configured integrations will begin to extract them in this state. Otherwise, the request will move immediately to Active: Extracting Personal Data.

Once extraction is complete, requests will move to Active: Extracting Personal Data.

Active: Extracting Personal Data

In this state, API integrations will begin querying for Data Subject PII to determine what needs to be deleted for the Data Subject. Use the Integration Status to see where configured integrations are in the extraction process.

Privacy Requests will remain in this state until all integrations complete successfully or are stopped. Any retrieved data will be uploaded to your cloud storage bucket.

If an integration encounters an error, it will automatically be retried the next day. A Privacy Request cannot proceed while any integration has an error. All unfinished integrations will be retried daily. If an integration shows a processing status for an extended period of time, it may be an Asynchronous Integration waiting for the third party to complete processing.

Any "processing" or "failed" integration can be manually skipped by selecting the three dots on the right side of the integration and then Complete Request. Marking an integration as completed will ignore any data retrieved and cannot be undone.

Once all integrations complete, Privacy Requests will automatically move to Active: Pending Action.

Direct Contact & Whole-Record Deletion Integrations

Direct Contact Integrations do not send emails to processors in this state. Emails will be sent in the Active: Pending Delete state. Additionally, integrations that utilize whole-record deletion will not be started in this workflow state.

These integration types will show a Not Started status in Active: Extracting Personal Data.

Active: Pending Action

This state allows Privacy Managers to review retrieved data and determine what they would like to delete on behalf of the Data Subject. For more information on how to select/deselect data fields on deletion requests, please see Editing PII Data Files.

Direct Contact and Whole-Record Deletion Integrations do not support reviewing data before it is deleted. If selected, these integration types will attempt to delete the data, if it exists, in the Pending Delete state.

Once all data has been reviewed, select Process Request to review the final confirmation email to the Data Subject and move the request to Active: Pending Delete.

DataGrail Notifications: Request Status - Pending Action

Active: Pending Delete

In this state, all selected API integrations will initiate deletion and Direct Contact Integrations will send emails to processors. Privacy Requests will remain in this state until all integrations complete successfully or are stopped. Use the Integration Status to see where configured integrations are in the deletion process.

If an integration encounters an error, it will automatically be retried the next day. A Privacy Request cannot proceed while any integration has an error. All unfinished integrations will be retried daily. If an integration shows a processing status for an extended period of time, it may be an Asynchronous Integration waiting for the third party to complete processing.

Any "processing" or "failed" integration can be manually skipped by selecting the three dots on the right side of the integration and then Complete Request. Marking an integration as completed cannot be undone.

Once all integrations complete, Privacy Requests will automatically move to Closed: Notifying Requester.

Direct Contact Automation

Direct Contact Processors are given 14 days to respond to requests from DataGrail. After 14 days, the integration will either be skipped or block the Privacy Request from proceeding, depending on your Deadline Automation Settings.

Closed: Notifying Requester

Once this state is reached, Data Subjects will receive an email indicating their deletion request has been processed.

Email Templates: Deletion Request Results

Closed: Deleted

This state indicates the Data Subject has successfully received the Deletion Request Results email.


Disclaimer: The information contained in this message does not constitute legal advice. We advise seeking professional counsel before acting on or interpreting any material.