Initiating Privacy Requests with DataGrail
Processing privacy requests is a very manual process that can be prone to human error and increase compliance risk. DataGrail's Privacy Intake process helps customers reduce hours spent managing DSARs through automation.
Many jurisdictions, including California and the EU, allow individuals to request what information a company maintains about them and to request that those records be deleted.
DataGrail customers can receive privacy requests through multiple methods (including intake form, email forward, and toll-free number), verify the identity of the requester, and maintain an activity log for compliance.
How it Works
DataGrail customers can host a DataGrail-powered Privacy Request Form on their privacy domain. This is separate from the Do Not Sell Form. Based on the IP address of the user accessing the form, the policy requirements specific to that user's location are automatically updated and shown on the form (learn more about this in the article "Verifying Data Subject Location").
hCAPTCHA is also included on forms as an additional measure to protect against spam and fraud in the privacy request process.
- Authorized Agents Workflow: CCPA regulations (§ 999.326) stipulate companies must provide a way for authorized agents to make requests on behalf of data subjects. For this to be available on the form, a customer must have Smart Verification enabled.
Note: The text and fields in this form are configurable. Learn more about the standard configuration options here
Once a data subject submits a privacy request, they will be asked to confirm their email address. This is a safeguard against spam and requests illegitimately made on behalf of others.
Note: This and all other email templates sent to the data subject are customizable. Learn more about the email templates available to your team here
Viewing Privacy Requests
Once the request is submitted, the request details will be logged to DataGrail. Admin users can go to Request Manager > Requests to see the current list of all privacy requests.
- Email - email address captured in the Privacy Intake Form
- Type - privacy request type (can be access, access category, deletion, rectification, pause processing)
- Status - request status can fall into one of four main categories:
  - Active - request is in progress and is in one of the following states: Pending Action, Wizard, Pending Recruiting, Extracting Personal Data
  - Unverified - request is pending the data subject's email verification
  - Processed - request is ‘Pending Delete’ or in a ‘Notifying Requestor’ state
  - Closed - request has been closed with one of the following reasons: Nonresponsive, Spam, Requester Downloaded, Requester Didn’t Download, Responded to Requestor, Deletion Completed
- Assignee - who the privacy request has been assigned to
- Deadline - the number of days from request submission until the request is due
From here, Admin users can click into each request and begin processing!
Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.