Skip to main content

Processing Requests Overview

When processing a Privacy Request in DataGrail there are always two workflow states that require review from Privacy Managers:

  • Active: Wizard: This state allows Privacy Managers to review Data Subject information before querying your connected systems for PII.
  • Active: Pending Action: This state allows Privacy Managers to review retrieved data before executing deletion or providing results to the Data Subject.

DataGrail additionally provides a set of Manual Actions that allow you to pause, close, or request an extension on a Privacy Request at any time.

Data Subject Requests Page

The Data Subject Requests page in the left-hand sidebar displays all Privacy Requests submitted to your organization. From here, you can search, filter, and sort the list of requests. When you want to take action on a Privacy Request, select the row in the list to navigate to the Request Details page.

Request Queue

The left-hand sidebar includes multiple filters that allow you to isolate requests by parameters like Request Type, Request Status, Deadline, and more!

DataGrail also allows all Privacy Requests to be exported as a TSV or CSV by selecting Download in the top-right corner of the Data Subject Requests page.

Request Lifecycle

The lifecycle of a Privacy Request and the integrations that are processed depends on the Privacy Right being exercised. The lifecycle for each Privacy Right in DataGrail can be found below:

Integration Statuses

Integration Statuses additionally provide insight into how your integrations are progressing through each DataGrail Request Lifecycle outlined above.

API Integration Details

When processing Privacy Requests with DataGrail, it is important to understand the technical differences between your integrations, as these details influence how your requests are processed and the time needed to do so.

Finding Details About Your Integrations

To understand the type and deletion method for any Integration, select it from the Integrations Page, and click View Connection Instructions. The capabilities will be listed in the linked document.

Synchronous API

Synchronous API integrations operate in a real-time manner, where each request is processed immediately by the system, while the DataGrail client waits for a response. Since the system processes DataGrail's API requests immediately, these integrations generally complete access and deletion most quickly, usually in a few minutes.

Queueing API Requests

DataGrail utilizes an internal queue for synchronous API requests, to ensure fairness in processing across all customers.

Asynchronous API

Asynchronous API integrations do not provide DataGrail with an immediate response to API requests. After the processor accepts the API request, DataGrail will automatically "poll", or check the status of the request, hourly.

Asynchronous integrations will show a "processing" status in DataGrail until the API returns a complete status during one of these hourly polls. The processing times of asynchronous integrations are completely dependent on the processor, and in some cases, can take up to two weeks to complete.

Best Practices For Processing Privacy Requests With Asynchronous Integrations

It is important to give asynchronous APIs the most time possible to complete requests. To do this, it is crucial to execute any manual steps in the DataGrail workflow as soon as possible, so API requests can be made:

  1. As soon as a Data Subject verifies their email, complete the Wizard step of the DataGrail workflow. Completing this step will allow your API integrations to initialize and make their first requests.
  2. Review deletion requests in the Pending Action state quickly. Deletion requests initiate PII deletion immediately after this state. To ensure asynchronous integrations have the most time to process, it is critical that requests are not kept in the Pending Action state for an extended period of time.
Deletion Behavior Configuration

Asynchronous integrations offer a Deletion Behavior configuration option on the integrations page, allowing you to expedite your Privacy Requests.

deletion behavior configuration

Mark integration as complete when a deletion request is successfully submitted:

  • This configuration option allows the integration to be marked as "complete" in DataGrail as soon as the asynchronous process accepts the API request from DataGrail. DataGrail will not poll asynchronous integrations with this option enabled.

Continue processing until the deletion request is completed:

  • This is the standard deletion behavior for an asynchronous integration. DataGrail will show a "processing" status for the integration until the system indicates the request has been actioned.

Deletion Methods

DataGrail utilizes multiple deletion methods for Data Subject Requests, Standard Deletion and Whole Record Deletion, which are described below.

Standard Deletion

DataGrail's standard deletion method is used for the majority of API integrations and offers the most functionality within the DataGrail portal.

The workflow for an integration using standard deletion is as follows:

  1. Once a deletion request moves to the Extracting Personal Data state, the integration will automatically query the source system for data subject PII.
  2. In the Pending Action state, privacy managers will have the ability to review and deselect any PII to be deleted.
  3. Finally, in the Pending Delete state, the integration will only delete fields/records selected in the previous Pending Action state.

Whole Record Deletion

In the case an API does not support DataGrail's standard deletion method, DataGrail utilizes Whole Record Deletion to provide the most automation possible with your integrations.

The primary difference between these two deletion types is the ability to first query for PII in the Extracting Personal Data state. Whole Record Deletion integrations cannot first query systems for PII and do not support the selection of individual records for deletion.

The workflow for a Whole Record Deletion integration is as follows:

  1. In Extracting Personal Data state, the integration will be marked as "Access Skipped".
  2. In the Pending Action state, privacy managers will only have the ability to select/deselect the entire integration.
  3. In the Pending Delete state, if selected, the integration will attempt to delete all data subject PII (if any) in the system.
Whole Record Deletion Integrations and Workflow Automations

Whole Record Deletion Integrations should not be used in "data found" conditions in workflow automations. Since these integrations do not retrieve data on deletion requests, it will always be treated as "no data found".

 

Need help?
If you have any questions, please reach out to your dedicated Account Manager or contact us at support@datagrail.io.

Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.