Smart Verification of Data Subject's Identity
By default, DataGrail verifies a data subject's identity through a verification message sent to their email. DataGrail also offers "Smart Verification" functionality, with an increased number of data points that must be verified in order to process a Privacy Request.
Smart Verification is an optional feature that allows additional data points to be leveraged in verifying a requester's identity for a Privacy Request. This feature was originally introduced for California's CCPA/CPRA Regulations.
CPRA Regulations recommend that businesses verify privacy requests with up to 3 data points + signing, depending on the type of request. CPRA prohibits businesses from collecting more PII during the verification process, so DataGrail leverages existing data already on file to verify CCPA requests. With Smart Verification enabled, DataGrail allows compliance teams to:
- Avoid collecting additional PII
- Verify phone numbers associated with the consumer’s account record
- Ask custom questions related to the consumer’s account record
- Require the consumer to confirm, under penalty of perjury, that the information is correct
- Approve or reject consumer responses using the system of record
Smart Verification is also required in order to utilize Extended Verification.
Smart Verification is not enabled by default and must be configured in conjunction with the DataGrail support team. Smart Verification was originally intended to be used only with the CPRA Legal Framework, but can be enabled on any policy within DataGrail. It must be enabled on all rights to privacy within a given Legal Framework.
Smart Verification requires a System of Record (SOR) to be connected to DataGrail, in order to verify these additional data points.
Supported Systems of Record
- Oracle DB
- Revolve Internal
Smart Verification enablement is straightforward, but does require the assistance of the DataGrail Support Team (email@example.com).
Choosing a System of Record
Smart Verification requires a supported System of Record to be integrated with DataGrail. This allows DataGrail to automatically verify additional data points. Supported Systems of Record are listed above.
DataGrail only supports a single System of Record to be used with Smart Verification, so we recommend you choose a system that will contain data for the majority of your data subjects. If you choose a System of Record that is too specific, most requesters will fail the verification process.
Choosing Smart Verification Questions
Smart Verification questions represent the additional data points you want your data subjects to verify. These questions should be applicable to the majority of your users, as overly specific questions will cause data subjects to fail the verification process. At least two questions are required, but we recommend adding more to ensure data subjects can choose a question they have an answer to.
Phone number will always be a required data point if the requester's email has an associated phone number in the System of Record. This question does not need to be added manually.
Once these Smart Verification questions are determined, please provide them to the DataGrail Support Team along with the associated field name in the System of Record.
Choosing a Legal Framework
Smart Verification is intended to be used on only the CPRA Legal Framework, but this can be enabled on any policy within DataGrail.
Please tell the DataGrail Support team which policies you would like Smart Verification enabled on.
Smart Verification Workflow
Smart Verification operates using a point system. Each data point a requester verifies is considered a point in the Smart Verification workflow. Each right to privacy requires a different number of data points in order for a request to become verified.
The required number of verified data points for each right to privacy is as follows:
- Access: 3 Points
- Deletion: 3 Points
- Access Categories: 2 Points
When a Data Subject submits a privacy request through a legal framework with Smart Verification enabled, they are sent an email with a link to the Smart Verification Page. Clicking this link automatically verifies the requester's email, which is considered 1 point.
Once the requester is taken to the Smart Verification page, DataGrail automatically checks the configured System of Record for a phone number associated with the verified email address. If an associated phone number is found, DataGrail requires that phone number be verified. Completing this verification grants 1 additional point.
Since most rights to privacy require at least 3 points for verification, another data point must be verified. The customer must configure at least 2 questions that expect a data point present in the System of Record as a response. Answering these questions correctly will grant additional points and will allow a Privacy Request to be verified completely. Customers can choose to add as many additional questions as they would like, giving the requester a choice on which data point they would like to verify.
The above image represents a deletion request (3 points required), in which a phone number was not verified and two additional data points need to be collected.
Once the requester acknowledges the perjury statement and selects submit, their portion of the Smart Verification process is complete. When a Request Admin logs into DataGrail, they will see this request in the Active:Wizard state. After completing step 4 of the wizard, the Request Admin now has the option to approve or reject the verification. All responses to Smart Verification questions are listed and the third column indicates whether the response matches the data point in the System of Record.
Regardless of whether each response matches the data point in the System of Record, the Request Admin has the ability to approve or reject the verification. This is often useful in cases where the response provided by the requester does not match the data point in System of Record exactly. For example, a customer may provide a date of "1-1-2021" instead of "January 1, 2021".
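The point tally and the match column described above can be modelled as follows. This is an added sketch, not DataGrail's code: the field names, the sample record, the list of date spellings and the rule that a match found only after normalization is left to the Request Admin are all assumptions.

```python
from datetime import datetime

# Required points per right, as listed on this page.
REQUIRED_POINTS = {"access": 3, "deletion": 3, "access_categories": 2}

# Assumed date spellings to try; month-first ordering is an assumption.
DATE_FORMATS = ("%m-%d-%Y", "%B %d, %Y", "%Y-%m-%d")


def normalize(value):
    """Canonical form for comparison: ISO date if parseable, else casefolded text."""
    text = " ".join(value.split())
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).date().isoformat()
        except ValueError:
            continue
    return text.casefold()


def review_summary(right, phone_verified, responses, record):
    """Tally points and build the per-response match column for the admin."""
    base = 1 + (1 if phone_verified else 0)  # email link click, then phone
    rows, exact, near = {}, 0, 0
    for field, answer in responses.items():
        on_file = record.get(field)
        if on_file is not None and answer == on_file:
            rows[field] = "exact"
            exact += 1
        elif on_file is not None and normalize(answer) == normalize(on_file):
            rows[field] = "normalized"  # left for the Request Admin to judge
            near += 1
        else:
            rows[field] = "mismatch"
    required = REQUIRED_POINTS[right]
    return {
        "rows": rows,
        "required": required,
        "verified_strict": base + exact >= required,
        "verified_if_admin_accepts": base + exact + near >= required,
    }


# Constructed sample: deletion request, phone not verified, two questions answered.
SAMPLE_RECORD = {"signup_date": "January 1, 2021", "billing_zip": "94105"}
SAMPLE_RESPONSES = {"signup_date": "1-1-2021", "billing_zip": "94105"}

if __name__ == "__main__":
    print(review_summary("deletion", False, SAMPLE_RESPONSES, SAMPLE_RECORD))
```

With the constructed sample, the request falls one point short on exact matches alone and reaches the 3-point threshold only if the admin accepts the differently formatted date.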
After step 5 of the wizard, the Smart Verification process is complete.
Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.