Privacy Request Policies
Privacy Request Policies govern what Privacy Rights are available to Data Subjects on the Privacy Request Center based on their detected location. Privacy Request Policies typically align with regulations such as GDPR and CPRA to ensure each individual's privacy rights are respected and fulfilled.
DataGrail provides pre-built Request Policies for common privacy regulations across the globe to make maintaining compliance easy.
Viewing Request Policies
Opening the Request Policies page in the left-hand menu of DataGrail will allow you to view all Privacy Request Policies configured on your account. This page is made available for the Super Admin, Request Admin, and Request Agent user roles.
This page provides a high-level overview of the policies enabled on your account, whether they are active, and the Privacy Rights they afford.
Request Policy Details
To view the details for a particular Request Policy, select the name from the table. Privacy Request Policies offer multiple configuration options to support robust privacy programs and organizations operating in around the world.
The fields on the Privacy Request Policy Details page represent the following:
| Field Name | Description |
|---|---|
| Policy Status | Whether the policy is currently Active or Inactive as well the last date it was in use. |
| Internal Name | The name of the policy as displayed to internal DataGrail users. |
| External Name | The name of the policy as displayed to on the Intake Form to Data Subjects. |
| Authorized Agent | Whether or not Authorized Agent Requests can be submitted under this policy. |
| Verification Method | The verification method configured on this policy, either Email or Smart Verification. |
| Default Privacy Policy | Whether the policy is used as the default. The Default Policy is always applied to data subjects that reside in a location not explicitly covered by another policy. |
| Request Duration | How long your company has to fulfill this privacy request. |
| Extension Period | How long your company can extend the deadline to fulfill a privacy request after an extension is filed. |
| Privacy Rights | The Privacy Rights available on this policy, which can include: Access, Access Categories, Third Party Disclosure, Deletion, Transfer, Object to Processing, and Update Inaccuracies. |
| Locations | The locations in which this Request Policy is applied. |
To add, remove, or modify Privacy Request Policies on your account, please contact support@datagrail.io
Application of Request Policies
The primary intent of a Privacy Request Policy is to govern what Privacy Rights are offered to data subjects based on their automatically detected location.
Policy Assignment
Request Policies can be associated with granular location like a state, a broad location like a country, or both! When a Data Subject visits your form, the policy with the most granular location will always be applied.
For example, if a Data Subject from California visits your Intake Form, the CPRA Request Policy associated with California will always be applied over the US Standard Request Policy associated with the United States because it is more specific.
If the Data Subject is geolocated to Connecticut, but no specific policy for this state exists, the broader US Standard Request Policy will be applied.
If the Data Subject's location does not fall under any location-specific Request Policies, the Global Privacy Rights (Default Policy) will always be applied.
The Data Subject has the ability to change their location on the Privacy Request Center at any time, allowing a different Request Policy to be applied.
Displaying Privacy Rights
The geolocated Request Policy is applied immediately when a Data Subject loads your Intake Form. When they view this page for the first time, they will only be shown the Privacy Rights configured for their location.
If a Request Policy exists with no assigned Privacy Rights, the Data Subject will be shown a message indicating that their location is not supported.
Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.