Create and manage subject rights requests for data beyond Microsoft 365 (preview)
Subject rights requests for data beyond Microsoft 365 (preview) support two types of requests:
Export: An export of a data subject’s personal data found in the organization’s data landscape.
Delete: The deletion of all the personal data of a data subject that’s located within the organization’s data landscape.
Requests can be created by two means:
A data subject can complete and submit an online request form created by your organization.
A user in your organization can manually create a request on behalf of a data subject.
This article explains how requests can be created, what a request’s progress stages are, and how to manage requests all the way through to fulfillment.
Requests created from a request form
A data subject outside of your organization—for example, a customer or a former employee—can make a data subject request directly to your organization using an online request form that you create and host.
While Subject Sights Requests for data beyond Microsoft 365 is in preview, we suggest creating subject rights requests using test or artificial data to prevent unnecessary collection or deletion of personal information.
Manually create a request
A user in your organization can create a request when, for example, a data subject contacts your organization requesting an export or deletion of their personal data. To create a request, a user enters a request builder to input basic details about the data subject, and then connects the request to a template, which determines how the request is fulfilled. All templates can be found on the Templates tab of the Request forms and template page.
Tip
Before you can create a request, you need to first build a template.
To create a subject rights request manually:
On the Request management page, select New request to open the request builder.
On the Basic details page, select the template to use for the request, then select Next.
On the Request form page, enter the required details about the data subject.
Select Submit.
To receive a subject rights request from the portal:
On the Request forms page, select the template to use for the request.
Select the Privacy portal link to go to your organization's online privacy portal.
Enter the required details and complete the CAPTCHA challenge.
Select Submit.
The request is created in the system and you arrive at the request’s details page. The request is now in the process stage of Validating identity. Visit View stage progress to understand the request's stages.
Request management page and request details page
The Request management page lists all your requests with basic information such as name, status, its current stage, the next required actions, the response deadline, and the request’s contact, or owner. You can filter the table to view requests by type, state, deadline, or template contact.
Each request has its own details page. The request details page is where you track and manage the workflow of the request. Select a request from the list on the Request management page to open the request’s details page.
View stage progress and basic status on the Overview tab
Each request goes through different stages as it progresses toward completion. On a request’s details page, the Overview tab features a progress bar that shows the stages of the request. A green checkmark indicates a completed stage, blue loading icon indicates the stage is in progress, and a gray circle with a line through it indicates the stage doesn’t apply. The stages are detailed below:
Not started: All requests begin at this stage; indicates that the system is beginning the process of validating identity.
Identity validation: If the request is created using a template that designates a manual identity validation, an identity validation task is created for a data engineer and a blue loading icon displays until the task is completed by a data engineer. A green check mark is displayed when the manual identity validation task is complete. If the request is created manually and the template doesn’t require manual identity validation, it’s assumed that the request creator has validated the data subject’s identity, and this step displays a gray circle with a line through it.
Analyzing data: Whatever classification or sensitive info type (SIT) you selected in the request form or template, the system searches for matches to those classifications or SITs within assets in the Data Map. When assets are identified, they’re listed under The Scope section on the Overview tab shows the data subject values for the required classifications and SITs. When assets are identified, they're created as tasks for the asset owner and listed on the Task tab. The asset owner must now review the asset to find the data subject’s personal information with the asset.
Working on tasks: Tasks have been assigned and are in progress.
Approving tasks: All tasks are complete and ready for approval.
Ready to respond: All tasks are approved and the request is ready to be routed back to the data subject.
Note
Responding to the data subject happens outside of Priva by a method determined by your organization.
Tasks
When the data analysis determines that a classification or SIT related to a request has been found in a Data Map asset, a task gets assigned to the asset’s owner, who is typically a data engineer in your organization. The owner receives an email notifying them that a task related to a subject rights request has been assigned to them.
The asset owner’s job is now to look into the asset to see if it contains the personal data of the data subject related to the request. The Scope section on the request’s Overview tab indicates the specific personal data that the owner should look for.
Note
Looking at a data asset for the data subject’s personal data happens outside of Priva.
Some assets don’t list an owner. If a task is created for an asset without an owner, you can assign an owner. On the Tasks page, select a task to open its details page. On the Data owners tab, select Edit data owners, search by users to select a user, then select Confirm.
Tasks page
All tasks are listed on the Tasks page with basic properties and status information. Columns can be filtered to customize your view or search for specific tasks; for example, to show all tasks assigned to certain owners, or tasks with a certain status state, such as Not started or In progress. Tasks for each request are also found on the request details page’s Tasks tab.
Working on tasks
To begin working on a task, the owner goes to the Task page and searches for their assigned task. Select the task name to open a flyout pane with details about the task.
The first step is for the owner to claim the task. On the Details tab of the flyout pane, select Claim task. The task’s status changes from Not started to In progress. The owner is now ready to start working on the task by following these steps:
On the task’s flyout pane, go to the Scope tab to view which assets and which data subject values are in scope for the request.
Assets in scope: Each asset listed is hyperlinked. Select the asset link to go directly into the asset in Microsoft Purview Unified Catalog.
Classifications in scope: See the classifications that are in scope for the request, and the values for each classification that the owner needs to look for. For example, it might list the classification of “All Full Names” with a value next to it of “Jane Doe.”
For export requests:
Go into each asset to find the values for each classification. If the personal data is found in the asset, extract that data into a CSV file.
At Related data on the task’s flout pane, select Upload and upload the CSV file. You can view the content of the CSV file after uploading it by selecting the view icon next to the upload date. Select the view icon again to hide the content.
For delete requests: Go into each asset to find the values for each classification. If the personal data is found in the asset, carry out the deletion of that data.
When done either extracting and uploading the CSV file or deleting the data, select Mark as complete to complete the task. The status for the task changes to ** Completed; awaiting approval**.
If the data subject’s personal data isn’t found
If the asset owner doesn't find the data subject’s information in the asset, select Not applicable at the bottom of the asset’s flyout pane. The status for the task changes to Not applicable.
Approving tasks after completion
When work is completed on a task, the template contact must now approve the task. Approving all tasks advances the request to the final stage of responding to the data subject. To approve a task:
Select a request from the Request management page to open its details page.
On the Tasks tab, select the box next to the task’s name. The privacy officer should inspect the data to ensure that the data collected matches the identity of the data subject, and that no inappropriate data (such as, another data subject’s information, or other confidential information) was inadvertently captured in the CSV file.
Approve indicates that the work item was reviewed and fulfilled correctly.
Reject indicates that the work item was reviewed and needs to be updated before considered approved. The task owner is notified, and the task’s status changes to Rejected. The data engineer should go back and pull the correct data, and reupload a CSV file to the task, then Mark as complete. The privacy officer, or request owner, reviews the task again for approval.
Once all tasks in a request are completed and approved, the privacy officer (the owner listed as the contact for the request) receives an email indicating that all tasks for the request are completed and awaiting approval. The request’s stage changes to Ready to respond.
Responding to requests and downloading export packages
Responding to the data subject happens outside of Priva. The privacy officer responds to the data subject by transmitting the data the subject’s export package, or confirming that their data has been deleted from the organization’s data assets.
For export requests:
- On the request details page, go to the Packages tab.
- Select Download. The package downloads as a .zip file containing all the CSV files that were imported for each task.
- The privacy officer provides the .zip file to the data subject to complete the export request.
For delete requests:
The privacy officer contacts the data subject and informs them that all their personal data has been identified and deleted within their systems, and the subject rights requests has been completed.
Completing a request
When all tasks are completed and approved and the data subject has been notified that the request has been fulfilled, open the request details page and select Mark as complete in the upper right corner. The request status is now Complete. The task remains in the system for 180 days.