Automated and Manual Subject Request Processing

One substantial part of data privacy regulation are Data Subject Requests (DSRs), where an end user (data subject) has the right to access, to modify, or to delete the personal information that a company holds on them. To be compliant with privacy regulation, companies must fulfill these requests or risk fines or penalties, however it's not as easy of a task as it might initially seem. Data systems are complex and your company may be storing user data in many different locations in your infrastructure and across the various tools the company utilizes for operational success. This is where Ethyca comes in to help. Ethyca is a cloud software that provides organizations with a centralized tool to manage and automate these incoming requests by providing a couple different types of connectors: Atlas connectors (to connect to your internal databases) and Data Integrations (to connect to any third party applications that may be capturing user data on behalf of your company).

By managing all of your types of connections from within Ethyca, you will also be able to maintain a more complete Data Map. Data Mapping is key for building a compliant GDPR Article 30 Record of Processing Activities (RoPA) and fulfilling CCPA's personally identifiable information disclosure. Each of the completed fields in this section will be exportable in your Ethyca Data Map. Check out our support guide on your Ethyca Data Map for additional information.

Types of Data Integrations

Currently, there is no standard to guide these third party applications on how they can provide tools to fulfill data subject access and deletion requests. Therefore, every third party application has created their own tools or processes to allow companies or end users to process these requests. Some have streamlined ways for us to programmatically submit these requests. Others have more manual methods, such as requiring a person to manually fill out an online form, sending an email to their privacy team's inbox, or even manually clicking a button inside of their application's UI.

Our goal at Ethyca is to make compliance easy for your organization, so we do the heavy lifting when it comes to figuring out how to connect to all these different types of applications and provide companies with a single management tool to keep track of subject requests and assist with processing them. Because of the uniqueness of each third party application, Ethyca has two types of Data Integrations -Automated and Manual DSR processing, both of which can be configured and managed from the Ethyca Control Panel.

What is Manual Subject Request Processing

Unlike third party applications that support data retrieval and deletion via automatable, programmatic methods, some third party applications only provide manual methods. Ethyca's Manual DSR Processing allows companies to process these types of manual steps while still managing the overall subject request from the Ethyca Control Panel.

Once you have a manual integration configured (see the "How do I configure a Manual DSR Processing Integration" section below), selecting a subject from the Processing tab of the Subject Request list will bring you to a page that represents all the places (third party applications) where subject information may reside for that subject.

30773077 30863086

The top table represents those integrations that require Manual DSR processing, whereas the bottom table represents Automated DSR processing Integrations.

Processing a Subject Access request using a Manual Integration

For a Subject Access Request (SAR), you will be prompted to click on "Begin Manual Input" for the Manual DSR Processing Integration. In this example, this is an integration with the "FarApp" application that we have titled "myManualFarApp". Clicking on "Begin manual input" will take you to a form where you can enter in the data that "FarApp" has on the subject. This will require you to access the FarApp application and find the information you have on this specific subject.

30783078

Data for this subject may be entered in two separate ways - either manually (by you manually typing in the values for PII fields, such as "Marty Mcfly" for the "Customer Name" field) or via CSV import. If you choose to upload subject data via CSV import, you may do so by selecting the "Import by CSV" button and selecting as many CSVs you need to import that data.

916916

Here are a few things to keep in mind though when choosing to import data via CSV:

  • The CSV must be structured in the following way in order for the Ethyca Platform to ingest it properly:
PII_category1,PII_category2,PII_category3,PII_category4
PII_value1a,PII_value2a,PII_value3a,PII_value4a
PII_value1b,PII_value2b,PII_value3b,PII_value4b
  • You can select more than one CSV at a time if you have multiple CSVs that
  • The PII category in the CSV must match a PII category that is configured when you set up the Manual Integration
  • Your CSV may contain many rows that reflect multiple values for a PII category, if applicable.

After inputting the information you have on the subject, you can press the Save button to make sure that the information will be included in the subject's Download package they receive after you finish processing this request. Notice that once you have entered in the subject's data, the "Begin manual input" button changes to a "Review" button where you maybe review the information at any time before completing the DSR.

30863086

When you have verified that all the information is complete, select the Complete DSR button to finalize the information that will be sent to the subject in the Download Package.

Processing an Erasure request using a Manual Integration

For processing a Right to Forget or Right to be Forgotten (RTF) request, select the subject from the Subject Request list. Once you have deleted the subject's information in FarApp, you can select which PII category has been deleted by checking the box to the right of the PII category.

27322732

Upon pressing Save, the screen will prompt you to confirm that you have processed the request appropriately. Once you are finished ensuring that all the PII is removed from each manual integration you have, you may to select "Complete DSR" which will mark the subject request as completed.

When to use Manual DSR Processing Integrations

You may want to use a Manual DSR Processing Integration if:

  • Your business is keeping an inventory of systems for laws such as GDPR, CPRA, etc.
  • Your business has set a retention policy <30 days within the 3rd party system or database
  • The 3rd party system has no API's available, so DSR fulfillment occurs manually outside of Ethyca
  • Your business has chosen to integrate some, but not all internal databases with Ethyca
  • Your business has chosen to integrate some, but not all 3rd party systems with Ethyca