Reviewing the Data Subject Request (DSR) Package
Learn more about the type of PII available in a DSR package
Ethyca automates the processing of different privacy requests across your internal and external data systems via Atlas and connections with our various API integrations. One such request, the "Subject Access Request", dictates that users have the right to see the data that your business has on them. When you approve a "Subject Access Request" (SAR) in Ethyca's Control Panel, Ethyca orchestrates the retrieval of that data across your various connected systems and delivers it to the user in an email containing a URL with a downloadable ZIP file.
The subject will receive an email titled "Download your data package from <Organization Name>" and be able to download their DSR by clicking the download button.
The subject will then see a new ZIP file in their email titled "subject-request-package", which will then convert to a folder.
If the subject does not download the package within the configured time period, the download link will direct to a page with the following message:
Your download URL has expired. You may re-request this from the organization directly by
clicking below. <LINK TO PRIVACY CENTER>
This time period expiration can be configured by your organization when you deploy DSR-S. The default expiration time period is 48 hours.
When your subject opens the subject request package, they'll see a consolidated "MyData.html" file with their personal data returned from each system in the "Your Data Archive" folder.
If you have Ethyca Atlas and Third Party Integrations configured, personal data from each of these integrations and connections will be returned in the Data Subject Request package.
When your subject clicks on the "MyData.html", they will be brought to a URL in a new window, which shows a categorized view of the personal information your company holds about them.
The first three categories contain the information Ethyca retains as a sub-processor:
Let's look at an example of data returned from a Third Party Integration partner like Hubspot. If you click on any Category, you'll have the option to view more data in the folder.
Hubspot returns email list subscription personal information, so we can click on the "View Data" action icon that corresponds to "Subscription" to see data returned.
In the first window, you'll see the initial record the subscription pertains to - in this case, the subject's user ID. For more detail, you can drill down one level further by selecting "View Data" once more.
Now you will see a more comprehensive package of subject information held in Hubspot's subscription event.
When reading the DSR package, it is important to note each label can be modified by editing the Integration's DSR Customization tab. This is where you can further customize what the subject sees in the download package. You can also modify what is returned in the package by unselecting "User Can Download." When you run your next request, you will be able to visualize the changes live.
Now let's look at an example of data returned from Atlas.
Once you've connected a database accessible to Atlas, we can start identifying where PII lives in each database. In the Atlas UI, you are able to define an associated "Label" for each database column.
Once the mapping exercise is complete, and customer friendly labels have been added, the final data subject download package will show any customized labels added into Atlas.
The tables and columns that you see in the Atlas UI come from a YAML file that Ethyca's team uploads for you on your behalf. The YAML file contains a consolidated list of all the tables and columns in your database that contain PII. See below an example of how the labels in the Download Subject Request Package are derived from the YAML.
The top level category and label are used to demarcate a user's personal data from the table within this database (In this example, it is the "Purple Llama" table that contains information about users).
Names/Labels within the second level, properties, correspond to the individual elements of PII that are stored within this table.
If no label is provided, then the name will be used as the label in the Data Subject Request Package.
Support
Please contact [email protected] if you have any questions regarding your account.
Updated almost 2 years ago