Data subjects and data actions

Configure the way your organization responds to Data Subject Requests

What is a DSR Workflow?

A DSR Workflow is a procedure for how your organization handles Data Subject Requests. With Transcend Privacy Requests, you can choose to customize your DSR workflow along several dimensions depending on things like how much human verification your company chooses to keep in the loop, what DSR types you choose to process, and how long after receiving an erasure request your company chooses to permanently erase the information in question.

The following sections can be configured in the Admin Dashboard on the "Data Subject Requests" settings tab.

Data Subjects

This section is about configuring the "who" of your DSR Workflow. A Data Subject is a person whose data you control or process. In the context of GDPR, the term data subject refers to European human citizens, and does not include such entities such as companies or collections of people.

A single company may collect and/or process the data of a number of different types of data subjects. These data subjects could fall into types such as Customers, Employees, Contractors, Job Applicants, etc. Each of these different data subject types might have data stored and processed by different parts of your organization. Transcend helps to manage this abstraction by allowing you to specify and manage your organization's "Data Subjects" in the Request Settings → tab of the admin dashboard where you can specify such things as different login flows for different Data Subject types authenticating to the Privacy Center.

Right now, Data Subject types are custom configured on our end, but you would like to add additional data subjects, please email us at [email protected].

Data Actions

This is about the "what" of a DSR Workflow and describes the operation that your customers might request you do with their data.

Currently Transcend the following actions that are custom-tuned to be compliant with key regulations under GDPR and Full Text: CCPA.

Data Action

Description

Event Key

Access

A request to access/download/export in machine-readable format.

ACCESS

Erasure

A request to be forgotten and removed from your systems.

ERASURE

Opt Out of Communication/Marketing Emails

A request to be blocklisted from future communications. An example of this is when someone unsubscribes from all marketing emails.

CONTACT_OPT_OUT

Opt Out of Tracking

A request to not be tracked.

TRACKING_OPT_OUT

Opt Out of Automated Decision Making

A request to prevent automated decision making about them.

AUTOMATED_DECISION_MAKING_OPT_OUT

Opt Out of Sale of Information

A request to stop the sale of their personal information.

SALE_OPT_OUT

Update Inaccuracies

Customers request that you correct information you have on them. This may be something as simple as "change the address you have for me on record".

RECTIFICATION

Restrict Processing

Customers request that you restrict the processing of their data. An example of this may be due to a court order.

RESTRICTION

Configuring a wait period or an erasure approval requirement

You can enable automatic erasure fulfillment with a wait period. This gives time for the user or your team to cancel the erasure request. You can also disable automatic fulfillment and require an approval. You can make these changes by going to Settings -> Data Subject Requests. Once there, click the edit icon on "Erase" and you'll see a settings view.

We currently support two types of wait periods:

Allow for the Data Subject to download an archive of their data before deleting their account

When someone is deleting their account, you may want to give them the option to back up the data before deleting it for good. When this feature is in use the workflow will look like:

a) compile data for the user across the datamap
b) after request is approved, send the user a DSAR download link and wait 2 weeks before deleting the account. The Data Subject has the option to cancel their request at any time on the Privacy Center.
c) After the 2 week delay period, the erasure process will begin. At this time time, the user will no longer be able to download their data or cancel their request.

To enable this feature ensure the setting named "Begin erasure immediately and prevent file downloads" is unchecked. If you turn on this checkbox, there will be no delay period, and the request will begin to erase immediately after the request is approved.

Arbitrary Delay a DSR

For security reasons, you may want to wait to delete someones account for a day, a week or even longer. Delaying a request will allow you to send an email notification to the data subject explaining a reason in which they may want to cancel their request. To enable automatic erasure request fulfillment, enable "Delay After Verification" and choose a wait period in days.

Configure Approval Step

To disable automatic erasure fulfillment and require an approval step before performing an erasure, disable "Delay After Verification".

To require an approval before sending the final report to the data subject, enable "Approval Before Send". Note that "Approval Before Send" only affects the final report, and not the actual data erasure. Use "Delay After Verification" to configure the data erasure step.