Data subjects and data actions
A DSR Workflow is a procedure for how your organization handles Data Subject Requests. With Transcend Privacy Requests, you can choose to customize your DSR workflow along several dimensions depending on things like how much human verification your company chooses to keep in the loop, what DSR types you choose to process, and how long after receiving an erasure request your company chooses to permanently erase the information in question.
The following sections can be configured in the Admin Dashboard on the "Request Settings" tab in Privacy Requests.
This section is about configuring the "who" of your DSR Workflow. A Data Subject is a person whose data you control or process. In the context of GDPR, the term data subject refers to European human citizens, and does not include such entities such as companies or collections of people.
A single company may collect and/or process the data of a number of different types of data subjects. These data subjects could fall into types such as Customers, Employees, Contractors, Job Applicants, etc. Each of these different data subject types might have data stored and processed by different parts of your organization. Transcend helps to manage this abstraction by allowing you to specify and manage your organization's "Data Subjects" in the Request Settings → tab of the Admin Dashboard where you can specify such things as different login flows for different Data Subject types authenticating to the Privacy Center.
Right now, Data Subject types are custom configured on our end, but you would like to add additional data subjects, please email us at support@transcend.io.
This is about the "what" of a DSR Workflow and describes the operation that your customers might request you do with their data.
In Transcend the following actions that are custom-tuned to be compliant with key regulations under GDPR and Full Text: CCPA.
| Data Action | Description | Event Key |
|---|---|---|
| Access/Download | A request to access/download/export in machine-readable format. | ACCESS |
| Erasure/Deletion | A request to be forgotten and have all personal data removed from your systems. | ERASURE |
| Opt Out of Communication/Marketing | A request to be block-listed from future communications. An example of this is when someone unsubscribes from all marketing emails or SMS. | CONTACT_OPT_OUT |
| Opt in to Communication/Marketing | A request to opt a user into communication or marketing channels. | CONTACT_OPT_IN |
| Opt Out of Tracking/Analytics | A request to not be tracked. | TRACKING_OPT_OUT |
| Opt in to Tracking/Analytics | A request to re-enable tracking. | TRACKING_OPT_IN |
| Opt Out of Sale/Share of Data | A request to stop the sale or share of personal information. | SALE_OPT_OUT |
| Opt in to Sale/Share of Data | A request to opt back in to the sale or share of personal information. | SALE_OPT_IN |
| Opt Out of Automated Decision Making | A request to opt out of automated decision making. | AUTOMATED_DECISION_MAKING_OPT_OUT |
| Opt in to Automated Decision Making | A request to opt back in to automated decision making. | AUTOMATED_DECISION_MAKING_OPT_IN |
| Opt Out of Custom Purpose | An opt out for a custom type of request purpose. | CUSTOM_OPT_OUT |
| Opt in to Custom Purpose | An opt in for a custom type of purpose. | CUSTOM_OPT_IN |
| Opt Out of the Use of Sensitive Information | A request to limit the usage of sensitive information, a requirement under the CPRA. | USE_OF_SENSITIVE_INFORMATION_OPT_OUT |
| Opt in to the Use of Sensitive Information | A request to opt back into the use of sensitive information. | USE_OF_SENSITIVE_INFORMATION_OPT_IN |
| Rectification/Update Inaccuracies | A request to correct any inaccurate records. | RECTIFICATION |
| Restriction of Processing | A request to pause data processing activities. | RESTRICTION |
| Business Purpose Report | A request for a business report that describes which of your data we collect and for what purposes we use that data. | BUSINESS_PURPOSE |
| Place on Legal Hold | Place a particular person on legal hold by freezing access to their accounts. | PLACE_ON_LEGAL_HOLD |
| Remove from Legal Hold | Remove existing legal holds on a person. | REMOVE_FROM_LEGAL_HOLD |
You can enable automatic erasure fulfillment with a wait period. This gives time for the user or your team to cancel the erasure request. You can also disable automatic fulfillment and require an approval. You can make these changes by going to Request Settings. Once there, click the edit icon on "Erasure" and you'll see a settings view. We currently support two types of wait periods:
When someone is deleting their account, you may want to give them the option to back up the data before deleting it for good. When this feature is in use the workflow will look like:
a) compile data for the user across the integrations b) after request is approved, send the user a DSAR download link and wait 2 weeks before deleting the account. The Data Subject has the option to cancel their request at any time on the Privacy Center. c) After the 2 week delay period, the erasure process will begin. At this time time, the user will no longer be able to download their data or cancel their request.
To enable this feature ensure the setting named "Begin erasure immediately and prevent file downloads" is unchecked. If you turn on this checkbox, there will be no delay period, and the request will begin to erase immediately after the request is approved.
For security reasons, you may want to wait to delete someones account for a day, a week or even longer. Delaying a request will allow you to send an email notification to the data subject explaining a reason in which they may want to cancel their request. To enable automatic erasure request fulfillment, enable "Delay After Verification" and choose a wait period in days.
To disable automatic erasure fulfillment and require an approval step before performing an erasure, disable "Delay After Verification".
To require an approval before sending the final report to the data subject, enable "Approval Before Send". Note that "Approval Before Send" only affects the final report, and not the actual data erasure. Use "Delay After Verification" to configure the data erasure step.