Preflight Checks & Identity Enrichment

Before processing begins for a Privacy Request, the request is validated by a series of preflight jobs to ensure that it is legitimate and well-equipped to be fulfilled. During this step Transcend runs a set of customizable checks which include the following, and can be edited in the Admin Dashboard:

  • Email verification.
  • Verification of other unverified identifiers, including but not limited to phone number.
  • Manual checks.
  • Obtaining all identifiers such as a User ID (identity enrichment).
  • Anti-fraud check.
  • Legal hold check.

Beyond the information collected when initiating a privacy request, you might need to retrieve additional user identifiers in order to effectively find the requestor's personal data across your data silos. For example, an identifier can be an internal user ID used by some of your internal systems or vendors. This additional information can be aquired by configurable Identity Enrichers.

A few things to know about enrichers:

  • Enrichers typically require an Input Identifier, used to help resolve the enricher, and most times one or several Output Identifier that will receive the data acquired through the enrichment process.
  • Enrichers are configurable to run on any combination of Data Actions and Data Subjects.
  • Enrichers can define dependencies to each other, to define the order in which they will resolve.
  • Custom identifiers created from the Privacy Center or via enrichers need to be verified. This can happen manually through the dashboard, or using the Auto Approve enricher.

Preflight checks can be created under the Privacy Requests -> Identifiers page of the Admin Dashboard. Click the "+" button under the Enrichers section to create one of the following types of preflight checks:

  1. Email verification (magic link)
  2. Phone number verification via SMS (magic link)
  3. Post to a Server (Webhook)
  4. Notify a Person
  5. Region Matcher
  6. RegExp Match
  7. Auto Approve
  8. Database
  9. Looker
  10. Legal Hold Check
  11. Wait Period

Privacy Request workflows come configured with email verification by default. Before a user can submit a request via the Privacy Center, they must input and verify their email address. You may also create a request on behalf of a data subject (either via the Admin Dashboard or Admin API), in which case you may bypass this verification step by attesting that you have already verified this user's identity.

Configuration steps for email verification can be found here.

You may need to identify data subjects by their phone number.

SMS verification is available in Transcend if you own a Twilio API key, and configuration steps can be found here.

If you need to contact a web service in order to resolve an identifier (username, internal ID, etc.), Transcend supports Webhooks in order to collect that additional information.

Webhooks can also be used to automatically cancel incoming Privacy Requests based on your business or legal needs, or simply put them on hold until further resolution.

The "Post to a Server" enricher can be configured by following the steps described here.

If no automated service is available for an identifier to be resolved, the "Notify a Person" allows you to contact someone and ask for the username, ID, or any identifier corresponding to the existing identifiers associated with the request. You can configure the notification to run conditionally only if a user specifies another type of identifier, the input identifier.

Under the Privacy Requests section, Identifiers, make sure each of the identifiers you plan to return is listed. If not, use the + button to define new identifiers.

Note that the identifiers' name that you configure here have to match with the "name" of the identifier used in your payload.

  1. Go to Privacy Requests -> Identifiers.
  2. Add a new enricher by clicking the blue + button in the top-right-hand corner of the "Enrichers" section.

  1. Select the Notify a Person enricher and enter all the necessary information, which includes:
  • Title — Title of enricher.
  • Description — Description of enricher.
  • User to Notify - Transcend user or email of the person to contact for this enricher.
  • Input Identifier — Initial identifier that the enricher will accept. A Privacy Request will only use this enricher if any of its identifiers is the same type as the input identifier specified here. Select Core Identifier if you want to run this step for every request.
  • Output Identifier — The output identifier that will be mapped from the result of this enricher.
  • Actions - Which data actions types (Access, Erasure, etc.) should use the enricher in their respective workflows. When not provided, this preflight step is run for all data actions.
  • Data Subjects - Which data subject types are relevant to the enricher. When not provided, this preflight step is run for all data subjects.
  • Enricher Dependency - Which enricher(s) should run prior to this one.

  1. Click Create Enricher.

  2. Requests in need of enrichment will lead to an action item being created in your Transcend dashboard, assigned to the user(s) specified in the enricher configuration. If needed, you can assign a Transcend user or a Team to the Request Enricher Person Needs Manual Entry action item.

  1. You can subscribe to alerts for Identity Enrichment by clicking Manage Subscriptions in the top-right corner, search for the Request Enricher Person Needs Manual Entry notification type, and selecting the way you want to be notified (Email, Slack, etc.).

  2. Enrichment status can be found in the Details tab of a pending request tab.

Click on the blue pencil icon next to the enricher to provide the required information.

The Region Matcher can be set to detect any number of countries or states originations for the subject request, and automatically set the request to a specific state, such as cancelling it or placing it on hold.

This is commonly used to reject certain privacy requests in certain jurisdictions and used in tandem with region selection that can be configured for each request type from the "Request Settings" section of the dashboard.

The bellow example shows an enricher configured to automatically reject requests coming from US states that don't have privacy laws, and delay email for 24 hours after request is received.

Similarly to the Region Matcher, RegExp Match will run the provided Regular Expression on the Input Identifier, and change the status of the request when a match is found.

The screenshot below illustrates an enricher set up to automatically reject requests for which the input identifier (email) end with "@acme.com".

Identifiers collected through the Privacy Center need to be verified before the request is continued. In some situations, you may want to process the request without verifying the identifier. You can do this using the Auto Approve enricher.

The screenshot below illustrates an Auto Approve enricher set to accept Erasure requests based on including a custom identifier of type MAC Address. You might want to do so if you are not be able to verify a mac address belongs to one person, but you want to allow users to request deleting from that mac address because its tied to personal data.

You might also want to auto-approve an identifier of type name, if you are not actually leveraging it to look up data, but rather use it to communicate to your user and/or cross-referencing in the bulk respond UI.

Enrichment can be performed by querying one of your databases via the Database enricher. For example, you could write an SQL query that maps an email address to a User ID. Full configuration steps can be found here.

The Looker enricher allows for a no-code enrichment of identifiers through your Looker Integration.

Please note that if possible, database Integration or a Webhook Integration are still the preferred method of integration, as it is preferable to enrich from a live production database. A data warehouse is a replica of the production database, and as such it is possible to see a delay in data arrival during the time when data is copied over from the production database.

Note that you can declare a dependency on a Wait Period enricher in order to delay processing and give time to ensure ETL is run before enriching the request.

Full configuration steps for the Looker enricher can be found here.

If you maintain a list of users that shouldn't be automatically processed, for legal, business reasons or otherwise, you can set the Legal Hold Check enricher to compare inbound identifiers against that list and modify its status in case of a match.

You can choose which new status should be set to the matching request by setting the Request Status Transition field, and select an email template to send to the data subject, with the Email Template field.

To define your Legal Hold list:

  1. Go to the Privacy Requests -> Legal Holds section of your Privacy Request dashboard.
  2. From there, you can add identifiers to your list manually, or upload larger lists using the Import button.
  3. The input list for imports should be a csv file with identifier and value as column headers, and values:
  • identifier: identifier name. For example: email
  • value: actual identifier value. For example: mike@transcend.io You can add any and/or multiple other types of identifiers using this method.
  1. Create an enricher for each identifier type that you want to check from the list of legal holds. You can configure which data subject workflows or data actions the legal hold would run on.

The Wait Period preflight check can be used to force a delay between steps of your privacy request workflow. Provide the Identifier that should trigger the wait period, as well as the Expiration Duration.

Keep in mind that enrichers can include Dependencies to one another and thus be run in chosen sequential order, if you need to delay processing of an enricher while a database process takes place, for example.