Preflight Checks & Identity Enrichment
Before processing begins for a Privacy Request, the request is validated by a series of to ensure that it is legitimate and well-equipped to be fulfilled. During this step Transcend runs a set of customizable checks which include the following, and can be edited in the Admin Dashboard:
- Verification of other unverified identifiers, including but not limited to phone number.
- Manual checks.
- Obtaining all identifiers such as a User ID (identity enrichment).
- Anti-fraud check.
- Legal hold check.
Beyond the information collected when initiating a privacy request, you might need to retrieve additional user identifiers in order to effectively find the requestor's personal data across your data silos. For example, an identifier can be an internal user ID used by some of your internal systems or vendors. This additional information can be acquired by configurable Identity Enrichers.
A few things to know about enrichers:
- Enrichers typically require an Input Identifier, used to help resolve the enricher, and most times one or several Output Identifiers that will receive the data acquired through the enrichment process.
- Enrichers are configurable to run on any combination of and .
- Enrichers can declare dependencies on each other, which determines the order in which they resolve.
- Custom identifiers created from the Privacy Center or via enrichers need to be verified. This can happen manually through the dashboard, or using the enricher.
- Email verification (magic link)
- Phone number verification via SMS (magic link)
- Post to a Server (Webhook)
- Notify a Person
- Region Matcher
- RegExp Match
- Auto Approve
- Legal Hold Check
- Wait Period
Privacy Request workflows come configured with email verification by default. Before a user can submit a request via the Privacy Center, they must input and verify their email address. You may also create a request on behalf of a data subject (either via the Admin Dashboard or Admin API), in which case you may bypass this verification step by attesting that you have already verified this user's identity.
You may need to identify data subjects by their phone number.
Webhooks can also be used to automatically cancel incoming Privacy Requests based on your business or legal needs, or simply put them on hold until further resolution.
If no automated service is available for an identifier to be resolved, the "Notify a Person" allows you to contact someone and ask for the username, ID, or any identifier corresponding to the existing identifiers associated with the request. You can configure the notification to run conditionally only if a user specifies another type of identifier, the
Note that the identifier names that you configure here have to match the "name" of the identifier used in your payload.
- Go to .
- Add a new enricher by clicking the blue + button in the top-right-hand corner of the "Enrichers" section.
- Select the Notify a Person enricher and enter all the necessary information, which includes:
  - Title: Title of enricher.
  - Description: Description of enricher.
  - User to Notify: Transcend user or email of the person to contact for this enricher.
  - Input Identifier: Initial identifier that the enricher will accept. A Privacy Request will only use this enricher if any of its identifiers is the same type as the input identifier specified here. Select Core Identifier if you want to run this step for every request.
  - Output Identifier: The output identifier that will be mapped from the result of this enricher.
  - Actions: Which data action types (Access, Erasure, etc.) should use the enricher in their respective workflows. When not provided, this preflight step is run for all data actions.
  - Data Subjects: Which data subject types are relevant to the enricher. When not provided, this preflight step is run for all data subjects.
  - Enricher Dependency: Which enricher(s) should run prior to this one.
Requests in need of enrichment will lead to an action item being created in your Transcend dashboard, assigned to the user(s) specified in the enricher configuration. If needed, you can assign a Transcend user or a Team to the Request Enricher Person Needs Manual Entry action item.
You can subscribe to alerts for Identity Enrichment by clicking Manage Subscriptions in the top-right corner, searching for the Request Enricher Person Needs Manual Entry notification type, and selecting the way you want to be notified (Email, Slack, etc.).
Enrichment status can be found in the Details tab of a pending request.
Click on the blue pencil icon next to the enricher to provide the required information.
The Region Matcher can be set to detect any number of countries or states of origin for the subject request, and automatically set the request to a specific state, such as cancelling it or placing it on hold.
This is commonly used to reject certain privacy requests in certain jurisdictions and used in tandem with region selection that can be configured for each request type from the section of the dashboard.
The example below shows an enricher configured to automatically reject requests coming from US states that don't have privacy laws, and to delay the email for 24 hours after the request is received.
Similarly to the Region Matcher, RegExp Match will run the provided Regular Expression on the Input Identifier, and change the status of the request when a match is found.
The screenshot below illustrates an enricher set up to automatically reject requests for which the input identifier (email) ends with "@acme.com".
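A RegExp Match rule changes request status on any match, so the pattern should be checked against near-miss identifiers before it is saved. The following is an added example, not Transcend's code; it assumes the pattern is applied with search semantics (a match anywhere in the identifier) and case-insensitively, and all sample addresses are constructed.

```python
import re

# Constructed sample identifiers: (value, should the "@acme.com" rule match?)
SAMPLES = [
    ("alice@acme.com", True),                # intended match
    ("Bob@ACME.com", True),                  # same domain, different case
    ("carol@acme.com.example.net", False),   # acme.com is only a prefix
    ("dave@acmeXcom", False),                # unescaped "." matches any character
    ("erin@notacme.com", False),             # different domain
    ("frank@acme.community", False),         # longer TLD sharing the prefix
]

# Three ways of writing "ends with @acme.com".
CANDIDATES = {
    "naive": r"@acme.com",
    "escaped": r"@acme\.com",
    "anchored": r"@acme\.com$",
}

def audit(pattern, samples=SAMPLES, flags=re.IGNORECASE):
    """Return (false_matches, missed) for one pattern under search semantics."""
    rx = re.compile(pattern, flags)
    false_matches, missed = [], []
    for value, should_match in samples:
        # Strip first: "$" in Python also matches before a trailing newline.
        hit = rx.search(value.strip()) is not None
        if hit and not should_match:
            false_matches.append(value)
        elif not hit and should_match:
            missed.append(value)
    return false_matches, missed

if __name__ == "__main__":
    for name, pattern in CANDIDATES.items():
        wrong, missed = audit(pattern)
        print(f"{name:9} {pattern!r:16} false matches={wrong} missed={missed}")
```

Only the escaped and anchored pattern limits the rule to the intended domain; the other two would also change the status of requests from unrelated domains.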
Identifiers collected through the Privacy Center need to be verified before the request is continued. In some situations, you may want to process the request without verifying the identifier. You can do this using the Auto Approve enricher.
The screenshot below illustrates an Auto Approve enricher set to accept Erasure requests based on including a custom identifier of type
You might want to do so if you are not able to verify that a MAC address belongs to one person, but you want to allow users to request deletion from that MAC address because it's tied to personal data.
You might also want to auto-approve an identifier of type name, if you are not actually leveraging it to look up data, but rather using it to communicate with your user and/or for cross-referencing in the bulk respond UI.
Enrichment can be performed by querying one of your databases via the Database enricher. For example, you could write an SQL query that maps an email address to a User ID. Full configuration steps can be found .
The Looker enricher allows for a no-code enrichment of identifiers through your Looker Integration.
Please note that if possible, database Integration or are still the preferred method of integration, as it is preferable to enrich from a live production database. A data warehouse is a replica of the production database, and as such it is possible to see a delay in data arrival during the time when data is copied over from the production database.
If you maintain a list of users that shouldn't be automatically processed, for legal, business reasons or otherwise, you can set the Legal Hold Check enricher to compare inbound identifiers against that list and modify the request's status in case of a match.
You can choose which new status should be set on the matching request with the Request Status Transition field, and select an email template to send to the data subject with the Email Template field.
To define your Legal Hold list:
- Go to the section of your Privacy Request dashboard.
- From there, you can add identifiers to your list manually, or upload larger lists using the
- The input list for imports should be a csv file with identifier and value as column headers, and values:
  - identifier: identifier name. For example:
  - value: actual identifier value. For example: firstname.lastname@example.org
  You can add any and/or multiple other types of identifiers using this method.
- Create an enricher for each identifier type that you want to check from the list of legal holds. You can configure which data subject workflows or data actions the legal hold would run on.
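A malformed legal hold list fails quietly: a padded value or a mistyped identifier name simply never matches an inbound request. The following pre-upload check is an added example, not part of Transcend's tooling; it assumes the two column headers named above (identifier and value), and the identifier names other than email are hypothetical.

```python
import csv
import io

EXPECTED_HEADER = ["identifier", "value"]

# Constructed sample file; identifier names other than "email" are hypothetical.
SAMPLE = "\n".join([
    "identifier,value",
    "email,firstname.lastname@example.org",
    "email, Firstname.Lastname@example.org ",  # padded, differs only by case
    "phone,+15555550100",
    "userId,",                                  # name with no enricher configured
    "email",                                    # missing value column
]) + "\n"

def lint_legal_hold_csv(text, known_identifiers):
    """Return (clean_rows, problems) for a legal-hold import file."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None or [h.strip() for h in header] != EXPECTED_HEADER:
        return [], ["line 1: header must be identifier,value"]
    clean, problems, seen = [], [], {}
    for lineno, row in enumerate(reader, start=2):
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != 2:
            problems.append(f"line {lineno}: expected 2 columns, got {len(row)}")
            continue
        name, value = row[0].strip(), row[1].strip()
        if name not in known_identifiers:
            problems.append(f"line {lineno}: unknown identifier name {name!r}")
            continue
        if not value:
            problems.append(f"line {lineno}: empty value")
            continue
        if row[1] != value:
            problems.append(f"line {lineno}: surrounding whitespace removed")
        key = (name, value.casefold())
        if key in seen:
            problems.append(f"line {lineno}: duplicates line {seen[key]} ignoring case")
            continue
        seen[key] = lineno
        clean.append((name, value))
    return clean, problems

if __name__ == "__main__":
    rows, issues = lint_legal_hold_csv(SAMPLE, {"email", "phone"})
    print(rows, *issues, sep="\n")
```

Pass the set of identifier names for which you have created a Legal Hold Check enricher as `known_identifiers`, so rows that no enricher would ever compare are reported before upload.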
The Wait Period preflight check can be used to force a delay between steps of your privacy request workflow. Provide the Identifier that should trigger the wait period, as well as the
Keep in mind that enrichers can include Dependencies on one another and thus be run in a chosen sequential order, for example if you need to delay processing of an enricher while a database process takes place.