Data Subject Requests (DSRs)

  1. Introduction to DSRs
  2. Configuring DSR Settings
  1. Building a DSR Workflow
  1. Managing Privacy Requests
  1. Conclusions

Introduction to Data Subject Requests

Data Subject Requests (DSRs) are requests made by individuals to exercise their data privacy rights, such as accessing their personal data, erasing it, rectifying inaccuracies, objecting to processing, requesting data portability, and more. These requests are a crucial part of ensuring privacy compliance within organisations, and TrustWorks provides a powerful platform for managing and processing DSRs.

TrustWorks DSR functionality helps organisations to comply with data privacy regulations by providing a centralised environment where cross-functional teams can collaborate seamlessly. This includes the privacy team, as well as other departments such as IT, legal, and customer support. By prioritising privacy and utilising TrustWorks' features, organisations can mitigate risks, ensure compliance, and avoid potential fines.

In this guide, we will explore the Data Subject Requests functionality in TrustWorks and its significance in privacy compliance. We will delve into the configuration settings related to DSRs, discuss the available modules for managing DSRs, and highlight the benefits of using TrustWorks' collaborative workflow for handling DSRs. By leveraging TrustWorks' capabilities, organisations can streamline the management of DSRs, efficiently fulfil requests, and provide individuals with control over their personal data.

Configuring DSR Settings in TrustWorks

Configuring the settings for Data Subject Requests (DSRs) in TrustWorks is an essential step in establishing an efficient and compliant DSR workflow. TrustWorks offers a range of configurable settings that allow organisations to customise the DSR process to align with their specific requirements and regulatory obligations.

To configure the DSR settings, navigate to Global Settings > Data Subject Request.

Request Types

TrustWorks allows you to configure the request types that your organisation will be performing. These request types define the specific actions that individuals can request regarding their personal data. Common request types include access, erasure, rectification, object processing, restriction, no auto decisions, portability, and others. By configuring the request types, you ensure that the DSR workflow within TrustWorks aligns with the applicable data privacy regulations and addresses the specific rights individuals have over their data.

Note: Automated DSR workflows won’t be executed for inactive request types. Please make sure to select all that apply.

Categories of Individuals

To facilitate the acceptance and categorisation of DSRs, TrustWorks enables the configuration of categories of individuals. These categories represent different groups of individuals who may submit DSRs to your organisation. Examples of categories include employees, prospects, providers, candidates, visitors (office), visitors (online), and customers. By configuring the categories of individuals, you can accurately classify and manage incoming DSRs based on the relationship between the individuals and your organisation.

Note: Same as for request types, automated DSR workflows won’t be executed for inactive categories of individuals. Please make sure to select all that apply.

For more info, please refer to Data Practices: Categories of individuals

Input Identifiers

TrustWorks allows you to configure the input identifiers that prompt data subjects to provide relevant personal data when submitting a DSR. These identifiers can include fields such as email addresses, file attachments, or other specific information required to process the request effectively. By configuring the input identifiers, you streamline the DSR submission process, ensuring that data subjects provide the necessary details to facilitate accurate and timely responses.

You can also adjust, delete and create new identifiers for your DSRs to better suit your needs.

Other Configurations

In addition to the essential settings, TrustWorks offers further configurations to tailor your Data Subject Request (DSR) workflow precisely to your organisation's needs.

  • Include Personal Data in Communication: This option allows you to include users' personal information in the communication channel. By enabling this feature, you can seamlessly share relevant data with stakeholders during the DSR process, promoting transparency and efficient collaboration.
  • DSR External ID: You have the flexibility to specify a DSR External ID, or TrustWorks can automatically assign one for you. This ID helps uniquely identify each DSR, streamlining tracking and reference within your workflow.

With these versatile configurations, TrustWorks ensures your DSR workflow aligns with your specific business requirements while adhering to data privacy regulations. You can optimise communication, streamline data sharing, and efficiently manage DSRs, all within a secure and privacy-aware environment.

Building a DSR Workflow

Workflows are the backbone of our Privacy Collaboration Platform, providing a seamless way to automate and simplify the execution process of Data Subject Requests (DSRs). With Workflows, organisations can efficiently manage privacy compliance while fostering collaboration between Privacy, Legal, and other teams.

DSR Execution Process

In TrustWorks, the DSR execution process is divided into five stages:

  1. Receive Request: This stage involves receiving the Data Subject Request from the individual, which could be through various intake channels.
  2. Verify Identity: During this stage, the organisation verifies the identity of the data subject making the request to ensure its legitimacy.
  3. Execute Request: Once the request is verified, the organisation processes the request according to the data privacy regulations and the specific rights the data subject is exercising. This could involve accessing, rectifying, erasing, or providing a copy of the data, among other actions.
  4. Complete and Send Report: After fulfilling the request, the organisation completes the process and sends a report to the data subject to communicate the actions taken.
  5. Close Request: After fulfilling the request and sending the report, the organisation closes the request, concluding the DSR execution process.

In TrustWorks, building a DSR Workflow is a straightforward process that enables you to create efficient and automated workflows tailored to your organisation's specific needs.

Workflow Configuration

Before you can build a DSR workflow in TrustWorks, you will need to configure the following settings:

  • Workflow Name: Give your workflow a clear name to help you navigate the workflows more efficiently later on.
  • Context: Choose between DSR Execution or Data Mapping, as each workflow can only have one context. The context defines the purpose of the workflow, whether it's handling the execution of Data Subject Requests or managing data mapping processes.

  • Data Request Type: Select one or multiple DSR types that your workflow will handle. These request types encompass actions such as Access, Rectification, Erasure, Restriction, Portability, No-auto-decisions, Object processing, and Other. You can manage these request types in Global Settings under Data Subject Requests.

    Note: To simplify the creation and management of your workflows, it's recommended to select only one DSR type per workflow, ensuring clear focus and streamlined execution.

  • Subject Types: Choose one or multiple categories of individuals for whom your workflow will accept DSRs. These categories, such as customer, prospect, candidate, employee, provider, visitor, and other, can be configured in Global Settings under Data Practices > Categories of Individuals.

With the prerequisites in place, you're ready to create a DSR Workflow in TrustWorks. Here's a step-by-step guide to help you get started:

Triggers

Triggers are events that initiate a workflow. TrustWorks offers a variety of triggers, including:

  1. Widget Triggers: Initiate workflows directly from your website or application using our embedded widget. For example, add a "Request Data Access" button on your website to allow data subjects to trigger the DSR workflow effortlessly.
  2. API Triggers: Programmatically initiate workflows using TrustWorks' API. Integrate TrustWorks with your applications or systems to trigger DSR workflows automatically based on specific events or actions, streamlining the DSR process.
  3. Zendesk Triggers: Automate workflow initiation within the Zendesk platform. When a Data Subject Request is created as a ticket in Zendesk, a trigger can initiate the corresponding DSR workflow in TrustWorks, ensuring prompt and efficient DSR execution.
  4. Event Triggers: Initiate the workflow when a Data Subject Request is created. For example, when a data subject submits a request through a web form or any other intake channel, an event trigger in TrustWorks starts the DSR workflow automatically, promptly addressing DSRs.

Note: Triggers can only be connected to the start node (see the screenshot above)

Actions

The next step in building your DSR workflow is selecting and configuring manual and automated actions from the list:

📂 Task

Assign manual tasks to the responsible users or teams for completing certain DSR stages, streamlining collaboration and accountability.

Assign manual tasks to the responsible users or teams for completing certain DSR stages, streamlining collaboration and accountability.

📨 Send Email

Set up automated emails to be sent at specific DSR stages, notifying stakeholders of the progress and updates.

✔️ Approve Report

Manually approve the generated DSR report at the designated stage, ensuring its accuracy and compliance.

🔐 Verify Identity

Manually verify the data subject's identity, ensuring the legitimacy of the request.

➡️ Forward DSR

Automatically forward the DSR to designated recipients or systems based on predefined criteria.

📑 Access Data

Configure this action to grant access to the data subject's requested personal information. Select the appropriate DSR execution stage, assign the action to a team or user, and choose the communication channel. Additionally, specify the data repository where the data is stored to facilitate a smooth data access process.

🗑️ Erase Data

Use this action to erase the data subject's personal information upon request. Configure the DSR execution stage, assign the action to a team or user, and select the communication channel. If applicable, specify the data repository to ensure proper erasure from the designated storage locations.

📤 Send Report

This automated action marks the conclusion of the DSR workflow. Once all required DSR stages are completed, TrustWorks automatically generates a report detailing the actions taken. The report is then sent to the data subject, providing them with transparency and ensuring compliance with data privacy regulations.

Flows (Additional Connectors in Workflows)

The Workflow Builder offers additional connectors to create more complex workflows:

  1. ⏩ Parallels: Perform multiple actions in parallel, improving efficiency and reducing processing time.
  2. 🔀 Choice (DSR Filter): Specify DSR types and origin types to filter and route requests accordingly.
  3. 🔗 Merge: Combine multiple workflow branches into a single flow for streamlined processing.

{LINK to a sample workflow - erasure request for example}

Managing Privacy Requests

The Requests module in TrustWorks is designed to facilitate managing and processing Data Subject Requests (DSRs). This module serves as a centralised hub for handling all DSRs received by the organisation. It streamlines the workflows, ensuring efficient collaboration between teams and timely completion of requests, thereby enhancing privacy compliance.

On the Subject Requests page, you can also sort the requests in ascending or descending order based on various parameters, such as External IDs, Subject Identifiers, Subjects, Creation date, Days Left to completion, Type of Request, and Status. This allows you to prioritise and manage requests more effectively.

Subject Request Details

The "Subject Request Details" section in TrustWorks provides a comprehensive overview of a specific Data Subject Request (DSR) received by the organisation. It contains essential information related to the request and allows users to efficiently manage and track the progress of the DSR execution.

Here's what can be found in this section:

  1. Request Information: This includes the unique ID assigned to the DSR, the type of request (e.g., Access, Erasure, Rectification), the applicable data protection regulation (e.g., GDPR), and the category of the data subject (e.g., Customer, Employee).
  2. Intake Channel: Indicates the source through which the DSR was submitted, such as an app, website, or other communication channels.
  3. Workflow: Displays the specific workflow associated with the DSR, defining the automated process for handling the request.
  4. Erasure Type / Subject ID: Provides details about the method of identifying the data subject, such as their email address or a unique identifier.
  5. Additional Information: Any supplementary details provided by the data subject can be found here, which may aid in fulfilling the request.
  6. Days Remaining: Indicates the number of days left for completing the DSR process within the specified regulatory timeframe.
  7. Progress: The execution progress is visualised in stages, outlining where the DSR stands in the overall process:
    • Receive Request: Shows when the request was submitted and received.
    • Verify Identity: Indicates the step of verifying the data subject's identity using provided identifiers.
    • Execute Request: Marks the phase where the request is processed and actions are taken based on the data subject's rights.
    • Approve and Send Report: Confirms the final report's approval and its transmission to the data subject.
    • Completed: Signifies the conclusion of all steps, indicating that the DSR is fulfilled.
  8. Actions: Within the "Subject Request Details" section, users can perform several essential actions related to the DSR:
  • Cancel Request: If necessary, users can cancel the request.
  • Request More Time: Allows users to ask for additional time to fulfil the DSR, if required.

  • Accept/Reject Identity: The organisation can accept or reject the provided identity information for verification.
  • Request More Data: If specific details are missing, users can request additional information from the data subject.
  • Leave Comments: Users can add comments to the DSR for internal notes or communication purposes.
  • Tag Individuals or Teams: Enables the tagging of relevant personnel or teams responsible for resolving the DSR. Note: Use "#" to tag teams and "@" to tag individuals in comments.

Execution Details

In the "Execution Details" we can see an in-depth breakdown of the specific actions associated with the Data Subject Request (DSR) and their current status. Each action corresponds to a particular task or step required to fulfil the DSR.

In the "Flow" tab of the execution details, you can see the visualised workflow for each step of the DSR request. This provides an alternative view of the request's execution and automation process, ensuring transparency and efficient tracking of the DSR's status.


Submitting a Subject Request Manually

Users (please note that this is only available for admins and not for members) can also submit DSRs manually. To do this, they need to navigate to Requests module and click on “+New”.

Next, select the DSR type

Then select the category of individual (subject type), add the subject’s email, attach a file and add additional information if needed and submit your DSR.

If you’re an admin you’ll see your newly created DSR in Requests and in Tasks.

Members will see it in Tasks module and responsible teams/users will be notified that they have received a task via email.

Members will also be able to see the task details, complete and reassign the task.

More on Member’s experience {here}

Processing a DSR

DSRs will show up in both Tasks and Requests modules. To start processing your task, navigate to task’s details.

Task details page provides comprehensive information about each assigned task, including the task description, identifiers (personal data), comments section, assignee information, process description and task completion button. Reviewing task details is essential for understanding the scope and requirements of each task.

Conclusion

Our comprehensive Data Subject Requests (DSRs) management features provide organisations with a robust platform to handle data privacy requests efficiently and ensure compliance with data protection regulations. By configuring DSR settings, including request types and categories of individuals, organisations can tailor their workflows to meet specific needs and obligations.

With the Workflow Builder, organisations can automate the DSR execution process, assign tasks, verify identities, and approve reports seamlessly. The automation capabilities reduce manual overhead, facilitating quick and accurate responses to data subject requests.

By leveraging our collaborative platform, organisations can maintain transparent communication channels, facilitate efficient data sharing, and demonstrate a strong commitment to data privacy. TrustWorks' capabilities enable organisations to prioritise privacy, build trust with data subjects, and demonstrate compliance in today's privacy-focused landscape.

Through TrustWorks' powerful features, organisations can efficiently handle data subject requests, demonstrate their commitment to data privacy, and achieve a streamlined and compliant data privacy management process.

Still need help? Contact Us Contact Us