Processing privacy requests
Privacy request processing is the process by which approved privacy requests are submitted to internal databases or third-party SaaS applications to be fulfilled. Said differently, processing is the execution of the privacy request that ensures the legal obligation has been met.
- For Access or Portability requests, Fides will send a request to the data store to return a machine-readable package containing all personal data that is found about the data subject.
- For Erasure or Rectification requests, Fides will send a request to the data store to erase, mask, or update all applicable personal data that is found about the data subject.
Methods for sending requests
There are multiple methods available for sending privacy requests to database or third party SaaS vendors:
- API requests: This is the preferred way to process privacy requests and uses an interface provided by the database or third party SaaS vendor.
- Email requests: Email requests use a pre-configured email template to submit privacy requests to the vendor, using the email address provided in their privacy policy.
- Manual requests: Fides can be configured to use a webhook to connect to an application and execute requests.
See the relevant sections below to learn more about each approach:
API requests
This is the preferred way to process privacy requests and uses an interface provided by the database or third party SaaS vendor.
In order to configure privacy requests using an API, you will need to:
- Gather credentials with the appropriate permissions.
- Generate & annotate a dataset to describe the data store (if the application is a database).
- Configure an integration to the application or database.
- Review and update the privacy request execution policy (if desired).
Gathering credentials
Fides uses Integrations to submit privacy requests to databases and third party SaaS applications. In order to execute the appropriate queries to satisfy privacy requests against a data store, Fides will need credentials for an account with permission to perform these operations.
When you have gathered these credentials, you can proceed to generate your dataset if you're using a database, or skip ahead to configure an integration, for SaaS connections.
Generating datasets
A dataset is a configuration file that describes, to Fides, how to interact with your databases for the purpose of processing privacy requests. A dataset describes where categories of personal data (e.g. user contact info) can be found and how fields in tables or collections are related so that Fides can traverse the data to fulfill privacy requests.
In order to generate an actionable dataset, you will need to:
- Generate a dataset
- Annotate the dataset with data categories
- Establish which fields contain identities
Once the dataset configuration is complete, you can move to the next step and link the dataset to an Integration.
Configuring integrations
An Integration connects Fides to your databases and third-party SaaS applications, allowing Fides to execute privacy requests against all data in your organization. To learn how to configure integrations in Fides, please see our guide for Integrating systems.
Managing policies
A privacy request policy is a set of rules that are executed when a data subject submits a privacy request. The policy describes how Fides should return or erase data to satisfy the privacy request.
A privacy request policy consists of:
- Rules: these define which actions to take when a privacy request with the corresponding action_type is submitted.
- Rule targets: these are the data categories to which the rule applies, as annotated in the previous step.
Fides ships with two default privacy request policies: download (for access requests) and delete (for erasure requests).
- The download policy is configured to retrieve user data and upload this data to a local storage location.
- The delete policy is configured to mask user data with the string "MASKED".
To learn how to configure custom policies, please see our guide for Configuring privacy request policies.
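The dataset section above says that annotating data categories, identities and field references is what lets Fides traverse related tables, and the policy section says that rules act on rule targets (data categories), retrieving user data for access and masking it with "MASKED" for erasure. The following is an added example, not Fides's own code or data model: a small in-memory sketch of those two ideas. The DATASET and ROWS structures, the dotted category names (modelled on the Fides-style taxonomy but constructed here) and the helper functions traverse, targeted, run_access and run_erasure are all assumptions made for illustration.

```python
"""Toy model of how an annotated dataset drives privacy request execution.

Added example, not Fides's own code: an in-memory sketch of the page's ideas.
A dataset says, per collection, which field is an identity, which data
categories each field holds and which fields reference another collection;
a policy rule then targets data categories. Collection layout, rows,
category names and helper names are all constructed for illustration.
"""
import copy
from collections import deque

MASK = "MASKED"  # value the page's default delete policy writes

# Constructed dataset: `orders.customer_id` references `customer.id`, and
# `customer.email` is the identity a data subject's request is matched on.
DATASET = {
    "customer": {
        "identity": "email", "primary_key": "id", "references": {},
        "fields": {"id": ["user.unique_id"], "email": ["user.contact.email"],
                   "name": ["user.name"]},
    },
    "orders": {
        "identity": None, "primary_key": "id",
        "references": {"customer_id": ("customer", "id")},
        "fields": {"id": ["system.operations"], "customer_id": ["user.unique_id"],
                   "shipping_address": ["user.contact.address.street"]},
    },
}

# Constructed rows standing in for the two database tables.
ROWS = {
    "customer": [{"id": 1, "email": "jane@example.com", "name": "Jane Doe"},
                 {"id": 2, "email": "sam@example.com", "name": "Sam Roe"}],
    "orders": [{"id": 10, "customer_id": 1, "shipping_address": "1 Main St"},
               {"id": 11, "customer_id": 2, "shipping_address": "9 Elm St"},
               {"id": 12, "customer_id": 1, "shipping_address": "1 Main St"}],
}


def traverse(dataset, rows, identity):
    """Return {collection: matching rows} reachable from the identity.

    Collections whose identity field is supplied are matched directly; any
    collection with a reference into an already-resolved collection is then
    joined on the referenced field, breadth-first. Without the reference
    annotation `orders` would never be visited and its data would be missed.
    """
    found, queue = {}, deque()
    for name, coll in dataset.items():
        id_field = coll["identity"]
        if id_field and id_field in identity:
            found[name] = [r for r in rows[name] if r[id_field] == identity[id_field]]
            queue.append(name)
    while queue:
        parent = queue.popleft()
        for name, coll in dataset.items():
            if name in found:
                continue
            for field, (ref_coll, ref_field) in coll["references"].items():
                if ref_coll == parent:
                    keys = {r[ref_field] for r in found[parent]}
                    found[name] = [r for r in rows[name] if r[field] in keys]
                    queue.append(name)
                    break
    return found


def targeted(categories, rule_targets):
    """Categories form a tree: a rule targeting `user` covers `user.contact.email`."""
    return any(c == t or c.startswith(t + ".") for c in categories for t in rule_targets)


def run_access(dataset, rows, identity, rule_targets=("user",)):
    """Access rule: collect only the fields the rule targets into a package."""
    package = {}
    for name, matched in traverse(dataset, rows, identity).items():
        fields = dataset[name]["fields"]
        selected = [{f: r[f] for f in fields if targeted(fields[f], rule_targets)} for r in matched]
        if any(selected):
            package[name] = selected
    return package


def run_erasure(dataset, rows, identity, rule_targets=("user",)):
    """Erasure rule: overwrite targeted fields with MASK; returns the count masked.

    Primary keys and reference fields are left intact (a choice of this toy)
    so the rows that remain stay joinable.
    """
    masked = 0
    for name, matched in traverse(dataset, rows, identity).items():
        coll = dataset[name]
        keep = {coll["primary_key"], *coll["references"]}
        for r in matched:
            for f, cats in coll["fields"].items():
                if f not in keep and targeted(cats, rule_targets) and r[f] != MASK:
                    r[f] = MASK
                    masked += 1
    return masked


if __name__ == "__main__":
    jane = {"email": "jane@example.com"}
    print(run_access(DATASET, ROWS, jane))
    db = copy.deepcopy(ROWS)
    print(run_erasure(DATASET, db, jane), "fields masked")
    print(db)
```

Two details worth noticing when running it: a rule target of user.contact narrows the access package to the email and address fields only, because the category tree is matched by prefix; and once the erasure rule has masked the identity field itself, a later request for the same email address finds nothing, which is the intended end state rather than an error. Deleting the reference annotation from orders in DATASET shows the failure mode the page warns about: the orders rows silently drop out of both the access package and the erasure.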
Configuring storage
Access requests produce a package of personal data upon completion, if data is found. This data will need to be uploaded to a storage destination (e.g. an S3 bucket) in order to be returned to the user.
To learn how to configure a storage destination, please see our guide for Creating a storage destination.
Troubleshooting
To learn how to debug common issues with API-based privacy requests, please see our guide for Identifying & debugging issues.
Email requests
To configure Fides to send erasure requests via email, follow these steps:
- Navigate to the system: Data map → View Systems and choose the system that you want to integrate with.
- Click on the Integrations tab.
- Select Generic Erasure Email from the drop-down menu.
- Enter the SaaS application name.
- Enter the Recipient email address (typically privacy@[company].com).
- Enter a Test email address, if desired. This will send a copy of the email request to the specified address.
- Click Save.
Manual requests
Manual privacy requests allow vendors to upload personal data using an API to satisfy Access requests. To enable these requests, a manual process integration must be configured.
To configure the manual process integration:
- Navigate to the system: Data map → View Systems and choose the system that you want to integrate with.
- Click on the Integrations tab.
- Select Manual process from the drop-down menu.
- Enter a name for the integration.
- Click Customize DSR.
When an access request is placed, a package containing the found personal data is returned. In order to properly format this package, you'll need to tell Fides how to label the fields of personal data in it.
Thus, in the resulting modal, you'll need to fill in the following fields:
- PII Field: the label Fides will display when it solicits manual input for this field.
- DSR Package Label: the label Fides will use for this field in the access package that is returned to the data subject.
- Data Categories: the category of personal data that is returned.
To learn more about this feature, please see our Developer guide for Manual privacy requests.