Processing Data Subject Requests In Ethyca

How Ethyca Streamlines Data Subject Requests

Ethyca provides companies with a user-facing Privacy Center that simplifies a business’s privacy management processes. In the Privacy Center, your users can submit data access requests, manage their consent preferences from a single location, and file “do not sell” or erasure requests. From here, they can also view your company’s privacy policy. This custom-branded web page serves as a portal for your users to manage their privacy in a streamlined fashion.

On the backend of this Privacy Center, the Ethyca Control Panel empowers your business to manage data privacy effectively and automatically. From the Subject Request section of the Ethyca Control Panel, your team can efficiently organize, process, and respond to the data subject requests that your company receives. We’ll now take a look at what a typical data subject request flow looks like using Ethyca.

 

What a Typical Data Subject Request Process Looks Like Using Ethyca

  1. The process begins when a user submits a data subject request via the custom-branded Ethyca-powered Privacy Center on your company’s website. In this case, they’re making a data subject access request by clicking “DOWNLOAD MY DATA.”

  2. The user is directed to a new page and prompted to provide details about their identity and the request that they are making. It’s necessary to verify user identity for data subject requests to make sure you’re sharing information with the correct individual. You can learn more about the methods for doing so here, but if you’re using Ethyca, it’s taken care of automatically.

      • Once the user’s identity has been verified, the details of their data subject request are sent to your Ethyca Control Panel on the backend. The user will automatically receive an email confirming that your company has received their request, that your team is processing it, and that the user will be updated with a follow-up email as soon as the processing of their request is completed.

The expectation here, on the user’s side, is that they will be provided with all of the personal data that your company is currently processing about them. The obligation is that your company will provide this within a reasonable timeframe according to the specific data privacy law that applies in the user’s jurisdiction.

3. As soon as the user submits the details of their access request and verifies their identity through your Privacy Center, your team will receive the request in their Ethyca-powered Control Panel on the backend.
You can review all requests and their statuses in the “Subject Request” section of the Control Panel. 

      • In the “For Review” tab, you can view all data subject requests that have not yet been reviewed by a team member. From here you can see the type of data subject request as well as the time frame by which it should be processed in order to remain compliant. You can also see the number of records of personal data that your company processes about an individual user. Your team can decide whether the request needs to be processed or not by selecting the appropriate approval status. 
      • Data subject requests that require action from your team will be sorted into the “For Review” tab. For the user example above, they are requesting a copy of all of the personal data that is being processed about them. Their request will be moved to the “Processing” tab after your team has approved this user to access their data. “Processing” means that Ethyca’s automated data subject request engine is working on fulfilling the request and generating a response. Once that process is complete, the user will be sent a copy of this data via email and the request will be moved to the “Complete” tab. 
      • User requests for their data may also be put into the “Processing” tab automatically, depending on your organization’s settings (you can turn off the need for manual approval). Have an administrator of your organization confirm your settings in Admin Settings >> Organization >> Subject Requests.

      • In the “Complete” tab, you can view all requests that have been successfully processed, when they were processed, and which individual member of your team processed them. 
      • In the “Rejected” tab, you can view all requests that failed to be carried out. This is typically because the user’s details were not found in your company’s databases or because the request was deemed to be beyond the scope of what is required to satisfy data privacy law compliance.

4. Once Ethyca has processed the user’s request, they will automatically receive an email confirming that it has been processed and providing them with a link to view and download all of the personal data that your company is currently processing. If no records of the user can be found in your databases, then the user will receive an automated email informing them that there is no data associated with the details that they have provided. They’ll also be prompted to provide alternative details if they still believe that their data is being processed by your company (for example, they may choose to enter a different email address when submitting the request).

5. After the user clicks on the download option in the email, they will be redirected to your company’s Privacy Center. From here they will have access to view and download a copy of each category of personally identifiable information that your organization is processing about them.

If you have any questions about processing data subject requests or about using Ethyca’s data privacy platform, please feel free to reach out and we’d be happy to help!

 

Quick Reminder: What Is a Data Subject Request?

A ‘data subject request’ is a request that a user can make in relation to the personal data which are being ‘processed’ about them by an organization. These requests are a fundamental part of a data subject’s rights and they are enforced by prominent data privacy laws all over the world, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Brazil’s Lei Geral de Proteção de Dados (LGPD). Failure to address data subject requests can result in serious fines and severely damage your company’s reputation. For these reasons, it’s crucial that every organization that processes personal data has an efficient system in place to manage them effectively.

Below is a list of the data subject rights imposed by GDPR, CCPA, and LGPD which afford the user certain entitlements that they can exercise by making a data subject request.

GDPR

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object to processing
• The rights in relation to automated decision making and profiling

CCPA

• The right to notice
• The right to know
• The right to delete
• The right to data portability
• The right to opt-out
• The right to opt in (for minors)
• The right not to be subject to discrimination for the exercise of rights

LGPD

• The right to confirmation of the existence of the processing
• The right to access the data
• The right to correct incomplete, inaccurate or out-of-date data
• The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD
• The right to the portability of data to another service or product provider, by means of an express request
• The right to delete personal data processed with the consent of the data subject
• The right to information about public and private entities with which the controller has shared data
• The right to information about the possibility of denying consent and the consequences of such denial
• The right to revoke consent

Before considering how your company can address a user’s data subject requests, you should make sure that you have a clear understanding of your organization’s existing data infrastructure. You can find out more about mapping the state and flow of this data in our guide to building a company data map.