CENTRL's Individual Rights Request module makes it easy to carry out requests in compliance with GDPR and CCPA regulations. This article will help you understand the basics of a rights request including your legal obligations.
This article covers the following:
- Navigating to your Request
- Editing a Request
- Verifying the Data Subject
- Communication and Collaboration
- Assigning a Request
- Extending the Due Date
- Resolving a Request
- Viewing your Request History
Navigating to your Request
1. Navigate to Data Subject Requests from the DSAR module as shown above.
2. Click on your Active Request as shown above.
Editing a Request
1. Click on your Active Request as shown above.
2. Within the Detail view, click on the Three dots and select Edit Request.
3. You can edit the Request Details as required. Once done, click on the Save Changes button.
Note: The changes will appear in the Detailed view of the Request.
Verifying the Data Subject
When a Request is received, it will be in the ID Verification stage. The organization must verify the Data Subject's identity before executing the request. CENTRL requires a comment confirming that the verification has taken place.
To protect personal information, GDPR and CCPA require the controller to take reasonable steps to verify the subject's identity.
While verifying a subject's identity, you should avoid asking the subject for additional personal information like a government-issued identification number or card. Asking for more detailed personal information exposes the controller to other risks of data breaches and can be construed as excessive. Best practices include asking the user questions about their account activity or preferences. For more sensitive records (bank records or purchase history), verification should be more robust (phone call to establish ownership of the account).
Controllers should only deny requests after exhausting all reasonable attempts to verify the user.
Communication and Collaboration
The DSAR module lets users communicate with the data subject and invite and work with internal collaborators. To learn more about internal collaboration for a rights request, click here.To learn more about internal and external communication for a rights request, click here
Assigning a Request
You can assign a request to either yourself or to another user within your organization. You can do this by clicking on the assignment icon and first un-assigning the current user and then adding a new user. To read more about this, click here.
Extending the Due Date
When dealing with a complicated request, you may extend the 30-day deadline by two months. Users must provide a rationale and notification to the data subject. You can manage extensions through the request options. To read more about this, click here.
Resolving a Request
Users can either fulfill or deny a request. A denial must include both instructions on how to petition a Data Authority and the right to seek a judicial remedy. To read more about the requirements to fulfill and deny the request as well as read about our standard denial templates, click here.
Viewing your Request History
The Request History allows data controllers to view all the activity regarding the selected Request. To learn more about this feature, click here.