Direct Contact integrations are an integrated workflow that includes internal or external parties to help process requests. Within the workflow, data will be actioned based on the request type. This article walks through what that data looks like and how it's managed.
During the privacy request lifecycle, processors for connected direct contact integrations will receive an email with a link requesting them to take action on the data subject’s privacy request. After clicking the link, they are redirected to a form that provides the data subject’s email address and other relevant information to use when searching their system.
Depending on how the privacy request was submitted to the DataGrail platform (online form, email forwarding, etc.), the information included on the direct contact form will differ. The example below is the information included for a request that was submitted via the privacy request intake form.
Sharing a small amount of the data subject’s personally identifiable information (PII) is necessary on the form so the processor can locate and take action on the data subject’s records if they are present in their system. This type of data sharing can be covered by a Data Processing Agreement (DPA). Consult with your legal team to see if you have a DPA in place with your service providers.
DataGrail does not store any PD, PI, or PII from integrations and instead sends it directly to the customer's cloud storage bucket so the customer can determine their required retention/purging timeline.
As an added effort to minimize the sharing of PII through the direct contact integration process, direct contact form links auto-expire once the form has been submitted or after 14 days if the Skip and Process option is selected. This ensures access to the form is limited to active requests.
Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.