Product Updates

Introducing Osano automated DSAR summaries and deletion

posted on March 1, 2023

Processing data subject access requests (DSARs) is a core part of every privacy program. From GDPR in Europe to the slew of new laws passed in the US and around the world, almost every privacy regulation includes provisions for the rights of the data subject (the person whose data is being collected and processed).

And yet, most businesses are still processing DSARs manually using email and spreadsheets. According to Gartner, manually processing a subject rights request costs an average of $1400 USD[1]. Today, we’re pleased to announce Osano’s new automated DSAR summaries and deletion so you can process DSARs in less time with more confidence. 

Osano subject rights demo 

This demo video shows an end-to-end flow of Osano’s subject rights management solution including Osano’s new capabilities to automate data summaries and data deletion.

How does Osano’s automated subject rights feature work?

When a data subject makes a DSAR to an Osano customer, there are several points of automation that would otherwise be a manual process without Osano: 

1. Automated email intake
2. Automated email verification
3. Automated task assignment
4. Automated data store owner notification
5. Automated data summary (NEW!)
6. Automated data deletion (NEW!)
7. Automated data packaging (NEW!)

Read on to learn more about how Osano automates these processes for you.

Automated email intake

Osano provides DSAR forms out-of-box that are simple to add to your website with one line of code. Forms are the best way to capture subject rights requests as they ensure you have all the key information you need such as the requestor name, location (so you know which laws apply), and the type of request (summary of data, delete data, correction, etc.). 

But what about requests made to your email address that isn’t processed through your form?

These emails can be time-consuming to process and often require multiple back-and-forth emails to obtain all the necessary info. Often, a group inbox needs to be set up and coordinating between internal stakeholders on who will answer which email is difficult.

With Osano's automated intake, you get a forwarding address with each DSAR form you create. Osano will then process any emails sent to your address by replying with a link to fill out the correct information in the DSAR form. This ensures every request is complete and you don’t waste time processing requests that don’t have the necessary info.

Automated email verification 

Once Osano receives a request, the first thing it does is send an email verification. This helps in 3 ways:  

1. Reduces or eliminates spam from automated bots that aren’t real people. Bots don’t have rights—but people do. Osano makes sure you can do the right by respecting people’s right to privacy without getting bogged down by robot spam.  
2. Reduces or eliminates fraud from nefarious actors. These days, it’s very easy to spoof an email and pretend to be someone you’re not. These bad actors might want access to someone’s info they shouldn’t have, or they may be attempting to attack someone by trying to get their data deleted. Osano email verification makes sure you know the email address listed was verified by the owner of the account.  
3. Verifies identity (in many cases). For many organizations, email address is the unique identifier used in their system to represent a user. If you have a verified email, this is often enough to verify a user’s idenity and process their request. Osano does enable you to capture additional files and infomation in case you need more info to verify a user’s identity depending on the local laws and your internal policies.  

Automated task assignment

The next step in processing a DSAR is to gather a list of all of the data stores that could be holding personal information (PI) and all of the data store owners. These data store owners are the administrators who are able to search that data store and fulfill a subject right request.

With Osano, you only have to set up this information once, and then every DSAR that comes in gets processed according to the rules you pre-set. You can designate how each field in a data store should be processed when a DSAR comes in. For example, when a deletion request comes in, you may want to delete a user’s data from a CRM system, but you may want to only redact information in your financial system if local laws require you to keep the record for a period of time.

When each DSAR comes in, Osano automatically identifies all the data stores that apply to that request type, and for manual data stores, automatically assigns the data store owner a task to process the DSAR. (For automated data stores, Osano processes the request for you!)

Automated data store owner notification 

Once you’ve identified which data stores and which data store owners need to be part of a DSAR, you need to communicate with all of them. In a manual system, this can lead to a tedious chain of emails.

With Osano, each data store owner is automatically notified via email that they have a DSAR to process. They can log into Osano to see all of the relevant information, such as the data subject’s details along with any notes about the data store fields.

Then, data store owners can even upload files that can be automatically packaged up when all the processing is complete.

Automated data summary (NEW!)  

Osano has a large and growing list of SaaS integrations that can perform automated summaries. In this case, when a data subject requests a summary of their data, Osano will automatically search the SaaS app for the user’s PI and output a CSV file with the summarized information.

Using automated data stores, processing DSARs goes from being a complex, multiple-step task to being as simple as clicking a button. With one click, the data requests manager can mark an identity verified, and with one click, they can package and send all files to the data subject using Osano’s secure messaging portal.

Automated data deletion (NEW!)

Automated deletion works the same way as Osano’s automated summaries. As long as the SaaS app supports deleting data via its API, then Osano will automatically delete the PI and provide a CSV file summarizing all the data that was deleted to send to the requester.

If you’d like, you can test an integration first by enabling automated summaries to see what info would be deleted. Then, when you feel comfortable doing so, you can enable automated deletion so your data store owners no longer need to manually delete the data. Instead, you can let Osano automate the process.

Automated data packaging (NEW!)

The final step in processing a subject rights request is to send the data to the user and inform them the request has been completed. In the case of a summary or deletion request, this includes packaging up all of the CSV files from associated data stores into a single zip file and sending it to the user. Osano automatically gathers all files that are either auto-generated by the platform or uploaded by data store owners and lists them together for the data request manager to review. There’s also an option to upload additional files if the manager wishes to do so. Then, with the click of a button, all of the files are packaged together into one zip file and sent to the original requestor via Osano’s secure messaging portal.

How to get started with Osano DSAR automation 

Osano subject rights management is included in Osano’s Enterprise pricing plan. If you are an Enterprise plan customer today, you already have access to subject rights management. Visit the geting started guide along with the automation docs to learn how to set up DSAR automation for your organization.

If you are not yet an Osano Enterprise plan customer, reach out to our sales team to start a conversation about how Osano can save you time while allowing you to comply with privacy laws in 50+ countries around the world. 

[1] https://www.gartner.com/en/newsroom/press-releases/2020-02-25-gartner-says-over-40-percent-of-privacy-compliance-technology-will-rely-on-artificial-intelligence-in-the-next-three-years

Availability

Enterprise

External vendor assessments now available

posted on February 1, 2023

Ever try hammering in a nail with a screwdriver? It’s possible to do in a pinch, but you wouldn't build a house in this way; you'd only cause damage and slow yourself down. Having the right tool for the job makes all the difference. Just like getting your team the software tools they need can be the difference between exceeding your quarterly goals or planning for another round of layoffs.

Privacy plays a critical role in software procurement. Without proper privacy reviews, new tools that put your users’ and employees’ data at risk may be unknowingly purchased and onboarded. This can lead to steep consequences, including regulatory fines and negative headlines. However, privacy reviews that take too long slow down the procurement cycle and can keep critical capabilities out of the hands of the people who need them.

It’s a delicate balancing act to protect your organization while also empowering teams to move fast. This is why Osano is introducing external vendor assessments. Now, the same privacy management platform you rely on for world-class consent management, subject rights management, and vendor monitoring also sets you up for success when you need to evaluate the privacy impact of new vendors.

Vendor assessments with Osano

In addition to the existing DPIA and RoPA templates, Osano now includes templates for vendor privacy and vendor security. Built by Osano’s privacy experts, these new templates are based on the NIST privacy and security frameworks. These new templates are designed for your external vendors to fill out during your procurement process. As such, Osano now includes the ability to assign any template to an external user by inputting their email address. Users receive an email notification that they have a new assessment to fill out and a link to the new Osano Assessments portal.

To see Osano’s new assessment in action, check out this demo:

Getting started with Osano Assessments is easy. Log in to your Osano account and navigate to the assessments section of the app. Then, simply create a new assessment, choose a template, and assign users to complete the assessment. 

Availability

Enterprise

Osano CMP support for 2023 US privacy laws

posted on December 15, 2022

There’s a lot of action in the world of privacy with 5 new privacy laws going into effect in the US next year. California, Colorado, Connecticut, Virginia, and Utah all have new legislation set to go live. In particular, California’s CPRA and Virginia’s VCDPA become active on January 1. With all of these changes, many of the folks we’ve been talking to have shared their struggle to keep up with the legislation and what it means for their business. Osano is here to help! 

The new features in the Osano Consent Management Platform (CMP) give you a simple way to comply with even the nuanced and complex parts of the US laws. In this post, we’ll outline some of the changes the new regulations are asking businesses to comply with. We’ll also show which Osano CMP features you can use to stay compliant and do the right thing by respecting your users’ privacy. 

In this post

• Which US laws are going into effect in 2023? 
• What are the new CMP requirements in CPRA and VCDPA?
  • Global Privacy Control (GPC)
  • Do not sell or share
  • Single, clear setting
  • State-level targeting — new banner defaults
  • State-level targeting — new API 
• Summary

Which US laws are going into effect in 2023? 

Five new laws are going into effect, each with slightly different variations in their requirements. We’ve previously written some articles that go into depth on what each law requires (so far) linked in the following  table. These US state law articles cover each of the laws broadly and generally. 

Law	Full name	Effective Date
CPRA	California Privacy Rights Act (Replacing CCPA)	Jan 1, 2023
VCDPA	Virginia Consumer Data Protection Act	Jan 1, 2023
CTDPA	Connecticut Data Privacy Act	Jul 1, 2023
CPA	Colorado Privacy Act	Jul 1, 2023
UCPA	Utah Consumer Privacy Act	Dec 31, 2023

You can also check out our six-month, three-month, and one-month countdown articles, which summarize some actions steps you can take to prepare for compliance. 

In this blog, we’ll dig specifically into the CPRA’s and VCDPA’s requirements for consent management that go live on January 1, along with the new and existing Osano CMP features you can use to comply. We’ll also provide the specific “customer actions” you can take to start using these new Osano features. 

What are the new CMP requirements in CPRA and VCDPA? 

In addition to previous requirements (such as notifying users of cookie use and asking for their consent), there are 4 new CMP requirements starting January 1. This table shows a summary of the requirements as well as which Osano CMP features help you comply with them. Read on for the details of each requirement as well as the corresponding Osano CMP features. 

Requirement	What does it mean?	California (CPRA)	Virginia (VCDPA)	Osano Feature
Global Privacy Signal (GPC)	Capture an opt-out signal from the user’s browser for this session.	Opt-out preference signal	n/a	Global Privacy Control (Available today) - Docs
Do not sell or share	Don't sell my personal information (PI) for monetary gain.  Don't share or process PI for advertising purposes.	Do not sell or share my PI   "Share" = Opt out of cross-contextual behavioral advertising	Do not sell my PI Opt out of targeted advertising	Updated drawer text  (Available today) - Docs
Single, clear setting	One place to set “do not sell” and “do not share” preferences.	One option to satisfy both requirements.	n/a	Do Not Sell Modal  (Available today) - Docs
State-level targeting	Show different content for different states.	CA laws vs US	VA laws vs US	State-level targeting API  (Available today) - Docs Updated banner defaults  (Planned for Dec 30) - Docs

Global Privacy Control (GPC)

CPRA is now requiring the ability for users to opt out via a preference signal. While the language is a bit vague, one concrete way to meet this requirement is to capture and process GPC. The GPC setting can be enabled in a user’s browser. Once turned on, it sends a privacy signal to all of the websites visited in that browser asking them not to sell or share the user’s personal information and to opt them out of marketing/advertising cookies.

The good news is that Osano has had support for GPC for a while now. You can enable GPC in your CMP configuration settings. Once enabled, Osano will process the signal based on the user’s location. You can find full details in the Osano Global Privacy Control (GPC) documentation. 

Customer Action: Enable Osano CMP’s GPC functionality if you aren’t already using it. 

Do not sell or share

One of the CPRA’s biggest updates to California’s previous law (the CCPA) is the shift from “do not sell” to “do not sell or share.” This adds the right for users to not only request their personal information (PI) not be sold for monetary gain, but also for users to opt out of having businesses share or process PI for advertising purposes. Virginia’s law also requires businesses to enable users to opt out of both the sale of their PI and targeted advertising. 

Osano CMP previously supported the ability for an end-user to configure their consent preferences for both “do not sell” as well as the ability to opt out of marketing/advertising cookies via a separate setting in the preference drawer. Now, in order to more closely comply with CPRA’s language, we’ve updated the text and behavior of the CMP preference drawer. Now, selecting the “do not sell or share” toggle will also disable marketing categorized cookies as well. 

Previous preference setting	New preference setting

Customer Action: You must republish your CMP configuration in order to get the new language. Enterprise customers can also customize the verbiage as needed.

Single, clear setting

In addition to allowing users to opt out of both selling and sharing of PI, CPRA also states that businesses must “provide a clear and conspicuous link” to enact this right. Although the Osano CMP preference drawer allows users to set this preference, it also contains additional preferences. In some cases, users may need to scroll to get to the “Do not sell or share” setting. In order to satisfy this requirement for a single link, we’ve released a new “do not sell” modal.

The new modal can be activated using the Osano JavaScript API. You can now add a “Do not sell or share my personal information” link to the footer of your website that causes the modal to appear when clicked by making a call to the showDoNotSell() method.

The new modal has a single setting. Enabling the toggle has the same effect as enabling the “do not sell or share” setting in the preference drawer.

Customer Action: Add a “Do not sell or share” link to your website’s footer that shows the “do not sell” modal. 

State-level targeting — new banner defaults

One of the most powerful features of Osano CMP is that it automatically shows the correct banner to the visitor based on their location. Starting December 30, Osano will change what banners are shown as the default banner for California, Virginia, and the rest of the United States. 

You can see a full list of banner formats and the current locations in which they are served in the documentation. 

Location	Current default (CCPA opt-out disabled)	Current default   (CCPA opt-out enabled)	New default on Jan 1 (CCPA/CPRA opt-out disabled)	New default on Jan 1 (CCPA/CPRA opt-out enabled)
California	Banner 3	Banner 1	Banner 3	Banner 1
Virginia	Banner 3	Banner 1	Banner 3	Banner 3
Rest of US	Banner 3	Banner 1	Banner 1	Banner 1

Customer action: If you currently override any banner defaults, you will want to review your overrides before January 1 to ensure you are still compliant when the new laws take effect. If you don’t perform any overrides, then no action is needed on your part. These new banner defaults will automatically go into effect on your site starting January 1. 

State-level targeting — new API 

The Osano JavaScript API has been updated to support state-level targeting. The countryCode property has been deprecated and superseded by the jurisdiction property. The jurisdiction property returns the lowercase country and subdivision codes according to ISO 3166-1 and 3166-2 where Osano CMP geolocates a user based upon their IP address. 

countryCode — For example, returns “us” 

jurisdiction — For example, returns “us-tx”

Customer Action: If you are using the JavaScript API, you should update your code to use jurisdiction instead of countryCode.

Summary

The privacy landscape is complex and continues to evolve. Osano will keep track of it for you. With these new and existing features, you can be confident you’ll be ready for CPRA and VCPDA on January 1.

Availability

Business,  Business+,  Developer,  Enterprise