Processing data subject access requests (DSARs) is a core part of every privacy program. From GDPR in Europe to the slew of new laws passed in the US and around the world, almost every privacy regulation includes provisions for the rights of the data subject (the person whose data is being collected and processed).
And yet, most businesses are still processing DSARs manually using email and spreadsheets. According to Gartner, manually processing a subject rights request costs an average of $1400 USD. Today, we’re pleased to announce Osano’s new automated DSAR summaries and deletion so you can process DSARs in less time with more confidence.
Osano subject rights demo
This demo video shows an end-to-end flow of Osano’s subject rights management solution including Osano’s new capabilities to automate data summaries and data deletion.
How does Osano’s automated subject rights feature work?
When a data subject makes a DSAR to an Osano customer, there are several points of automation that would otherwise be a manual process without Osano:
- Automated email intake
- Automated email verification
- Automated task assignment
- Automated data store owner notification
- Automated data summary (NEW!)
- Automated data deletion (NEW!)
- Automated data packaging (NEW!)
Read on to learn more about how Osano automates these processes for you.
Automated email intake
Osano provides DSAR forms out-of-box that are simple to add to your website with one line of code. Forms are the best way to capture subject rights requests as they ensure you have all the key information you need such as the requestor name, location (so you know which laws apply), and the type of request (summary of data, delete data, correction, etc.).
But what about requests made to your email address that isn’t processed through your form?
These emails can be time-consuming to process and often require multiple back-and-forth emails to obtain all the necessary info. Often, a group inbox needs to be set up and coordinating between internal stakeholders on who will answer which email is difficult.
With Osano's automated intake, you get a forwarding address with each DSAR form you create. Osano will then process any emails sent to your address by replying with a link to fill out the correct information in the DSAR form. This ensures every request is complete and you don’t waste time processing requests that don’t have the necessary info.
Automated email verification
Once Osano receives a request, the first thing it does is send an email verification. This helps in 3 ways:
- Reduces or eliminates spam from automated bots that aren’t real people. Bots don’t have rights—but people do. Osano makes sure you can do the right by respecting people’s right to privacy without getting bogged down by robot spam.
- Reduces or eliminates fraud from nefarious actors. These days, it’s very easy to spoof an email and pretend to be someone you’re not. These bad actors might want access to someone’s info they shouldn’t have, or they may be attempting to attack someone by trying to get their data deleted. Osano email verification makes sure you know the email address listed was verified by the owner of the account.
- Verifies identity (in many cases). For many organizations, email address is the unique identifier used in their system to represent a user. If you have a verified email, this is often enough to verify a user’s idenity and process their request. Osano does enable you to capture additional files and infomation in case you need more info to verify a user’s identity depending on the local laws and your internal policies.
Automated task assignment
The next step in processing a DSAR is to gather a list of all of the data stores that could be holding personal information (PI) and all of the data store owners. These data store owners are the administrators who are able to search that data store and fulfill a subject right request.
With Osano, you only have to set up this information once, and then every DSAR that comes in gets processed according to the rules you pre-set. You can designate how each field in a data store should be processed when a DSAR comes in. For example, when a deletion request comes in, you may want to delete a user’s data from a CRM system, but you may want to only redact information in your financial system if local laws require you to keep the record for a period of time.
When each DSAR comes in, Osano automatically identifies all the data stores that apply to that request type, and for manual data stores, automatically assigns the data store owner a task to process the DSAR. (For automated data stores, Osano processes the request for you!)
Automated data store owner notification
Once you’ve identified which data stores and which data store owners need to be part of a DSAR, you need to communicate with all of them. In a manual system, this can lead to a tedious chain of emails.
With Osano, each data store owner is automatically notified via email that they have a DSAR to process. They can log into Osano to see all of the relevant information, such as the data subject’s details along with any notes about the data store fields.
Then, data store owners can even upload files that can be automatically packaged up when all the processing is complete.
Automated data summary (NEW!)
Osano has a large and growing list of SaaS integrations that can perform automated summaries. In this case, when a data subject requests a summary of their data, Osano will automatically search the SaaS app for the user’s PI and output a CSV file with the summarized information.
Using automated data stores, processing DSARs goes from being a complex, multiple-step task to being as simple as clicking a button. With one click, the data requests manager can mark an identity verified, and with one click, they can package and send all files to the data subject using Osano’s secure messaging portal.
Automated data deletion (NEW!)
Automated deletion works the same way as Osano’s automated summaries. As long as the SaaS app supports deleting data via its API, then Osano will automatically delete the PI and provide a CSV file summarizing all the data that was deleted to send to the requester.
If you’d like, you can test an integration first by enabling automated summaries to see what info would be deleted. Then, when you feel comfortable doing so, you can enable automated deletion so your data store owners no longer need to manually delete the data. Instead, you can let Osano automate the process.
Automated data packaging (NEW!)
The final step in processing a subject rights request is to send the data to the user and inform them the request has been completed. In the case of a summary or deletion request, this includes packaging up all of the CSV files from associated data stores into a single zip file and sending it to the user. Osano automatically gathers all files that are either auto-generated by the platform or uploaded by data store owners and lists them together for the data request manager to review. There’s also an option to upload additional files if the manager wishes to do so. Then, with the click of a button, all of the files are packaged together into one zip file and sent to the original requestor via Osano’s secure messaging portal.
How to get started with Osano DSAR automation
Osano subject rights management is included in Osano’s Enterprise pricing plan. If you are an Enterprise plan customer today, you already have access to subject rights management. Visit the geting started guide along with the automation docs to learn how to set up DSAR automation for your organization.
If you are not yet an Osano Enterprise plan customer, reach out to our sales team to start a conversation about how Osano can save you time while allowing you to comply with privacy laws in 50+ countries around the world.