Product Updates

Role-Based Access Control

posted on May 10, 2021

Role-Based Access Control allows Osano administrators to restrict application access based on a person's role within the organization. 

It's essential to keep your systems tight. Deciding what happens with a user's data is an important decision that should be based on training on laws and regulations, as well as the promises a company has made to customers within the privacy policy. Role-Based Access Control (RBAC) allows Osano administrators to decide who has access to which data within an organization. User access takes into consideration a multitude of factors, including authority, responsibility and job function. You can also limit access to specific product features and control the user's ability to view, create or modify those features. The aim is to keep data secure and allow users to focus on relevant tasks while restricting access to functions outside their access level.

An example might be: A company has many people all in charge of specific features within it. There's a customer support team that deals specifically with data subject access requests. But you don't want that group to have access to changing aspects of your website's consent manager, vendor litigation or product analysis. Role-Based Access Control allows you to assign roles to individual users that limit that access.

Why does this matter?

Role-based access control gives customers the ability to manage which areas of a particular system their users can access at a granular level to maintain compliance with various security standards. The solution is in line with the security principle "Give the fewest amount of people the least amount of access possible to do their jobs." 

The National Institute for Standards and Technology proposed RBAC in 1992. Since then, it's become the standard for many large organizations, as well as government organizations. While the EU General Data Protection Regulation doesn't specifically mandate RBAC, it does call for organizations to "implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk."

Implementing RBAC should include a data inventory, defining roles (who should have access to what), an information-campaign for employees on the policy and regular audits to ensure it's working.

Product(s) Affected

Core Platform



Data Subject Access Request Voice Forms

posted on May 10, 2021

DSAR Voice Forms allow end-users to dial a phone number to submit data subject access requests rather than filling out the web form itself.

Introducing Data-Subject Access Request (DSAR) Voice Forms.  Given the ever-increasing need to handle data-subject access requests, DSAR Voice Forms allow end-users to dial a phone number to submit data subject access requests rather than filling out the web form itself. Data subject access requests are a consumer tool provided under European and California privacy laws. Companies covered by the EU General Data Protection Regulation or the California Consumer Privacy Act have to provide users with the information you've collected about them and how you're using it. Generally, those requests come in written form.

Specifically, the GDPR says data subjects should be able to exercise their right to data collected about them and should be able to "exercise that right easily and at reasonable intervals." They should have the right to "know and obtain communication" from a company about why their data is being processed, who has access to it, the logic on which the data is being processed and "at least when based on profiling, the consequences of such processing." 

Under the GDPR, companies can't charge a fee for a DSAR, and they have to be filled within 30 days of receipt.

But the California Consumer Privacy Act goes further and requires businesses that have an offline component to maintain a phone line to accept data subject access request submissions. Under the CCPA, DSARS must be fulfilled within 45 days of receipt, compared to the GDPR's one-month timeframe.

Osano's Voice Forms allow for a voice-to-text translation, automating the DSAR submission process. Transcripts and recordings will be accessible alongside submissions, so our customers can ensure the accuracy of requests. 

Why does this matter?

Call centers and call agents are a significant expense. They require companies to hire and train agents and have enough agents on call at all hours to handle incoming requests. That's why companies often outsource call center agents. The DSAR Voice Form means Osano customers can cut costs by eliminating the need for a live, trained agent.

DSAR Voice Form helps you:

  • Comply with GDPR rules on data subject access requests
  • Comply with California privacy law rules on data subject access requests

Product(s) Affected

Subject Rights Management



First-Layer Categories

posted on May 10, 2021

Greater customization in how a user interacts with the consent banner can be accomplished with the implementation of first-layer category control.


Cookie rules in the U.K. and the EU require sites with European visitors to display the purpose and categories of the cookies they'll drop if users accept. There are two "layers" involved when it comes to most cookie compliance laws.

  1. The first layer is the immediate interaction with the user, the very familiar box that asks them to "accept" or "decline" cookies.
  2. The second layer is user-initiated, in the event they want to know more about how their data will be collected and used. 

By default, Osano uses a popup containing all opt-in categories for users accessing sites from the EU and other select locales. By toggling First-Layer Categories to "off," the popup becomes a "Manage Preferences" display.  A second-layer "drawer" allows users to view and consent to the site's cookie categories (i.e., cookies used for marketing, personalization, analytics). 

Why does this matter?

For Osano customers in the EU and the European Economic Area, the First-Layer categories feature offers more flexibility over how the Osano consent banner appears to customers. Sites may experience higher opt-in consent rates with First-Layer Categories off.

Product(s) Affected

Consent Management



3 4 5 6 7
of 7
The managed data privacy platform

Get started with Osano today

Explore Osano

What's New at Osano

Introducing Osano Privacy Legal Templates

Now, with Osano Privacy Legal Templates you can get started faster by leveraging templates generated by our global team of privacy experts.

Learn more

Introducing DSAR email intake

Capture data subject rights requests with the convenience of email and the efficiency of a dedicated intake form.

Learn more

New reworked DSAR and discovery

We've reworked and redesigned Osano Subject Rights Management and Data Discovery, unifying them into a single, seamless experience and creating automation to save you time.

Learn more

Stay GDPR compliant under new French ruling

Privacy regulators at the CNIL in France recently declared that Google Analytics violates GDPR. Osano’s new block list feature can disable Google Analytics in France to keep you compliant while allowing you to use Google Analytics in regions where it is still legal.


New in May 2022: DSAR conditional fields, 28 new integrations, and more!

Customize DSAR forms with conditional fields, serve consent banners in additional languages, use 28 new integrations for Data Discovery, and more! Check out our latest product announcement blog for demos, links, and more information.


View more product updates

Osano product & engineering teams have been hard at work. View the full list of all product updates.

View Product Updates