Managing DSR
This page will guide you through Intempt’s support for handling DSRs for both GDPR and CCPA.
Both the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) define that consumers/data subjects have the right to view, update, extract, and delete data that controllers & businesses have saved on them. When a consumer/data subject exercises their rights, they create a data subject request (DSR).
Roles
The GDPR defines three entities involved in data collection, with different rights and responsibilities:
- Data Subject - A person whose data is gathered. Generally, a user of your app/service.
- Data Controller - An entity that gathers data. Intempt provides tools for Data Controllers to fulfill their obligations under the GDPR.
- Data Processor - An entity that handles or stores data for the Data Controller. Under the GDPR, Intempt acts as a Data Processor.
Similarly, the CCPA defines:
- Consumer - Similar to the GDPR’s definition of data subject, geographic requirements notwithstanding.
- Businesses - Similar to the GDPR’s definition of data controller.
- Service provider - Similar to GDPR’s definition of data processor.
Rights of Data Subjects
The GDPR defines some rights of Data Subjects, including:
- The right to have data concerning them erased. Also known as the ‘right to be forgotten.’
- The right to access data concerning them.
- The right to portability of data concerning them for transfer to another controller.
The CCPA defines that consumers have rights of:
- The right to request the data saved concerning them.
- The right to request any data collected from the consumer be deleted.
OpenDSR Request Framework
Intempt is a collaborator on the OpenDSR framework, which provides a simple format for Data Controllers and Data Processors to collaborate towards compliance with requests from their Data Subjects to honor the above rights. This framework was formerly known as OpenGDPR; it was renamed in early 2020 to include CCPA support.
To learn more about OpenDSR, read the full spec on the Github page.
Intempt's OpenDSR implementation handles three types of DSRs: “Erasure”, “Accessibility” and “Export”.
General request workflow
Each DSR follows the same basic workflow:
- The data subject submits a DSR to the data controller (for example, the user sends an email to the company requesting to delete his data)
- The data controller must log, authenticate, and verify the request. If you choose to accept the request as the data controller, you need to forward a request to Intempt in its role as a data processor. To do that, you need to go to Privacy Center> Data subject requests and select "Submit request".
Next, you need to provide the following:
a. The type of request: “Erasure”, “Accessibility,” or “Export.” (see a section below for a detailed explanation of each type)
b. The type of regulation (GDPR or CCPA)
c. One or more identities for the data subject (user identifier or an email address)
- On receipt of the request, Intempt sets its status to “Pending” and creates a task to complete the DSR request. You can check the status of the request at any time.
- When the request is complete, Intempt updates the status in the console. For Erasure requests, the table confirms that the request has been fulfilled. A download link is provided for access and Portability requests, which remain valid for 7 days.
Supported Request Types
Erasure
After Intempt receives an erasure request, a 7-day waiting period starts. This waiting period allows you to cancel a pending erasure request before initiating it.
After the 7-day waiting period, any pending erasures are initiated. Once begun, the erasure may take up to 14 days to complete.
Good to know
Most privacy regulations require an acknowledgement of a request within an initial time frame. Fulfillment timeframes for requests are typically more generous as they may require follow-up to validate additional details. We recommend consulting the requirements of your privacy regulation to understand your obligations.
What data is deleted?
In response to a data subject erasure request, Intept deletes all the data stored about the user, including all events and attributes.
A delete request will also not prevent additional data concerning the subject from being received and processed by Intempt. If the data subject wishes to prevent all future data processing, they will likely need to take additional steps, for example, ceasing to use your service/app.
Accessibility / Export
Accessibility and Export requests are treated the same way, as follows:
- Intempt identifies the user that matches the request.
- Intempt searches for data related to the user, including the user attributes and events.
- Intempt compiles the data into a single text file and adds a link in the Data subject requests table.
Updated 7 months ago