Data Subject Rights Management

Full Lifecycle Automation from Request Intake to Fulfilment and Record Keeping

Relevant GDPR Articles

  • Article 12: Exercise of the Rights of the Data Subject
  • Article 13, 14: Right to Be Informed
  • Article 15: Right to Access
  • Article 16: Right to Rectification
  • Article 17: Right to Erasure (“Right to be Forgotten”)
  • Article 18: Right to Restriction of Processing
  • Article 19: Notification Obligation
  • Article 20: Right to Data Portability
  • Article 21: Right to Object
  • Article 22: Object to Automated Individual Decision Making
  • Article 7(3): Right to Withdraw Consent

Data Subjects Rights Trigger the Highest Penalties and Risk of Class Actions

The General Data Protection Regulation (GDPR) outlines nine distinct rights of data subjects that must be received, fulfilled, and documented by organizations. The complexities lie in the varying types of requests, finding the data to fulfill the request, the numerous exception cases when the request does not need to be fulfilled, as well as the documentation, response times, extension requests, identity validation, and security requirements for how requests are fulfilled.

Infringements of data subject rights trigger the highest penalties (4% of global revenue or 20M EUR). In addition, data subjects also have the right to receive compensation for damages suffered. What’s worrisome is that these claims are not subject to the penalty cap in GDPR; they are in addition to the penalties and are to be proportionate to the harm to the data subject.

OneTrust End-to-End Workflow Automation and Record Keeping Solution

End-to-End Workflow

To comply with the new data subject rights set forth in the GDPR, organizations should make it easy for data subjects to submit requests. OneTrust provides a standardized way for privacy programs to receive requests and manage them in a centralized system.

OneTrust provides organizations with the ability to tailor a branded web form – linked from your company’s privacy policy web page – as well as the ability to receive notification of a submitted request, validate the identity, and automatically file an extension if the one-month deadline is approaching. When the request is fulfilled, the organization must securely transmit the data to the individual, link it to the underlying data map to efficiently fulfill the request, and generate the proper documentation and evidence should a regulator inquire about the request.

Request Intake via a Fully Customizable Portal

Create a Request Intake Web Form and Portal

Build and configure web forms to capture data subject requests based on regulation-specific requirements.

Integrate the Web Portal Into Your Websites

The OneTrust-generated web forms can be fully tailored and integrated into your website with a single line of code.

Meet Your Brand Needs with Complete Customization

Ensure the end-user experience is consistent with your organization’s brand by adjusting the language, logo, color, and content of your web portal and email communications.

Out-of-the-Box Multilingual Capabilities

The OneTrust privacy research team has developed various data subject request templates with default settings, available in multiple languages. Start from one of these or build your own in the easy-to-use, drag-and-drop interface.

Enable Data Subjects to Select Their Preferred Language

When submitting a request, enable data subjects to select their preferred language for seamless request fulfillment routing. Translate all email communications into 45 languages.

Hosting Flexibility: EU Cloud, US Cloud, or On-Premises in Your Datacenter

Containerize and isolate your data in the residency location or data center of your choice. Migrate between cloud and on-premises at any time if your requirements change.

Automated Assignment Workflows

The process of receiving and fulfilling requests requires automating workflows for the privacy team, business users, and data subjects. OneTrust allows you to define the end-to-end subject request process from assignment to review and approval.

Validate the Requestor’s Identity

Validate the data subject’s identity through internal systems, API integrations, customer service processes, and third-party validation services.

Require Attachments for Identity Validation

With OneTrust, organizations can require that data subjects attach identification documents to requests to help validate identity and prevent fraud. Attachments are scanned for viruses and accompanied by reCAPTCHA.

Assignment Routing Workflows

Assign main responsibilities to privacy offices, IT teams, or business users based on the type of request and where the data resides.

Automatic Task and Sub-Task Assignment

Configure sub-tasks for relevant business and IT owners when a request is submitted. Sub-tasks help ensure each detail of a request is completed in a timely fashion by the appropriate party.

Track Deadlines and Automatically File an Extension

Document and communicate the justification if more time is needed to fulfill the request, and use the OneTrust platform to automatically file the extension if the deadline is approaching.

Control the Access, Edit, and Advancement of a Request

Leverage full control over administrative roles and permissions to ensure requests are adequately reviewed and approved.

Finding the Data and Fulfilling the Request

Link to Underlying Data Map

Search within the data inventory and map within OneTrust - or from external sources - to easily find, modify, or erase subject data.

Integrate with IT Service Management Tools

Integrate with third-party service management tools like ServiceNow or BMC Remedy to identify, track, and fulfill requests sent to IT teams.

Consolidate Requested Information from Multiple Sources

Use OneTrust to consolidate requested information from multiple disjointed approaches into a single, unified message to the data subject.

Auto-Delete Non-Essential Data with Retention Policies

Auto-delete any attachments containing personal data after a request is adequately fulfilled.

Securely Communicate Responses to Data Subjects

Secure Messaging

OneTrust’s secure messaging portal transmits a notification to a data subject via encrypted channels to protect the communications and information being provided.

Two-Factor Authentication

Enable two-factor authentication for an additional layer of verification and security.

Read Receipts and Two-Way Collaboration

Track and notify when your responses are read. Track follow-up requests and messages linked back to the same data subject.

Auto-Revoke Access to Data Subject Portal

After a data subject request is fulfilled, cut off end-user access to the data subject portal to prevent confusion or abuse.

Compliance Reporting, Trends, and Analytics Dashboard

Report on Compliance

OneTrust helps you maintain a complete record of data subject request activities to demonstrate compliance with data protection regulations. Capture data subject contact information, details of the request, when and how the request was completed, as well as your response to the request.

Full Audit Trail of All Changes

View the complete lifecycle of a request, including auditable details of every data subject interaction. Generate a full audit report of each data subject request.

Calculate Costs

Granularly track the raw cost of fulfilling each request to understand where further automation investments may be necessary.

View Trending Information in Visual Dashboards

Quickly view and manage data subject requests in a centralized dashboard. OneTrust provides full visibility to monitor the volume of requests, fulfillment status, and any aging requests or outliers.

Why OneTrust Data Subject Rights?

  • Insightful metrics into request costs and trends for clear value and internal ROI metrics
  • Deep regulatory guidance-based privacy research, reporting, and built-in templates
  • Self-service deployment or additional support from the OneTrust implementation team
  • Fully scalable solution for small and medium businesses to large multinational enterprises
  • Multi-lingual product translated by OneTrust’s in-house, privacy-trained localization team
  • Flexible and modular pricing structure to meet program maturity and budgetary uncertainties
  • Out-of-the-box ready solution with a highly tailorable and customizable platform
  • Deployment flexibility in EU cloud, US cloud, or on-premises with the ability to migrate
  • Available as stand-alone module or as part of OneTrust’s comprehensive and integrated platform