Microsoft Priva Subject Rights Request is a privacy solution designed to help you respond to data subject rights requests in an automated, secure, and auditable way. As of today, Priva searches for data stored in your Microsoft 365 online environment. When you create a request, the search therefore runs through the Microsoft 365 environment, gives an estimate of the data to be fetched, lets you review the data, and generates a report for the organization and the data subject.

Microsoft Priva Subject Rights Request supports four types of requests:

  1. Data Access – provides a summary of content containing personal data related to the data subject.
  2. Data Export – provides a summary and exported list of content containing personal data related to the data subject.
  3. Data Deletion – facilitates the deletion of content related to the data subject.
  4. Data tagged for further action – tags files for follow-up actions like data updates on identified items.

How to create a request.

Navigate to compliance.microsoft.com and sign in with your credentials, then select “Subject rights request” on the left to open the subject rights overview page. To create your first request, select “Create a request” in the top right corner.

This opens the options for the type of request you want to create. Select the preferred request type and click “Get started” to proceed.

On the Data deletion tab that opens, select the relationship of the data subject to the organization.

Proceed to input the details of the data subject and click create when done to create the request.

When you create a request, it goes through the stages below.

  • Data Estimate: Before retrieving the actual data, you are first presented with an estimate of the data that will be fetched.
  • Retrieve data: Depending on the size of the data to be retrieved, it might take some hours to retrieve the data.
  • Review data: Once the data has been retrieved, you can review the data fetched to decide which items relate to the data subject.

The items marked as priority items are the ones you may want to start with when doing the review, because they may contain sensitivity labels or may have been marked as records, which are typically not deleted due to the record retention settings.

You can add more collaborators to review the results and ensure only relevant data is fetched and even redact some data not relevant to the data subject.

When there is data to be deleted, the next stage will be for the approvers to review the deletion request before proceeding to the next stage.

  • Generate Reports: Once the review stage is done, reports are generated, which include an audit of the activities performed and a report for the data subject.
  • Close the request: After all the activities are complete, the request is closed to indicate that all the required steps have been completed.

By kevoh
