Manage subject rights requests at scale with Microsoft Priva

Privacy is of increasing importance to our customers. In addition to the well-known European General Data Protection Regulation (GDPR), privacy regulations are emerging in nearly every region with more than 70 percent of countries now having data protection and privacy legislation.¹

As the number and scope of privacy standards have proliferated, privacy becomes an expectation of customers and stakeholders to enable a trusted business. Many of the large organizations I work with are mature in their privacy compliance processes. Some have had to be GDPR compliant since 2018. Even those without GDPR compliance obligations saw GDPR as a watershed event, recognizing that broader privacy regulation was coming. Organizations have now shifted their focus from privacy compliance to privacy leadership in order to provide value to their customers and their brands. To assist organizations on their privacy journey, we introduced Microsoft Priva in October 2021 to help customers safeguard personal data and respect privacy rights.

The concept of respecting an individual’s privacy rights has been emphasized by the Organization for Economic Cooperation and Development (OECD) as “The Individual Participation Principle” in the Fair Information Practice Principles (FIPPs) since 1980.² The principle includes an individual’s right to access and control their own data. In some cases, they have the right to have this data corrected or deleted. Since GDPR went into effect, the concept has become more mainstream, known as data subject requests or subject rights requests. In the United States, 12 states have laws passed or active bills that mandate a subject’s right to data access.³

Subject rights requests (SRRs) management is time-consuming and costly

Responding to subject rights requests (SRRs) can be resource-intensive, costly, and difficult to manage. There are challenging time frames for a response, with GDPR mandating a response time of 30 days and California Privacy Rights Act (CPRA) allowing 45 days. More than half of organizations handle SRRs manually, while one in three has automated the process.⁴ According to Gartner®, most organizations process between 51 and 100 SRRs per month at a cost of more than USD1,500 per request.⁵ As more privacy regulations come into force and the public becomes more informed about their rights, the volume of SRRs is expected to grow substantially, impacting organizations’ resources even further.

Figure 1. Approximately one in three organizations have partially automated subject rights requests.

Scaling SRR management is challenging

To process an SRR, an organization must verify the data subject to make sure that the individual is who they say they are and has the rights to the information, then collect the information, review, redact where appropriate, and provide the response to the requester in an auditable manner.

Most organizations have processes in place for SRR responses but rely on email for collaboration, eDiscovery tools for search, and manual reviews to identify data conflicts like a file containing multiple people’s privacy relevant data. These processes can work but they don’t scale. They also create data sprawl and additional security and compliance risk.

Manage at scale and respond with confidence with Microsoft Priva

To help organizations deal with these challenges, Microsoft has created Microsoft Priva, a privacy management solution that helps safeguard and respect privacy while streamlining the process for responding to SRRs.

Microsoft Priva SRRs helps gather a subject’s data from the Microsoft 365 environment automatically, including emails, messages, documents, spreadsheets, and more that contain the requestor’s personal data. It then detects and flags conflicts like the personal data of others or confidential information included in the collected files. Automated data collection and detection can help you capture conflicts more accurately to avoid any data leakage.

Additionally, the solution allows collaboration in a protected platform for stakeholders to review, triage, and redact collected files in their native views. Unlike other solutions that might only provide you with a report of file paths, Microsoft Priva can bring the files to you and save you time and effort manually copying and pasting the file paths in your browser, or emailing and messaging files to others to review.

Figure 2. Review, triage, and redact collected files in their native views when multiple people’s data is detected.

Privacy admins can also leverage Microsoft Teams and Power Automate, integrated with the Microsoft Priva solution, to work with HR, legal, and other departments in an efficient, compliant, and auditable way. All your collaboration data is centralized in one platform that ensures security and compliance along the way. Microsoft Priva SRRs helps organizations manage SRRs at scale with confidence while avoiding personal data sprawl.

Figure 3. Microsoft Priva SRRs helps manage requests at scale and with confidence.

The solution dashboard provides visualization of SRR metrics and the ability to filter and manage requests to completion. This establishes to internal stakeholders and regulators that SRR responses were made with compliant processes in the required timeframe. 

Figure 4: Microsoft Priva SRRs helps provide insights on SRR progress and show trends over time.

Integrate with your privacy solutions

Many organizations are using other tools to manage SRRs. We want to bring the value of Microsoft Priva and its native integration with Microsoft 365 to them as well to provide a better-together solution. Part of this is to integrate Microsoft Priva with the solutions of other software vendors and customers’ homegrown solutions through our Microsoft Graph subject rights request API. The API allows integration with privacy independent software vendors (ISVs), like OneTrust, Securiti.ai, and WireWheel, to automate the SRR handling process and provide a response that encompasses the organization’s entire data estate.

For example, an organization can use the API to send a request they received in their homegrown application to Microsoft Priva, which then collects the subject’s personal data automatically, enables collaboration to review and redact files, creates a link to the data package, and sends it back to the homegrown application through the API. The organization then can combine all the reports and data from various environments together to respond to the requestor.

Figure 5. Microsoft Graph API enables organizations to leverage Microsoft Priva along with their existing privacy tools.

Learn more

We are excited to help ease the complexity of SRR management. To learn more about how to manage SRRs at scale, download the e-book Five tips from Microsoft to automate your SRRs or join our webinar on April 5, 2022.

Microsoft Priva solutions are generally available for customers as an add-on to all Microsoft 365 or Office 365 enterprise subscriptions. You can try out Microsoft Priva SRRs for 90 days or create up to 50 subject rights requests (whichever limit expires first) at no cost.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹UNCTAD Data Protection and Privacy Legislation Worldwide

²OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, OECD. 2013.

³US State Privacy Legislation Tracker, Taylor Kay Lively, iapp. March 3, 2022.

⁴IAPP-EY Consulting and Annual Privacy Governance Report for 2021, iapp, EY. 2021.

⁵Market Guide for Subject Rights Request Automation, Gartner. November 2021.

READ MORE HERE