GDPR Workflow


Overview

This is the standard GDPR workflow implemented in the system. Your organisation may have chosen a different set of steps or otherwise customised the process, so don't be alarmed if your system shows different step names or otherwise differs.

The basic Request workflow has five stages: Created → Undergoing Review → Tasks Processing → Finishing → Completed, and optionally Canceled.

To start a new Request, search for the data subject (individual person) who initiated the request. How this is done is described in Searching and Adding Data Subjects.

Creating the Request

In the Personal Data Overview for the desired individual, click the NEW REQUEST button and choose one of the request types. The basic workflow is identical for all of them.


You can see the new request immediately in the Request history of the person (bottom of the same page - Personal Data Overview).



Review of the Request

This step is performed by the Data Privacy Officer, who reviews all records that may contain personal information for the subject and decides whether they should be Erased, Masked or Kept. The Review step can be initiated only from the Request detail. The Request detail can be accessed directly from the Request history of an individual by clicking "REQUEST DETAIL", or from the Data Subject Requests view, where all Requests can be accessed.

The Data Privacy Officer starts the review by clicking on the REVIEW REQUEST button as indicated above.

In the next step, the DPO chooses which annotations will be processed by ticking the checkboxes next to them. After finishing the selection, the DPO needs to click BEGIN RECORDS REVIEW. In this step the DPO can also defer the request completion time. If the DPO decides to defer the request, a comment must be left for this action.

When the administrator starts reviewing, the specific documents containing the selected annotations appear. The Data Privacy Officer previews each Record by clicking on the Record identification in the list (on the left) and decides based on the preview (on the right). The DPO then selects whether the personal information needs to be deleted, masked, kept or ignored. If there are multiple documents with the selected personal data, a single action can be selected for all of these documents (ALL ERASE/KEEP/IGNORE).


No action is automatically performed based on this Marking. The system generates a Task for the responsible Data admin to perform the action in the source system.

After the Data Privacy Officer marks all the Records and clicks on the FINISH REVIEW button, the Request moves to the Tasks Processing state, where it stays until all the tasks created are completed.



Tasks Processing

Each task generated from the review of the Request must be performed manually in the source system by the responsible Data Admin. By refreshing the page (F5) you can see the request creation date, the request received date and the deadline for processing the request (usually 30 days). In the Request detail (accessed from the Personal data overview history or from the Requests view), the Data Privacy Officer can check the current status of all tasks and mark them as High Priority to speed up the processing.

Data Admins can perform the tasks from the Tasks view. Please refer to the specific Tasks view page to learn more about this view.


The responsible Data Admin clicks on the button with the corresponding name for the action (example above - erasure task created based on the review from previous step).

A Record-specific pane opens with all the information the Data Admin needs to perform the task. The exact content of the pane is fully dependent on your organisation's Data sources and may be different from the example below. The Data Admin confirms he completed the action in the source system by clicking the COMPLETE button. It is his full responsibility to make sure the Task was performed.


This was the only Task generated by the Request from the previous steps. When all Tasks from the request are Completed, the Request moves to the Completed stage.



Finishing Request

The Data Privacy Officer can see the date when the request was created and the date it was completed.
In this step, the justification text is available for download. All types of requests have their own templates that you can edit. The content and form of the PDF is determined by your organisation’s administrator.
After editing the text you need to save it and then download it in PDF format. For some types of requests it is possible to download the request data as XLSX. Then you can complete the whole request.


Downloaded PDF file

You can set the language (EN or CZ) of the downloaded PDF and select which personal data will be visible in this file. You can set which data are in the list in Administration - Personal data storage. All enabled data will be visible in this list.


Completed request

A completed request can be accessed from the Personal data overview history or from the Requests view.



Canceled and Declined Request

The Data Privacy Officer can CANCEL or DECLINE the request at any step. For these actions the Data Admin has to leave a comment to confirm the procedure. When the Data Admin cancels or declines a request, he will find this information in the request detail, which can be accessed from the Personal data overview history or from the Requests view. Custom justification text can be downloaded before the Declined request is completed.


