Edit

Share via

Build request forms and templates for subject rights requests for data beyond Microsoft 365 (preview)

  • Article

There are two ways to create a new subject rights request for data beyond Microsoft 365 (preview). One way is through a request form that your organization creates and publishes so that data subjects can make a request directly to you. The other way is a manual request creation by a user in your organization.

Regardless of how they're created, all requests rely on a template to outline the requirements for how to fulfill requests. Your organization builds a template using a guided process to fill in details for an individual request. The privacy officer is most likely the person in your organization who will create both the request form and the template.

Important

We recommend building request forms to explore capabilities and functionality, but waiting until the product is generally available to host a request form on an external website.

Build a template

Templates allow your organization to create the requirements for how it fulfills subject rights requests. A template determines fulfillment requirements such as response deadlines, associated intake forms, and storage and workflow requirements.

Follow the instructions below for building a template:

  1. In the new Microsoft Priva portal (preview), select Subject Rights Requests.

  2. In the left navigation, under Data beyond Microsoft 365, select Request forms and template.

  3. On the Templates tab, select New. The New template builder opens.

  4. Enter basic details for the form including a Name, Description, and one or more Contacts, who own requests created using this template.

  5. Enter a deadline for the request’s fulfillment, then select Next.

  6. At Integrations, connect the template to a request form you’ve already created by selecting a form from the Request form dropdown menu. When done, select Next.

    Note

    Only one request form can be connected to one template and not to any additional templates.

  7. The Export package field identifies where the export package for the request will be stored. While this solution is in preview, this field defaults to your tenant. Select Next.

  8. At Workflow, the Identity validation selection defaults to the sending of an OTP to the data subject. You can also select Manual identity validation task to create and assign a task to a user in your organization to verify the data subject’s identity in your data assets. (If the task result is that no data is found for the data subject, you can stop the request at this point and reply to the data subject that no data has been found, and you can close the request.) When done, select Next.

  9. At Review and finish, review the details of your template. When done, select Save and close.

The form builder closes and you arrive at the details page for the form you created. Select Submit in the upper right corner. Once the template is validated by the system, it can be published.

Select Publish in the upper right corner. When a template is published, it means that the template is ready for use within the system. It doesn't mean that the template is published somewhere publicly.

Note

Once you publish a template, a Privacy portal URL is hyperlinked on the template’s details page. This is the link to the request form that the template is connected to.

View templates

All templates are listed on the Templates tab of the Request forms and template page. Select a template name from the table to see the template’s details page, which contains all the parameters outlining how a request using the template is processed.

Build a request form

A request form is a publicly available web form that a data subject can fill out and submit to your organization to make a subject rights request. Using a simple guided process, you can build your form with the questions needed to fulfill the request and customize it with your organization’s branding.

The combination of information submitted in the request form is used to look for and identify the data subject in your organization’s data locations. There are two forms of validation when a request form is submitted:

  1. A one-time PIN (OTP) is sent to the email address provided on the request form, to validate that the email account is active and owned by the individual who submitted the request form. Once the data subject receives and enters the OTP in the Identity Validation window that appears on your request form, their identity is validated and the search for the data subject’s information in your Data Map begins.

  2. You can create a manual identity validation task to confirm the data subject’s identity in your organization’s data

Building a request form is required when you use subject rights requests for data beyond Microsoft 365. However, you don’t need to publish it or make it publicly available. Establishing a standardized process for creating a request, whether initiated by an external individual or internally by a user in your organization, can help your overall request fulfillment process run more efficiently.

Follow the steps below to build a request form:

  1. In the new Microsoft Priva portal (preview), select Subject Rights Requests.

  2. In the left navigation, under Data beyond Microsoft 365 select Request forms and template.

  3. On the Request forms tab, select New. The New request form builder opens.

  4. Enter basic details for the form including a Name, Description, and one or more Contacts, who own the request that comes from the intake form.

  5. At Company privacy contact, enter the email address of your organization’s privacy contact.

  6. At Company privacy statement, enter the secure URL for your organization’s privacy statement. The URL must begin with https://. Then select Next.

  7. At Layouts, select the intake form consent model, then select Next.

  8. At Layout properties, enter the company name and a URL to the logo. The URL must begin with https://.

  9. At Questionnaire, we provide suggested questions for the form. You can customize the questions and decide whether to make them required. Use the New dropdown menu to add more questions for helping to identify the data subject in your data; for example, phone number or date of birth. Select Classification to add a question to provide any of the classifications or sensitive info types present in the Microsoft Purview Data Map (see the list of supported classifications). Then select Next.

  10. On the second Questionnaire page, enter text for the Introduction and Conclusion sections, and text for the submission button. Then select Next.

  11. At Submission success, enter the text that a form submitter will see when their form has been successfully submitted, then select Next.

  12. At Submission failure, enter the text that a form submitter will see when their form failed to submit. The submitter will need to reenter their information on the form and resubmit it.

  13. At Preview, review your form, and make any edits by selecting Previous and navigating back to the necessary step. When you’re satisfied, select Finish.

The form builder closes and you arrive at the details page for the form you created. The next step is to mark the request for as complete by selecting Mark complete in the upper right corner. A requests form must have a Complete status before it can be associated with a template and used to collect subject rights requests.

The next step is to define the scope of how the public request form will be processed within the organization. This is done by using templates.

Next steps

Learn how to create and manage requests.

Microsoft Priva legal disclaimer