Edit

Share via


Workflow of subject rights requests for data within Microsoft 365

Note

This article provides guidance in fulfilling subject rights requests for data within your organization's Microsoft 365 environment. To learn about subject rights requests for data beyond Microsoft 365, get started at Learn about subject rights requests for data beyond Microsoft 365 (preview).

Subject Rights Requests for data within Microsoft 365 incorporates automation and robust workflow tools to assist you at each stage of request fulfillment. Once you create a request in the system, we take on the work of identifying and collecting data and provide tools to facilitate collaborative analysis.

When you create a request, the information you provide is used to look for matches about your data subject in your organization’s Microsoft 365 environment. Matched items are complied for you to review, make choices about what to include, and redact information as necessary. Multiple users can collaborate on these steps within the Subject Rights Requests interface. The details page of each request provides status on the progress stages and guidance about the next steps to take.

Key capabilities

Immediate kickoff of data evaluation

Priva uses the foundational capabilities of Microsoft 365 to identify personal data types in your organization's data. As soon as you create a request, the solution immediately gets to work identifying the files, emails, sites, and chats that contain the data subject's personal data. Content items are retrieved within a few hours, depending on the amount of data. If we expect to find a high volume, we provide you the chance to refine your search parameters before we collect the data.

Help in prioritizing content to review

You might have to review a large amount of data collected for the data subject's request. We provide insights on the details screen of each request and suggest which items to prioritize for review. Priority items include files that might be confidential or items containing more than one person's personal data. These items highlight content that might need redaction or other special handling considerations.

Built-in Teams collaboration and editing tools to facilitate data review

As soon as you create the request, a dedicated Teams channel is automatically set up for that request. Adding relevant stakeholders as request collaborators invites them into the chat to help analyze and make decisions about the items retrieved. Using built-in redaction tools within the request, collaborators can mark up files in a review screen next to the list of items. If certain content requires a further follow-up action, you can apply tags defined by your organization to help identify the items and take the action at a later time.

Automatically generated reports

After you're done reviewing the data and deciding what to include for the request, we generate reports for you. The reports include any relevant data package you'll send to the data subject, audit logs, and a summary of tagged files so you can complete any necessary follow-up actions.

Extending and integrating with your subject request strategy

Extend the automation capabilities by using one of the built-in Power Automate templates to set up flows for common tasks, such as setting calendar reminders or creating records of your requests in ServiceNow. You can also use the Microsoft 365 Subject Rights Request API to introduce automation to your existing subject rights strategy.

Progress stages for requests

Each request goes through multiple stages. Some stages progress automatically, and other stages are advanced manually after the completion of certain steps like reviewing files.

  • Data estimate: Before retrieving the data, Priva estimates the amount of data it expects to find. Depending on the amount of data, the request may or may not move automatically to the next stage of data retrieval. You can set a request to pause at the estimate stage before collecting data; learn more at data estimate and retrieval.

  • Retrieve data: All the files, emails, chats, images, and other content items are pulled together. When this stage is complete, the request moves automatically to the next stage of reviewing data. Learn more at data estimate and retrieval.

  • Review data: Collaborators review all the data collected, decide which ones pertain to the request, and perform tasks like redacting content and adding case notes. Learn more about reviewing data for a subject rights request. After finishing data review, you manually advance to the next stage to generate reports.

    Note

    Delete requests involve an additional approval substage at the review data step. See details at Create and manage a delete request.

  • Generate reports: When data review is done, a user manually advances to this step. Priva generates the final reports, which include the data package to share with the data subject, and internal reports for your organization's records. Learn more about generating reports.

  • Close the request: When all work is completed, close the request to indicate that it's considered completed. Learn more about generating reports so that you can fulfill and close the request.

Understanding the request details page

Depending on the portal you're using, open a request's details page by navigating to one of the following locations:

  • Sign in to the Microsoft Priva portal (preview) and select Subject Rights Requests. Under Data within Microsoft 365 on the left navigation, select Microsoft 365 requests, then select a request from the list to open its details page.

  • Sign in to the Microsoft Purview compliance portal and select Subject rights requests on the left navigation. Select a request name from the list to open its details page.

The request details page provides details about the request’s properties, the search results, and the request’s status. The details page is your hub to work and collaborate on managing the files found, creating reports and exports, and completing the request. Find details about what's on each tab of the page:

Overview tab

The Overview tab of the request details page provides details about the request, a progress indicator showing your current step, and key information about the data found. This page has individual status cards explained below.

Details

The Details card displays basic information to orient you to the request, such as its deadline, the creation date, the description, and related privacy regulation.

Progress

The Progress card list each step in the process: Data estimate, Retrieve data, Review data, Generate reports, and Close the request. A filled-in blue circle next to the step indicates the step you're currently on. A checkmark inside the blue circle means the step is complete. A blank, empty circle means the step hasn't started yet.

Data estimate summary

The Data estimate summary card displays when the request is paused at the data estimate stage. It shows the location and number of items that your search is expected to retrieve.

Total number of items found

The Total number of items found card displays the number of content items found and their locations in Microsoft 365.

Priority items to review

The Priority items to review tile shows items that you may want to prioritize as you start your data review. The tile displays a count of items that belong to the following categories:

  • Confidential: These items have a sensitivity label applied to them. For example, a Word document with a "Highly Confidential" label.
  • Multi-person data: These items contain the personal data of more than one person. If you want to include these items as part of the final data package, you need to redact the irrelevant data in the files. In order for Priva to identify items with multi-person data, your organization needs to set up data matching for subject rights requests.
  • Record: These items have a retention label applied. If you include any of these items as part of a delete request, they won't be deleted as part of the delete workflow.

How to locate your priority items:

First, ensure you've enabled your view of them in your Data collected table of items by following the steps below:

  • On the Data collected tab, select Customize columns at the top of the list of items.
  • On the Edit columns flyout pane, place a check next to Priority types.
  • Select Apply. Your list of items will now have a Priority types column.

Now you can identify the priority items and find them by sorting the Priority type column to group similar types.

Data collected tab

When all items matching your search settings have been identified, they're collected and presented on the Data collected tab. Next to the list of items is a preview screen for reviewing each item, making redactions, and marking items as include or exclude. Read more details about the data review and collaboration step.

Notes tab

The Notes tab allows collaborators to enter notes about the work done on the request. These notes are visible to everyone who works on the request, but won't be included in the final report or otherwise shared with the data subject.

Collaborators tab

The Collaborators tab displays all the users who have been invited to collaborate on the data collected, and any associated Teams channel for the request. The request's creator is automatically listed as a collaborator. Invite new collaborators by selecting the Add collaborator command and entering a users's name to select them from a list. Learn more details about collaboration for data review.

Reports tab

The Reports tab displays all the reports that are automatically generated when you advance to the Generated reports stage. Reports are separated into two categories: reports for you to share with the data subject, and reports intended for your organization's internal use. Get details about working with reports.

History tab

The History tab summarizes top level events for the request, including progress stage changes and aggregates for the number of items included, excluded, redacted, and tagged.

Next steps

Visit Create a subject rights request to learn how to get stated with your first request.

Microsoft Priva legal disclaimer