Processing End-User Subject Access Requests (SAR)


When you receive an end-user subject access request (SAR) to export or delete data that contains personally identifiable information (PII), you can use Activate to configure the request parameters and discover documents from your data sources that match PII belonging to the end-user.

Step 1: Gather information from the end-user

Collect information from the end-user making the request, including the following:

  • Type of request (export or delete).

  • End user's email address.

  • The types and specific values of PII to discover for the request.

Step 2: Create a Project and Add Data Sources

  1. Create projects in Sensitive Data Governance to define the scope of the data to be considered for requests.

    A project allows you to select an inventory to use for compliance-related requests.

  2. Add data sources to the project.

    When creating a project, you must also specify the locations from inventory assets that can be searched (called data sources) as part of the request.

Step 3: Create and Configure the Request

  1. Create a request to manage individual compliance-related export or delete requests from end-users.

    A task is the entity where you input information about an individual request, such as the requesting user's information, the type of request (export or delete data), and the values for each type of PII that you want to discover (such as email addresses, credit card numbers, and social security numbers). You can also redact all of the PII in the documents that are returned by the request.

  2. Configure the request to associate project data and assign reviewers and approvers to the request.

    After you create the request, documents from the project data sources that match the user's PII are added to the request queue. Each document in the queue must be reviewed by a reviewer and the overall request must be approved by an approver. You add reviewers and approvers from the request configurations.

Step 4: Review and Approve Documents in the Request

Approve or decline documents in the request.

Reviewers can log in and review each document that was identified in the end-user request. Reviewers can either approve or deny each document and add comments to explain their decision.

Step 5: Approve the Request and Execute the End-User Access Request

When all of the documents in a request are processed by reviewers, approvers can approve the request.

After the request is approved, the documents in the request are either exported or deleted, according to the request configurations.

Note: For export requests with redaction enabled, the documents are converted to PDF format.