Microsoft Priva: Right to be Forgotten

Data subject rights, granted by regulations like GDPR allow individuals to request access to or control over their personal data collected by organizations. These requests are commonly referred to as Data Subject Rights requests. However, fulfilling these requests can be challenging for companies that store vast amounts of data, as the process may be time-consuming and require significant manual effort.

Data Subject Rights request is also mentioned in several country specific privacy regulations. For instance, in our case here in Kenya, section 41 of the Kenya Data Protection Act states that “A data subject may request a data controller or data processor -

• to rectify without undue delay personal data in its possession or under its control that is inaccurate, outdated, incomplete or misleading; or
• to erase or destroy without undue delay personal data that the data controller or data processor is no longer authorised to retain, irrelevant, excessive or obtained unlawfully.”.

With this in mind, there is need to have a solution in place to make the Data Subject Rights Request process easier.

Microsoft Priva Subject Rights Request is a privacy solution designed to help you respond to Data Subject Rights request in an automated, secure and auditable way. As of today, Microsoft Priva searches for data stored in your Microsoft 365 online environment therefore when creating a request the search will run through the Microsoft 365 environment, give an estimate of the data to be fetched, review the data and even generate a report for the organisation and the data subject.

When you create a subject rights request in Microsoft Priva, it goes through several stages as below.

• ?Data Estimate: Before retrieving the actual data, you are first presented with an estimate of the data that will be fetched.

• Retrieve data: depending on the size of the data to be retrieved, it might take some hours to retrieve the data.
• Review data: once the data has been retrieved, you can now review the data fetched to decide which data relates to the data subject.

The items marked as priority items shows items that you may want to start with when doing the review because they may contain sensitivity labels, or these items may have been marked as records which are typically no deleted due to the record retention settings.

You can add more collaborators to review the results and ensure only relevant data is fetched and even redact some data not relevant to the data subject.?

When there is data to be deleted, the next stage will be for the approvers to review the deletion request before proceeding to the next stage.

• Generate Reports. Once the review stage is done, reports will be generated which includes an audit of the activities performed and a report for the data subject.
• Close the request. After all the activities are complete, the request is closed to indicate that all the required steps have been completed.

To read more on how to create Data Subject Rights request Microsoft Priva Subject Rights Request – Kevoh.Ninja