Question 1

What is a DSAR and how does Privacy Rights Automation handle it?

Accepted Answer

A Data Subject Access Request (DSAR) is a formal request from an individual to access, correct, or delete their personal data. Privacy Rights Automation handles the full lifecycle: intake form (Salesforce screen flow), identity verification workflow, automated data discovery across all Salesforce objects, export or deletion execution, and compliance documentation. All steps are tracked in Salesforce with timestamps.

Question 2

How do data subjects submit requests?

Accepted Answer

Privacy Rights Automation includes a configurable Salesforce Experience Cloud portal form. Data subjects submit name, email, and request type (access, correction, deletion, restriction). For organizations without Experience Cloud, requests can be submitted via email intake and manually entered by the privacy team. The system handles processing identically regardless of intake method.

Question 3

How does Privacy Rights Automation verify the identity of the requester?

Accepted Answer

The verification workflow is configurable. Common approaches: email verification link (confirm the request came from the address on file), Knowledge-Based Authentication (ask questions only the real subject can answer), or manual review by the privacy team for high-risk requests. The verification step and its outcome are logged for audit purposes.

Question 4

What happens after identity is verified?

Accepted Answer

The system automatically queries all configured Salesforce objects for records matching the verified identity (by email, phone, and/or ID fields). Matches are presented to the privacy team for review. For deletion requests, the cascade deletion sequence runs after review approval. For access requests, a data export package is generated. All actions are timestamped in the request audit log.

Question 5

How long does a DSAR take to process with Privacy Rights Automation?

Accepted Answer

For standard deletion requests, automated processing takes 15-30 minutes for the system work (discovery + deletion). Total elapsed time including identity verification and human review is typically under 2 business days: well within GDPR's 30-day and CCPA's 45-day deadlines. Compare to 5-15 days for manual processing.

Question 6

What is the difference between deletion and anonymization for DSAR fulfillment?

Accepted Answer

Deletion removes the record entirely. Anonymization replaces personal data fields with non-identifying values while preserving the record shell for analytics and compliance history. For GDPR Article 17, both approaches fulfill the right to erasure: the key test is that the individual is no longer identifiable. Configure which method applies based on record type and business need.

Question 7

Can Privacy Rights Automation handle access requests (not just deletion)?

Accepted Answer

Yes. For access requests (GDPR Article 15, CCPA Section 1798.110), Privacy Rights Automation discovers all records matching the requester's identity and generates a structured data export. The export includes: which objects contain the subject's data, which fields, and the values. Export formats are configurable: PDF report, CSV, or structured JSON.

Question 8

What volume of DSARs can Privacy Rights Automation handle?

Accepted Answer

Privacy Rights Automation handles concurrent requests without volume limits. Each request runs as an independent Salesforce process. For organizations receiving hundreds of DSARs monthly, batch intake processing can be configured. The system has been tested with enterprise-scale volumes: the bottleneck is human review capacity, not system processing speed.

Question 9

How does Privacy Rights Automation handle GDPR Article 17 right to erasure?

Accepted Answer

When a GDPR erasure request is verified, Privacy Rights Automation executes a cascade deletion across all configured Salesforce objects containing the subject's personal data: Contact record, related Cases, Activities, EmailMessages, field history, and custom objects. The deletion sequence is configurable to respect object dependencies. Completion is documented with timestamps for GDPR Article 30 records.

Question 10

What Salesforce objects are included in GDPR erasure by default?

Accepted Answer

Default erasure scope includes: Contact, Lead, related Cases, Activities (Tasks, Events), EmailMessages, ContentDocumentLink (files attached to the contact), and field history for all masked objects. Custom objects with lookup relationships to Contact can be added to the erasure scope. The scope is fully configurable: you decide what's included.

Question 11

How does Privacy Rights Automation handle erasure for data in field history?

Accepted Answer

Salesforce field history is a separate data store from the record itself. Privacy Rights Automation includes field history in the erasure scope: history entries for the subject's fields are deleted as part of the erasure sequence. This is important for GDPR compliance: field history containing personal data (previous email addresses, old names) must also be erased.

Question 12

What happens when an erasure request involves a subject with active contracts?

Accepted Answer

Privacy Rights Automation evaluates exception conditions before executing deletion. Active contracts, open cases, and pending financial transactions can be configured as exception triggers: the system applies partial anonymization instead of full deletion, preserving the business record while removing personal identifiers. The exception is logged with reason for GDPR documentation.

Question 13

How do we handle erasure for data that's also in Marketing Cloud?

Accepted Answer

Privacy Rights Automation integrates with Marketing Cloud for DSAR scope expansion. When a Salesforce erasure request is processed, a corresponding suppression record is created in Marketing Cloud to prevent future sends. For Marketing Cloud data deletion, an API call to MC's transactional messaging suppression list is triggered. Full MC integration documentation available from Cloud Compliance.

Question 14

Does erasure in Salesforce also erase data in sandbox environments?

Accepted Answer

Yes: if configured. Privacy Rights Automation can trigger sandbox data cleanup as part of the erasure process via DataMasker's API. However, the most effective approach is preventive: DataMasker masks sandbox data on every refresh, ensuring sandboxes never contain the subject's real data in the first place. Preventive masking eliminates the need for sandbox-specific erasure handling.

Question 15

How do we document GDPR erasure for DPA audit purposes?

Accepted Answer

Privacy Rights Automation creates a Request record in Salesforce with: requester identity (hashed for privacy), request date, verification method and date, objects processed, deletion count, exception records (and reason), and completion timestamp. This log is your GDPR Article 30 processing record for erasure. Export as a report for DPA audit responses.

Question 16

What happens if an erasure fails for some records?

Accepted Answer

Privacy Rights Automation logs all failures with the specific record ID and error reason. Common failures: record locked by another process, validation rule preventing deletion, or record excluded by exception logic. The privacy team is notified of partial completions: they can review failures and manually resolve or document the exception. Partial completion is documented in the request audit log.

Question 17

How does Privacy Rights Automation handle CCPA deletion requests?

Accepted Answer

CCPA Section 1798.105 gives California consumers the right to deletion with a 45-day fulfillment deadline. Privacy Rights Automation handles CCPA requests with jurisdiction-specific rules: 45-day deadline tracking, CCPA-specific exception categories (legal obligation, contract completion), and California AG-compliant documentation. The same system handles GDPR (30-day) and CCPA (45-day) requests simultaneously with jurisdiction-aware deadline enforcement.

Question 18

Can one system handle GDPR and CCPA requests simultaneously?

Accepted Answer

Yes: this is the standard deployment pattern. Privacy Rights Automation uses request-level jurisdiction tagging. A request from an EU resident is processed under GDPR rules; a California resident's request under CCPA. Deadlines, exception categories, and audit documentation are jurisdiction-specific. Both flow through the same intake, verification, and processing infrastructure.

Question 19

How does Privacy Rights Automation handle patient data deletion under HIPAA/HITECH?

Accepted Answer

HITECH Act amendments give patients rights over their health information. Privacy Rights Automation handles Health Cloud deletion requests with HIPAA-compliant processing: PHI discovery across all Health Cloud objects, cascade deletion with referential integrity preservation, and OCR-ready audit documentation. Exception handling for records required by HIPAA's minimum retention requirements (6 years) is configurable.

Question 20

Does Privacy Rights Automation handle India DPDP Act erasure and access requests?

Accepted Answer

Yes. India's DPDP Act (2023) grants data principals erasure rights similar to GDPR. Privacy Rights Automation handles DPDP Act requests by configuring Indian jurisdiction rules: identify records where the subject is an Indian resident, apply DPDP Act deletion logic, and generate documentation aligned with DPDP Act requirements. The same automation layer handles GDPR, CCPA, and DPDP simultaneously.

Question 21

How do we handle deletion requests for data shared with third parties?

Accepted Answer

Privacy Rights Automation processes deletion within your Salesforce org. For data shared with third parties (marketing platforms, data brokers), the system can trigger API calls to those systems as part of the deletion workflow: if they expose deletion APIs. For manual third-party notification, the request audit log includes a checklist of third parties to notify, with acknowledgment tracking.

Question 22

Can Privacy Rights Automation handle correction requests (not just deletion)?

Accepted Answer

Yes. GDPR Article 16 gives individuals the right to correct inaccurate personal data. Privacy Rights Automation includes a correction workflow: the subject submits the corrected data via the intake form, the privacy team reviews and approves, and the correction is applied to all identified records across configured objects. Correction events are logged in the audit trail.

Question 23

What is the 'right to restriction' and how does Privacy Rights Automation handle it?

Accepted Answer

GDPR Article 18 gives individuals the right to restrict processing: their data is retained but not actively processed (no marketing, no profiling, no sharing). Privacy Rights Automation implements restriction by setting a 'Processing Restricted' flag on the subject's records. Configured business processes check this flag before processing: marketing sends, lead scoring, and data sharing are suppressed for restricted subjects.

Question 24

How do we handle DSARs when we can't identify the subject with certainty?

Accepted Answer

Privacy Rights Automation's identity verification workflow is configurable for this scenario. If identity cannot be confirmed with high confidence, the system escalates to manual review with a configurable hold period. The privacy team documents the uncertainty and the response taken. GDPR guidance allows organizations to decline requests where identity cannot be reasonably verified: this decision is logged.

Question 25

How do we report DSAR metrics to our DPO and legal team?

Accepted Answer

Privacy Rights Automation includes a reporting dashboard: requests by type (deletion/access/correction), by jurisdiction, by month, average fulfillment time, exception rate, and pending requests. Export as Salesforce reports or schedule automated email delivery to your DPO. These metrics satisfy GDPR Article 30 record-keeping requirements and give your legal team visibility into compliance posture.

Privacy Rights Automation: Every Question Answered

Frequently Asked Questions

Ready to automate DSAR handling?