Building a Protocol to Improve DSR Flexibility and Integration

In order to fulfill data subject requests (DSRs), a structure of the rights request must be created and maintained from the time of intake, to the propagation to all data systems where Personal Information (PI) resides. What should this structure contain to perform effectively and efficiently? What exchanges are required to fulfill Delete and Access obligations?

The aim of this talk is to share how we developed and implemented a protocol based on the Data Rights Protocol, outlining standardized request and response data flows by which Data Subjects can exercise Personal Data Rights. The protocol is incorporated into our broader product's internal handshakes and specifies the payload structures for externally registered webhooks. I'll explain the decisions that drove the structures of these exchanges and lessons learned from implementation in practice. Lastly I'll share some areas of flexibility (e.g., "data subject variables") and discuss future applications for this build.