Forms


Overview

The Forms page in Osano lists all the forms created for receiving subject rights requests, offering a central hub for managing these critical compliance tasks. In the document below, we will walk through all aspects of the forms and their setup. If you'd like, take a look at a live form walkthrough.


User Roles 

Access to the Forms page is governed by user roles:

Admins:

  • Access: Read/Write access to all capabilities. 
  • Can view all forms regardless of settings. 

Subject Rights Managers:

  • Access: Read/Write access to all Subject Rights features.
  • Note: Can view all forms that either have no organization assigned or are assigned to an organization that the user is also associated with.

The Form Overview Page

The Forms Overview page lists all your DSAR forms, displaying their names and providing quick actions like creating new forms.


  • Embed the Form:

    • View and copy the form’s embed URL or its standard link using the icons on the far right of each form. Embed or link the form on your website to start collecting submissions.
    • For brand continuity, we generally recommend embedding the form rather than linking. 
  • Manage and Modify Forms:

    • Copy Form: Duplicate a form by clicking the "Copy DSAR Form Settings and Style" icon, completing the required fields in the Copy Form modal, and saving the new form.
    • Delete Form: Remove a form by clicking the "Delete Form" icon and confirming the deletion in the Confirm Delete modal.

  • Create a New Form: Subject Rights Managers can create and configure forms for handling subject rights requests by following these steps:
    • Click the Add Form button located at the bottom right of the forms table. This action opens the New DSAR Form modal.
    • Enter a Form Name and, optionally, provide an Internal Description for the form.
    • Optionally assign organizations responsible for managing requests received via the form.
    • Click Save to create the form.
    • Upon saving, you will be automatically redirected to the form's Settings page to continue setup.



The Form Settings Page

The Form Settings page allows you to configure and fine-tune your DSAR forms for optimal functionality.

General Settings (Internal Only):

  • Form Name: Define the name of the form as it appears both internally and to users. (Note: This field can optionally be made visible to customers; see customization.)
  • Internal Description: Optionally add internal notes about the form’s purpose or configuration.
  • Organizations: Select which organizations will manage the requests submitted through this form. Read more about how DSAR forms and Organizations work together. 


Form Intake (External facing):

  • Instructions: Add guidance that will appear at the top of the form to assist users.
  • Location Selection: Allow users to manually select their location, overriding geolocation data.


Email Intake (Internal Only):

Email intake settings allow you to set up an email redirect that directs customers from a dedicated inbox to your Osano-generated DSAR forms. This ensures a continuous experience and keeps your system of record confined to a single location for ease of management.

  • Generated Inbox: Redirect subject rights requests received via email to a specified inbox, guiding the requestor to the hosted version of the form.
  • Allowlist Emails: Enter email addresses that are permitted to forward requests to the generated inbox.
  • Escalation Emails: Assign email addresses to receive notifications if the requestor's identity is not determined, ensuring these are distinct from the allowlist.


Internal Due Date (Internal Only):

  • Set Internal Due Date: Establish a standard SLA for request fulfillment, either using the regulatory due date as defined by the location and regulations within that location or setting a globally accepted custom deadline.


Auto Rejection (Internal Only):

Osano provides a handful of auto-rejection features to help manage excessive DSARs while remaining as compliant as possible in the locations that matter. 

  • Duplicate Rejection: Automatically reject duplicate requests to enhance processing efficiency.
  • Geo-fencing: Automatically reject requests originating from jurisdictions not covered by relevant privacy laws.


Action Item Processing (Internal Only):

The Action Item Processing section allows you to customize your workflow based on which data stores will apply to requests received from a specific form. For example, if your employee information is housed in data stores x and y but not in a and b, and this is an employee DSAR form, apply ONLY data stores x and y to this form. This will exclude a and b from the workflow.

  • Apply to All Data Stores (Default): Apply DSAR requests from this form to all data stores.
  • Specific Data Stores: Restrict DSAR requests to selected data stores.


Correspondence (External Facing):

  • Company Name: Specify the name that will appear on all outgoing communications sent via the form.
  • Email "From" Name: Define the name that will appear as the "From" name on all emails to the customer who has submitted this DSAR.


Request Types 

The Request Types section allows you to manage and customize the types of rights available to users and how and when they present themselves. 

Standard Request Types: By default, Osano supports the following standard rights:

  • Correct
  • Summarize
  • Portability
  • Do Not Sell or Share
  • Limit Use of Sensitive Data
  • Opt-Out of Using Sensitive Data
  • Opt-Out of Targeted Advertising 
  • Delete
  • Other

Within this section, you can customize the title, description, and customer-facing instructions associated with each of these requests.

Note that we do NOT recommend changing the INTENT behind the right, as specific rights might follow specific workflows (e.g., summarization and deletion).


Jurisdictions: As mentioned in the settings section, the Osano tool can utilize geolocation to determine which rights are shown to which users depending on WHERE they are accessing the form from. You can further customize these rights on a type-by-type basis using the jurisdiction setting.

  • Enable for Jurisdictions Where Required by Law (Default): This request type will only be available to requesters from jurisdictions where the law mandates such privacy rights.
  • Enable for Everyone: Make this request type available to all requesters, regardless of their jurisdiction.
  • Disable for Everyone: This request type will not be available to anyone, even in jurisdictions where it is legally required.

Form Fields

The Form Fields section allows you to customize the fields that appear on each form. Each DSAR submission form in Osano includes standard and non-standard fields:

  • Email: This field is required, as it allows Osano to perform the baseline email verification that is the first step in proving the identity of the user in question.
  • Default Fields: Osano's DSAR forms include a subset of default fields on each form; however, these fields can be excluded from any/all forms by using the "Exclude this field" option.
  • Customizable Fields: Osano's DSAR forms provide the ability to add any number of custom fields based on your organization's needs. These fields should be utilized based on your legal need for identity confirmation when executing data rights.


Customize the form based on your company's needs, but remember: it is best practice not to ask for more information than you already have about the user in question. If you don't have their social security number, don't ask for it.

Form Styling

The Form Styling section allows you to customize and preview the appearance of your DSAR forms, reflecting the customizations made in the settings, fields, and request types sections.

In this section you can also make some standard look and feel changes and, optionally, upload a custom stylesheet to further personalize the form’s appearance.


 

Templates

The Templates section lists all the standard emails that may be sent to customers during the DSAR process, allowing you to customize the language to align with your company’s voice or include specific legal disclaimers or callouts.


Email Templates for Completion:

  • Completion - Correct Request: Sent when a "Correct" request is marked as complete.
  • Completion - Summarize Request: Sent when a "Summarize" request is marked as complete.
  • Completion - Portability Request: Sent when a "Portability" request is marked as complete.
  • Completion - Do Not Sell Request: Sent when a "Do Not Sell" request is marked as complete.
  • Completion - Limit Use Request: Sent when a "Limit Use" request is marked as complete.
  • Completion - Opt-Out Request: Sent when an "Opt-Out" request is marked as complete.
  • Completion - Delete Request: Sent when a "Delete" request is marked as complete.
  • Completion - Other Request: Sent when an "Other" request is marked as complete.
  • Completion - Opt-Out of Using Sensitive Data Request: Sent when an "Opt-Out of Using Sensitive Data" request is marked as complete.

Email Templates for Rejection:

  • Rejection - Identity Not Verified: Sent when a request is rejected due to unverified identity.
  • Rejection - Duplicate/Spam Request: Sent when a request is rejected as duplicate or spam.
  • Rejection - Request Manifestly Unfounded: Sent when a request is rejected as manifestly unfounded.
  • Rejection - Other: Sent when a request is rejected for other reasons.
  • Rejection - Non-covered Jurisdiction: Sent when a request is rejected due to the requester being from a non-covered jurisdiction.

Email Templates for Intake and In-Progress Requests:

  • Intake - Request Submission Success - Email Intake: Sent when a request is successfully submitted via email intake.
  • In Progress - Link to Secure Messaging Portal: Sent after the requester verifies their email, containing a link to the secure messaging portal.
  • In Progress - New Message in Secure Messaging Portal: Sent when a new message is received in the secure messaging portal.
  • ID Verification - Reminder to Verify Email: Sent weekly as a reminder for the requester to verify their email on an open request.
  • Intake - Request Submission Success: A webpage displayed when a request is successfully submitted.
  • Intake - Request Submission Success - Geo-fenced Jurisdiction: A webpage displayed when a request is submitted from a jurisdiction that is subject to geo-fencing.
  • In Progress - Email Verification Success: Redirects the requester to a webpage upon successful email verification.

This section ensures that all customer communications during the DSAR process are tailored to your brand’s standards and legal requirements.

 

Localization

The Localization section is a visual representation of Osano's localization features. Based on the choices made in your "settings", the Osano tool automatically determines a user's location from their IP address and assesses which privacy rights apply according to local regulations. The system then displays the relevant rights for users based on these regulations and your configured settings.

World View Map: The Localization section features a world map. You can click on different regions of the map to view the specific privacy rights available in various locations as well as see the translated rights and forms based on the assumed browser language for that location. 


Example: Location = Spain | Language = Spanish Castilian

This visual tool helps you understand the geographical distribution of privacy rights and how they apply to users globally, ensuring compliance with local laws and regulations.
