What is a Data Store?
When using Osano, a data store is a defined repository or system where personal information (PI) is stored or can be found. Data stores are incredibly important components when it comes to managing and responding to subject rights requests, as they represent the various places within your organization where personal data might reside.
Required User Roles
One or more of the following roles is required to manage and maintain the Data Store section within the Osano Privacy Platform.
Admin
- Access: Read/Write access to all capabilities.
- Capabilities: Full access to all features.
Subject Rights Manager
- Access: Read/Write access to all Subject Rights capabilities.
- Capabilities: Access to create and manage Data Stores and the Data Subject Rights process and workflows.
Types of Data Stores
Automated Data Stores
Automated data stores connect the Osano Platform to over 100 third-party vendor data sources. These connections allow for automated data discovery, meaning that when a subject rights request is received and the requestor’s identity is confirmed, searches of these data sources will begin automatically. Once the search is complete, an action item is automatically assigned to a Subject Rights Assignee to validate the completeness and accuracy of the search results.
Manual Data Stores
Manual data stores are used for data sources that are not directly connected to Osano. These stores enable manual data discovery, which means that when a subject rights request is received, an action item is automatically assigned to a Subject Rights Assignee to perform a manual search for personal data in systems outside of the Osano Platform. The Assignee must then attach the results of that search to the action item once it has been completed.
How to Create an Automated Data Store (Data Stores Page)
Note: You can also create both automated and manual Data Stores from your Sources > Discovered Data flow. The steps to do so will be similar to the below steps for manual creation.
Step 1: Access the Data Stores Page
1. Navigate to the Data Stores page within the Osano platform.
2. Click the purple '+' button located at the bottom right of the page to initiate the creation of a new automated data store. Choose the 'Connect to third-party vendors to enable automated data discovery' option.
Step 2: Select the Vendor
- Choose the vendor you wish to connect to from the list provided.
- This dropdown list provided for automated discovery includes over 100 third-party vendors that Osano can connect to for automated data discovery.
Note: If you’re unsure which vendor to choose, consider which data sources are most likely to contain personal data relevant to your subject rights requests.
Step 3: Enter Required Information
1. Enter a Data Store Name: This should be descriptive enough to identify the data source easily.
2. Assign a Data Store Owner: The person responsible for managing and validating searches in this data store.
3. Provide Vendor-Specific Information: Depending on the vendor, you may need to enter additional information, such as an API key.
Note: Connection requirements vary by vendor, so be sure to refer to the integration documentation for specific setup instructions for all Osano-supported vendors.
Above Example: Slack
Step 4: Field Creation, Mapping, and Classification
Once the connection has been established, Osano will scan the connected applications for applicable PI. This scan can take up to 20 minutes to complete, depending on the complexity of the integration and the amount of data that must be scanned.
Once the connection has run, Osano will provide a list of fields discovered within the connected application and will begin attempting to classify these fields based on the category of PI.
Example Integration: Salesforce
AI Classification: Osano’s AI will then attempt to classify the data in each field, identifying whether it contains personal data and, if so, what type.
Manual Updates and Overrides: If you need to add in any classifications or change any classification suggestions provided by Osano, you can do so on the Fields and Classifications tab by clicking the purple 'Update Selected Field' pencil icon next to each field. You can also bulk classify fields by selecting multiple fields and using the 'Edit' icon at the top right of the fields table.
Step 5: Set Recommended Actions for Subject Rights Requests
Choose Recommended Actions: For each classified field, determine the recommended action (e.g., deletion, correction) that should be taken when a subject rights request is received.
For example, if a Deletion request is received and a field is classified with a 'Delete' action, an action item will be generated for the Data Store Owner to delete that data. If a field should never be deleted even when receiving a Deletion request, that field should be marked as "Not Applicable" (e.g., financial information within 1 year of purchase).
Note: Unclassified fields will not generate action items, so it’s important to ensure all relevant fields are properly classified.
Step 6: Finalize the Data Store
Once all fields are classified and recommended actions are set, your automated data store is ready.
As subject rights requests come in, action items will be generated automatically based on the classifications and actions you’ve set up.
How to Create a Manual Data Store (Data Stores Page)
Note: You can also create both automated and manual Data Stores from your Sources > Discovered Data flow. The steps to do so will be similar to the below steps for manual creation.
Step 1: Access the Data Stores Page
1. Navigate to the Data Stores page within the Osano platform.
2. Click the purple '+' button located at the bottom right of the page to initiate the creation of a new data store. Choose the 'Create a Manual Data Store' option.
Step 2: Enter Basic Information
1. Enter a Data Store Name: Choose a name that clearly identifies the non-connected data source.
2. Provide a Description: Optionally, you can add a brief description to explain the purpose or scope of this data store.
3. Assign a Data Store Owner: This individual will be responsible for performing manual searches when a subject rights request is received.
Step 3: Manually Add and Classify Fields
Once the data store has been created, you can manually add the fields associated with this store.
For more bulk management options, check out our REST API.
1. Navigate to the Fields Tab: Once your data store is created, go to the Fields tab.
2. Click the purple '+' Button: This will allow you to start adding fields manually.
3. Enter a Field Name: Each field should represent a type of personal data stored in the non-connected data source.
4. Select a Classification: Choose the type of personal data stored in that field (e.g., name, email, address).
5. Set Recommended Actions: For each classification, determine the recommended action for subject rights requests.
Important: For a manual data store to be automatically assigned to incoming requests, it must have at least one classified field. If no fields are classified, the data store won’t be applied to new requests.
Step 4: Finalize the Data Store
After all fields have been added and classified, your manual data store is ready.
When a subject rights request is received, action items will be created based on the fields and classifications you’ve set up.
Additional Data Store Settings
Once your data stores have been created, both manual and automated data stores can be edited to include settings such as country associations, labels, purpose of processing and additional users/owners associated with the store itself.
Purpose of Processing
In the context of data mapping within the Osano Privacy Platform, Purpose of Processing refers to the reason or objective behind collecting, storing, and using personal data within your data stores. It's a critical aspect of data governance, helping organizations ensure that data is being handled in compliance with legal regulations which require a clear justification for processing personal data.
When creating your Data Stores, you have the ability to tag the Purpose of Processing. This field is free text entry and, once an entry has been added to the bank, can be recycled for future use.
Data Store Owners
Data Store Owners will receive alerts when new action items are generated for a data store to which they are assigned as a user. This allows them to participate in the completion of any DSAR requests associated with this Data Store in the future.
To add additional users/owners to a data store:
- Navigate to the Details Tab of the Data Store: This is where you manage assignees.
- Add new Owners: Both Organizations and/or individuals can be associated with a single data store.
- Assign Organizations as owners of this data store. When this option is utilized, all users who are a part of the chosen Organization(s) will become owners of this Data Store.
- Assign Users as owners of this data store. When this option is utilized, individual users will become owners of this Data Store.
- Tip: Consider adding users who are responsible for the data source or who will assist in processing subject rights requests.
- To Remove an Owner, click the 'x' next to their username in the Assignees field.
Remember, the Data Store Owner is automatically assigned to the data store by default. They will receive all action items generated for that store.
Next Steps: Forms Setup
Once your data stores are fully created and configured, you’re ready to move on to setting up Forms in Osano. This will help streamline the process of managing subject rights requests by providing a structured way for requestors to submit their information.