The Settings tab on the Form Configuration page contains a list of core settings associated with a subject rights form.
The settings on this page are divided into a number of sub-sections:
- Form Name
- The internal name used to identify the form on the Forms page.
- Internal Description
- The internal description used to identify the form on the Forms page.
- Organizations
- Requests received through this form will only display on the Requests page for Subject Rights Managers if that user is assigned an organization that is assigned to this form.
- Instructions
- Text entered here will appear at the top of the form. You can preview how this text will appear for different requesters on the Localization tab.
- Location Selection
- By default, a requester's location is automatically determined by their IP address. When this toggle is enabled, this location is displayed in a dropdown in the top-right header of the form, and users can alter it to select a form from a different jurisdiction than the one they have been geo-identified as residing in. You can preview this dropdown on the Localization tab.
- Generated Inbox
- By default, every form comes with an email address that is set to respond to emails received by it as if they were subject rights requests. These automatic responses have a subject line of "Data Rights Request: Further Information Needed", a sender of "Data Request" and look like this:
Users who click the Data Rights Request Form button in the email are redirected to the request form to submit their request there.
- Allowlist Emails
- Allowlist Emails are email addresses designated as "non-requester" for the purposes of the email intake system. Add the addresses you wish to forward requests from here.
- Escalation Emails
- These email addresses will receive a notification if the generated email inbox receives an email and is unable to determine who to automatically respond to. This will most likely happen if there are multiple unknown email addresses on a redirected or forwarded email.
There are generally two use cases for this generated email inbox.
The first use case is when you want to have a dedicated public email address for receiving DSAR requests. In that case, you would forward or redirect all email traffic that address receives to the generated email inbox, which would then automatically respond to the requester asking them to enter their request through your form.
The second use case is when you want to be able to process requests received at an email address that is not dedicated to receiving requests, e.g. one-off requests received by your legal team. In that case, you would forward the individual email received to the generated email inbox, which would then automatically respond to the requester asking them to enter their request through your form.
- Use Regulatory Due Date (15-60 days after verification depending on location)
- By default, the due date for received requests will be based on the regulatory due date of any active privacy law for the location entered on the request. For example, when this radio button is selected:
- If the location of the request is France, the due date would be 30 days per GDPR.
- If the location of the request is California, the due date would be 45 days per CPRA.
- If the location of the request is Oklahoma, the due date field would display 'No Applicable Privacy Law'.
- Custom
- Selecting this option allows users to enter a single standard for request SLAs regardless of the location of the request. If this standard is less than the regulatory due date (or there is no regulatory due date) the due date for the request will be set to this standard. If this standard is more than the regulatory due date, the regulatory due date would still apply. For example, when this radio button is selected and the value entered here is '35':
- If the location of the request is France, the due date would be 30 days per GDPR.
- If the location of the request is California, the due date would be 35 days per the internal due date.
- If the location of the request is Oklahoma, the due date would be 35 days per the internal due date.
Note: Even if a custom internal due date is set, the true regulatory due date is still tracked as part of the request details and visible on the Request Details page.
- Duplicate Rejection
- When this toggle is enabled, requests received through the form that are identified as a duplicate of another in-progress request will be automatically rejected. A request will be identified as a duplicate of a request in progress if:
- It is from the same requester
- It is of the same request type
- Geo-fencing
- This toggle's functionality has been superseded by the rights localization functionality on the Localization tab.
- Unverified Email Rejection
- When this toggle is enabled, requests received through the form that have not been email verified by the requester for more than 21 days will be automatically rejected at that time. If this toggle is enabled on a form that has unverified requests that have already exceeded this deadline, they will be automatically rejected the next time this daily function is run.
- All Data Stores
- When this radio button is enabled, once a received DSAR request is email verified by the requester, action items will be generated for all data stores that:
- Have at least one field classified as containing PI that has a requested action assigned for the request type associated with the request other than 'Not Applicable'.
- Only the following Data Store(s)
- When this radio button is enabled, users can enumerate a list of data stores eligible to generate action items if the above conditions for action item generation are also met. This functions as an additional filter restricting action item generation.
- Company Name
- This field controls the Company Name that will display on all requester-facing emails sent as part of the subject rights request processing workflow. You can control the content of these emails on the Templates tab and preview how these emails will appear for requesters on the Localization tab.
- Email 'From' Name
- This field controls the From line of requester-facing emails sent as part of the subject rights request processing workflow. You can control the content of these emails on the Templates tab and preview how these emails will appear for requesters on the Localization tab.