I’ve created a data protection tool using Microsoft Power Automate to manage data subject requests. You can access it in this Github repository, along with all of the files and instructions for replication and modification.
Working on a small data protection team in a global non-profit means finding efficiency wherever I can in order to maximize impact. I’ve developed a lightweight data subject request tracker for anybody to use and would love feedback on the utility of this for others working on humanitarian data protection.
Working on a small data protection team in a global non-profit means finding efficiency wherever I can in order to maximize impact. I’ve developed a lightweight data subject request tracker for anybody to use and would love feedback on the utility of this for others working on humanitarian data protection.
Data Subject Requests (or Data Subject Access Requests) are required by various privacy laws including GDPR and CCPA. They allow an individual to access information about their personal data and how an organization is managing those data. At Mercy Corps, such a request requires coordinating with the owners of 11 different information systems and my team needed a relatively easy way to track these requests. Using emails and spreadsheets to try and coordinate this was:
- unresponsive to data subjects who didn't get an immediate response;
- inefficient due to clogged inboxes, searching for emails, etc;
- difficult to track and hard to see who had complied with what;
- difficult to report on, since there wasn’t any audit trail; and
- insecure because emails containing personal information related to the request could inadvertently remain in people’s inboxes.
Using Power Automate I developed a semi-automated system that largely removes email, eases compliance for system owners, improves tracking, and is more responsive to data subjects. The new system provides:
- greater responsiveness since data subjects get immediate notification that there request has been received;
- better compliance because system owners can report compliance with a single click.
- easier tracking by displaying the status of all requests in a secure list.
- easier reporting if audited because all actions captured in one place; and
- improved security by replacing emails with a secure list with managed permissions.
The flow uses an online Form, a SharePoint list, Microsoft Approvals, and automated messages to track the status of requests more easily. The actions of each system owner are captured in the Microsoft Approvals history in case an audit trail is required and the fact that Approvals transform from a request to a receipt once the request is complete, means that no personal information remains inadvertently inside of emails.
I'd love to hear about your experience using Power Automate for common data protection tasks or how to better improve the tools I've created!
I'd love to hear about your experience using Power Automate for common data protection tasks or how to better improve the tools I've created!