Merge pull request #49003 from MicrosoftDocs/NEW-priva-subject-rights-requests

New priva subject rights requests

Author: JillGrant615

learn-pr/wwl-sci/priva-subject-rights-requests/configure-prerequisites-beyond-m365.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.priva-subject-rights-requests.configure-prerequisites-beyond-m365
+title: Configure prerequisites for requests for data beyond Microsoft 365 (preview)
+metadata:
+  title: Configure prerequisites for requests for data beyond Microsoft 365 (preview)
+  description: "Configure prerequisites for requests for data beyond Microsoft 365 (preview)"
+  ms.date: 01/24/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 6
+content: |
+  [!include[](includes/configure-prerequisites-beyond-m365.md)]

learn-pr/wwl-sci/priva-subject-rights-requests/create-subject-rights-request-beyond-m365.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.priva-subject-rights-requests.create-subject-rights-request-beyond-m365
+title: Create and manage subject rights requests for data beyond Microsoft 365 (preview)
+metadata:
+  title: Create and manage subject rights requests for data beyond Microsoft 365 (preview)
+  description: "Create and manage subject rights requests for data beyond Microsoft 365 (preview)."
+  ms.date: 01/24/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 7
+content: |
+  [!include[](includes/create-subject-rights-request-beyond-m365.md)]

learn-pr/wwl-sci/priva-subject-rights-requests/create-subject-rights-request-m365.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.priva-subject-rights-requests.create-subject-rights-request-m365
+title: Create and manage data requests for Microsoft 365
+metadata:
+  title: Create and manage data requests for Microsoft 365
+  description: "Create and manage data requests for Microsoft 365."
+  ms.date: 01/24/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 10
+content: |
+  [!include[](includes/create-subject-rights-request-m365.md)]

learn-pr/wwl-sci/priva-subject-rights-requests/includes/configure-prerequisites-beyond-m365.md

@@ -0,0 +1,78 @@
+Subject rights requests for data beyond Microsoft 365 allow organizations to manage privacy-related requests across multicloud and on-premises environments. To get started, you need to ensure the solution is properly configured with essential prerequisites.
+
+## Confirm access to the Data Map
+
+The Microsoft Purview Data Map is a foundational tool for managing subject rights requests. It enables the service to search for data classifications and helps data owners locate and act on personal data. Verify that your organization has access to the [Microsoft Purview Data Map](/purview/concept-elastic-data-map?azure-portal=true) to use these capabilities effectively.
+
+## Register assets in the Unified Catalog
+
+To fully utilize subject rights requests, register your organization's data assets in the [Microsoft Purview Unified Catalog](/purview/unified-catalog-search?azure-portal=true). Registered assets must include classifications and data owners, which ensures:
+
+- Relevant classifications can be searched efficiently.
+- Tasks are automatically assigned to the appropriate data owners.
+
+Registering assets improves the task creation process and ensures a streamlined workflow for fulfilling requests.
+
+## Assign roles and permissions
+
+Roles determine the tasks users can perform within the subject rights requests solution. Assign roles based on the responsibilities required for managing requests:
+
+| Role | Access | Description |
+|-----|-----|-----|
+| **Data Reader** | Read-only access | Allows access to Data Map classifications and Unified Catalog details for scoped assets. |
+| **Privacy Curator** | Read-write access | Enables creation and management of subject rights requests. |
+| **Privacy Reader** | Read-only access | Provides view-only access to requests and tasks but doesn't allow modifications. |
+
+For more information, see [Microsoft Purview governance roles and permissions](/purview/roles-permissions?azure-portal=true).
+
+## Set up request forms and templates
+
+To process subject rights requests, your organization must first create request forms and templates. These components define how requests are submitted and processed.
+
+### Create request forms
+
+Request forms are publicly available web forms that data subjects use to submit requests. These forms are customized with:
+
+- **Contact details**: Include a privacy contact and organization privacy statement.
+- **Questionnaire**: Add fields such as name, email address, and additional identifiers to locate the data subject's information.
+- **Validation steps**: Implement identity validation, such as a one-time PIN (OTP) sent to the data subject's email.
+
+Follow these steps to build a request form in the Microsoft Purview portal:
+
+1. Navigate to **Subject Rights Requests** in the Microsoft Purview portal (preview).
+1. Under **Data beyond Microsoft 365**, select **Request forms and templates**.
+1. On the **Request forms** tab, select **New** and complete the required fields, such as form name, description, and privacy contact.
+1. Customize the layout and questionnaire, then preview and finalize the form.
+
+### Create templates
+
+Templates establish the parameters for fulfilling subject rights requests. Each template defines:
+
+- **Fulfillment deadlines**
+- **Connected request forms**
+- **Workflow requirements**
+
+Templates define the fulfillment workflow for requests submitted through connected forms, ensuring that the request process aligns with organizational requirements and deadlines.
+
+Steps to create a template:
+
+1. Navigate to **Request forms and templates** in the Microsoft Purview portal.
+1. On the **Templates** tab, select **New** and provide a name, description, and contacts.
+1. Define the request workflow, including identity validation and storage locations for export packages.
+1. Save and publish the template.
+
+Once completed, templates and forms enable seamless request submission and processing.
+
+## Ensure a strong data governance foundation
+
+For subject rights requests to be effective, your organization needs a well-structured data governance solution. Strong governance ensures data is classified, understood, and actionable, which directly impacts your ability to manage requests efficiently. Key steps include:
+
+- **Establishing glossary terms**: Use business-friendly terms to make data more discoverable and understandable for stakeholders.
+- **Defining objectives and outcomes (OKRs)**: Align data usage with organizational goals to enhance compliance and decision-making.
+- **Improving data quality**: Address issues like accuracy, consistency, and completeness to build trust in your data.
+
+Implementing these practices helps your team maximize the value of subject rights requests and ensures a sustainable approach to managing data privacy.
+
+## Legal disclaimer
+
+[Microsoft Priva legal disclaimer](/privacy/priva/priva-disclaimer?azure-portal=true)

learn-pr/wwl-sci/priva-subject-rights-requests/includes/create-subject-rights-request-beyond-m365.md

@@ -0,0 +1,73 @@
+Managing subject rights requests for data beyond Microsoft 365 enables organizations to address privacy-related requests for personal data stored across diverse platforms, including multicloud environments and on-premises systems. This feature streamlines compliance efforts by automating request workflows and providing visibility into request progress.
+
+## Types of requests
+
+Subject rights requests for data beyond Microsoft 365 support two request types:
+
+- **Export**: Provides an export of a data subject's personal data located in your organization's data landscape.
+- **Delete**: Removes all personal data belonging to a data subject from your organization's systems.
+
+These requests can be initiated in two ways:
+
+1. **By the data subject**: An external individual, such as a customer or former employee, submits a request via an online form created by your organization.
+2. **Manually by your organization**: A user in your organization creates a request on behalf of the data subject.
+
+## Create a request manually
+
+When a data subject contacts your organization to request an export or deletion of their personal data, you can create a request manually. This process involves selecting a template to define how the request will be fulfilled and entering basic details about the data subject.
+
+### Steps to create a request
+
+1. In the Microsoft Priva portal (preview), navigate to the **Request management** page.
+1. Select **New request** to open the request builder.
+1. On the **Basic details** page, choose the template that aligns with the request type (export or delete), then select **Next**.
+1. On the **Request form** page, provide required details such as the data subject's name and email address.
+1. Review the details and select **Submit**. The request is now active and moves into the first stage: **Validating identity**.
+
+## Stages of request progress
+
+Each request progresses through the following stages, shown on the request's details page:
+
+1. **Not started**: The system begins validating the data subject's identity.
+1. **Identity validation**: If the request uses a manual validation template, a task is created for the data engineer to verify the identity. Otherwise, validation is assumed to be complete.
+1. **Analyzing data**: The system searches the Data Map for matches to classifications or sensitive information types specified in the template.
+1. **Working on tasks**: Tasks are assigned to asset owners, who locate, extract, or delete data as required.
+1. **Approving tasks**: Tasks are reviewed and approved by the request owner or designated approver.
+1. **Ready to respond**: All tasks are complete, and the request is ready for the organization's response to the data subject.
+
+## Tasks and responsibilities
+
+When assets containing relevant data are identified, tasks are created and assigned to asset owners. Asset owners are notified via email and must complete the following steps:
+
+1. On the **Task management** page, select the task and choose **Claim task**. The task status updates to **In progress**.
+1. On the task's flyout pane, go to the **Scope** tab to view assets and data subject values in scope.
+   - **Export requests**: Locate the data, extract it to a CSV file, and upload the file to the task.
+   - **Delete requests**: Locate the data and delete it from the identified assets.
+1. Once the required actions are finished, select **Mark as complete**. The task status updates to **Awaiting approval**.
+
+If no relevant data is found, mark the task as **Not applicable**.
+
+## Approving tasks
+
+The request owner or designated approver reviews completed tasks to ensure accuracy and compliance:
+
+1. On the **Tasks** tab of the request's details page, review the uploaded data or task completion details.
+1. Approve tasks that meet requirements by selecting **Approve**. Tasks requiring revisions can be marked as **Rejected**, returning them to the task owner for updates.
+
+## Respond to the data subject
+
+After all tasks are approved, the request progresses to the **Ready to respond** stage. The organization must respond to the data subject outside of Priva:
+
+- **Export requests**: Download the export package from the **Packages** tab on the request's details page. Share the .zip file with the data subject.
+- **Delete requests**: Notify the data subject that their personal data has been deleted.
+
+## Complete the request
+
+Once the data subject has been notified, mark the request as complete:
+
+1. On the request's details page, select **Mark as complete**.
+1. The request status updates to **Complete**. Requests remain in the system for 180 days for record-keeping.
+
+## Legal disclaimer
+
+[Microsoft Priva legal disclaimer](/privacy/priva/priva-disclaimer?azure-portal=true)

learn-pr/wwl-sci/priva-subject-rights-requests/includes/create-subject-rights-request-m365.md

@@ -0,0 +1,102 @@
+Creating a subject rights request is the first step in managing privacy requests effectively. This process allows organizations to locate and retrieve personal data efficiently, ensuring compliance with privacy regulations while streamlining workflows for data discovery and review.
+
+To create a Subject Rights Request, users need to belong to the **Subject Rights Request Administrators** role group. Requests can be created in two ways:
+
+- **Using a template**: A quick, preconfigured option with tailored default settings.
+- **Custom setup**: A guided process that allows full customization of request settings.
+
+## Types of requests
+
+Priva Subject Rights Requests support four request types:
+
+1. **Access**: Summarizes the data subject's personal information held by your organization in Microsoft 365.
+1. **Export**: Provides a summary and an exported file of the content marked for inclusion during the review process.
+1. **Tagged list for follow-up**: Generates a summary of files tagged during data review. Priva provides predefined tags, and you can create custom tags in settings.
+1. **Delete**: Removes content items containing a data subject's personal information, pending approval and compliance with retention policies.
+
+## Create a request using a template
+
+Templates simplify the process with default settings for three request types: **Data access**, **Data export**, and **Data tagged for further action**. You can review and modify these settings during the request creation process.
+
+### Steps to create a request
+
+1. Sign in to the [Microsoft Priva portal (preview)](https://purview.microsoft.com/priva) and select **Subject Rights Requests**.
+
+1. In the navigation pane under **Data within Microsoft 365**, select **Microsoft 365 requests**, then select **New request**.
+
+1. Choose the request type such as Data access, then select **Get started** to open a flyout pane.
+
+1. At **Relationship to organization**, select the data subject's relationship with your organization, such as **Current employee**, **Former employee**, or **Other**. This choice adjusts default search settings:
+   - **Current employee**: Excludes items authored by or communicated to the employee.
+   - **Former employee**: Prioritizes the employee's mailbox and authored items.
+   - **Other**: Focuses on the most recent versions of SharePoint items.
+
+1. To review or modify settings, select **View settings** and then **Edit settings** to adjust advanced options.
+
+1. Enter the data subject's details, including required fields, like name and email address. Extra fields like region or regulation type are optional.
+
+1. Select **Create** to finalize the request. The request appears at the top of the request list.
+
+By default, your request is named with the data subject's name and type of request. To edit the request name, select the request from the list to open its details page and select the **Edit** command at the top of the screen. You arrive at the request creation wizard. Select **Next** until you advance to the **Request name** page, where you can edit the name and add a description.
+
+## Create a custom request
+
+Custom requests allow users to tailor every aspect of the request process. You start by choosing a template, and then walk through each setting to customize your policy.
+
+1. Sign in to the Microsoft Priva portal and select **Subject Rights Requests**.
+
+1. Under **Microsoft 365 requests**, select **New request** and choose the **Custom** option.
+
+1. Complete the following steps in the request creation wizard:
+   - **Data subject information**: Enter first and family name, email address (required), and additional identifiers if available. Specify the data subject's relationship to your organization.
+   - **Locations**: Enable search locations such as Exchange (mailboxes and Teams chats) or SharePoint (including OneDrive and Teams channels).
+   - **Define search settings**: Adjust default settings such as including content authored by the data subject or retrieving all versions of SharePoint items. You can also request a data estimate before retrieval begins.
+   - **Request type**: Select Access, Export, or Tagged list for follow-up. Specify privacy regulations and adjust deadlines as needed.
+   - **Request details**: Review and edit the request's name and description.
+
+1. On the final page, review all entries and select **Create request**. The request is added to your Subject Rights Requests list.
+
+## Customize search settings
+
+You can use advanced search settings to tailor your search and refine the data retrieved for subject rights requests. These options provide flexibility to meet specific organizational needs:
+
+- **Refine your search**: Specify extra properties to narrow the scope, such as item name, sender/recipient, or personal data types. This option improves the accuracy of results by allowing you to focus on relevant data.
+- **Include content authored by the data subject**: Retrieve files, documents, or other content created by the data subject. Examples include files uploaded to SharePoint. Enabling this might increase the volume of retrieved data.
+- **Include all versions of items**: Expand SharePoint search results to include all previous versions of items in addition to the most recent one. This option is useful when historical versions are required for review.
+- **Get an estimate first**: Preview the expected amount of data before starting retrieval. Once the estimate appears on the request details page, you can view sample results to ensure they meet expectations. Select **Retrieve data** to proceed with full content retrieval.
+
+## Manage delete requests
+
+Delete requests include unique steps beyond those required for other request types. They enable the removal of personal data while maintaining compliance with retention and regulatory policies.
+
+### Key steps for delete requests
+
+- **Assign approvers**: When creating a delete request, assign at least one approver to review and approve items marked for deletion. Approvers can recommend changes if necessary.
+- **Data review**: Collaborators tag items for deletion by marking them as **Include**. Approvers verify these items and either approve or request adjustments.
+- **Delete workflow**: Approved requests trigger the **PrivaDelete** retention label, which is applied to items eligible for deletion. The deletion process evaluates:
+
+  - Conflicts with existing retention labels.
+  - Unsupported storage locations.
+  - Manually moved or deleted items.
+
+### Interaction with Microsoft Purview Data Lifecycle Management
+
+Microsoft Purview Data Lifecycle Management's features, such as retention labels and policies, are respected during the delete workflow. Key points include:
+
+- **Conflict resolution**: The **PrivaDelete** retention label won't override existing retention labels applied for regulatory or organizational purposes. If an item is already subject to a retention policy, the delete request won't proceed for that item.
+- **Visibility into conflicts**: Items with conflicting retention labels are flagged as priority items for review. Administrators can access the Action execution log to understand why specific items couldn't be deleted.
+- **Principles of retention**: The workflow adheres to Purview's retention principles, ensuring that compliance obligations aren't inadvertently compromised.
+
+Tip: Collaborate with your organization's records management or compliance teams to resolve retention conflicts and communicate with data subjects about items that can't be deleted.
+
+### Monitor progress and resolve conflicts
+
+The **Action summary** card on the request details page tracks the deletion progress, including unresolved conflicts. Use the Action execution log to view detailed reports and address any flagged items.
+
+### Timeline for deletion
+
+Once approved, the delete workflow begins automatically. Eligible items are deleted within 30 days, but conflicts might delay specific deletions. Regularly monitor reports to ensure items are processed as expected.
+
+## Legal disclaimer
+
+[Microsoft Priva legal disclaimer](/privacy/priva/priva-disclaimer?azure-portal=true)