Microsoft Purview · Privacy Management (Priva)

Subject Rights Request Administrators

Full administrative rights to create and manage subject rights requests (SRRs). Can handle GDPR, CCPA, and other privacy regulation requests including access, export, tagged list, and delete requests. Can add approvers and manage entire SRR lifecycle.

Scope: Full administrative access to create, manage, and complete subject rights requests for GDPR, CCPA, PIPEDA, and other privacy regulations.

Permissions

  • Create new subject rights requests (access, export, tagged list, delete)
  • Manage all subject rights requests across the organization
  • Add approvers for subject rights requests
  • Configure SRR search settings and data source scopes
  • Review and approve data collected by subject rights requests
  • Mark files as included/excluded for export or deletion
  • Generate data packages for data subjects
  • Export file content for subject rights request responses
  • Manage delete requests and approve deletion workflows
  • Add collaborators to subject rights requests
  • Create and manage Teams collaboration channels for SRRs
  • Configure subject rights request templates
  • Set data retention limits for SRR data
  • Generate audit logs and compliance reports for SRRs
  • Close and archive completed subject rights requests
  • Tag files during data review for follow-up actions
  • Annotate and redact files for data subject responses
  • Manage SRR workflows from creation to completion

Common use cases

  • Responding to GDPR Article 15 data subject access requests (DSARs)
  • Processing CCPA consumer rights requests
  • Handling "right to be forgotten" deletion requests under GDPR Article 17
  • Fulfilling "right to data portability" export requests
  • Managing subject rights requests for PIPEDA (Canada) compliance
  • Coordinating cross-functional SRR response with legal, IT, HR
  • Creating subject rights request workflows and templates
  • Reviewing and approving data collected for SRR responses
  • Generating data packages for data subject delivery
  • Managing delete request approvals and execution
  • Collaborating with legal counsel on complex SRRs
  • Tracking SRR processing times for regulatory compliance
  • Preparing SRR documentation for regulatory audits
  • Handling escalated or high-risk subject rights requests

Best practices

  • Create SRR templates for common request types (access, export, delete)
  • Define clear SRR workflows with approval gates for sensitive requests
  • Use Teams collaboration channels to coordinate cross-functional SRR teams
  • Add approvers for delete requests to ensure proper authorization
  • Document identity verification steps before fulfilling requests
  • Review collected data thoroughly before generating export packages
  • Use annotation and redaction tools to protect third-party privacy
  • Set reasonable deadlines based on regulatory requirements (30 days GDPR)
  • Add collaborators from legal, IT, HR for complex requests
  • Generate audit logs for all SRRs for regulatory compliance documentation
  • Configure data retention limits to auto-delete old SRR data
  • Use tags during data review to flag items for further attention
  • Monitor SRR processing times to meet regulatory deadlines
  • Coordinate with legal before fulfilling requests from litigants
  • Establish identity verification procedures before data delivery

Security considerations

  • This role has access to sensitive personal data collected by SRRs
  • Subject rights requests may reveal confidential business information
  • Must verify data subject identity before fulfilling requests
  • Delete requests are irreversible - requires approval workflow
  • Export packages may contain sensitive personal data - handle securely
  • All SRR activities are logged in Microsoft 365 audit log
  • Coordinate with legal before fulfilling requests during litigation
  • SRR data may be subject to legal holds - check before deletion
  • Cross-border SRRs may have data sovereignty implications
  • Attorney-client privileged content may be collected - review carefully
  • Monitor audit logs for unauthorized SRR creation or data access
  • Use encrypted channels for delivering export packages to data subjects
  • Delete request approval should require multiple approvers
  • Subject rights requests may expose security vulnerabilities - coordinate with SecOps

Official Microsoft Learn documentation →

Open the interactive RBACMap →