Microsoft Purview · Privacy Management (Priva)

Subject Rights Request Administrators

Full administrative rights to create and manage subject rights requests (SRRs). Can handle GDPR, CCPA, and other privacy regulation requests including access, export, tagged list, and delete requests. Can add approvers and manage entire SRR lifecycle.

Scope: Full administrative access to create, manage, and complete subject rights requests for GDPR, CCPA, PIPEDA, and other privacy regulations.

Permissions

  • Create new subject rights requests (access, export, tagged list, delete)
  • Manage all subject rights requests across the organization
  • Add approvers for subject rights requests
  • Configure SRR search settings and data source scopes
  • Review and approve data collected by subject rights requests
  • Mark files as included/excluded for export or deletion
  • Generate data packages for data subjects
  • Export file content for subject rights request responses
  • Manage delete requests and approve deletion workflows
  • Add collaborators to subject rights requests
  • Create and manage Teams collaboration channels for SRRs
  • Configure subject rights request templates
  • Set data retention limits for SRR data
  • Generate audit logs and compliance reports for SRRs
  • Close and archive completed subject rights requests
  • Tag files during data review for follow-up actions
  • Annotate and redact files for data subject responses
  • Manage SRR workflows from creation to completion

Common use cases

  • Responding to GDPR Article 15 data subject access requests (DSARs)
  • Processing CCPA consumer rights requests
  • Handling "right to be forgotten" deletion requests under GDPR Article 17
  • Fulfilling "right to data portability" export requests
  • Managing subject rights requests for PIPEDA (Canada) compliance
  • Coordinating cross-functional SRR response with legal, IT, HR
  • Creating subject rights request workflows and templates
  • Reviewing and approving data collected for SRR responses
  • Generating data packages for data subject delivery
  • Managing delete request approvals and execution
  • Collaborating with legal counsel on complex SRRs
  • Tracking SRR processing times for regulatory compliance
  • Preparing SRR documentation for regulatory audits
  • Handling escalated or high-risk subject rights requests

Best practices

  • Create SRR templates for common request types (access, export, delete)
  • Define clear SRR workflows with approval gates for sensitive requests
  • Use Teams collaboration channels to coordinate cross-functional SRR teams
  • Add approvers for delete requests to ensure proper authorization
  • Document identity verification steps before fulfilling requests
  • Review collected data thoroughly before generating export packages
  • Use annotation and redaction tools to protect third-party privacy
  • Set reasonable deadlines based on regulatory requirements (30 days GDPR)
  • Add collaborators from legal, IT, HR for complex requests
  • Generate audit logs for all SRRs for regulatory compliance documentation
  • Configure data retention limits to auto-delete old SRR data
  • Use tags during data review to flag items for further attention
  • Monitor SRR processing times to meet regulatory deadlines
  • Coordinate with legal before fulfilling requests from litigants
  • Establish identity verification procedures before data delivery

Security considerations

  • This role has access to sensitive personal data collected by SRRs
  • Subject rights requests may reveal confidential business information
  • Must verify data subject identity before fulfilling requests
  • Delete requests are irreversible - requires approval workflow
  • Export packages may contain sensitive personal data - handle securely
  • All SRR activities are logged in Microsoft 365 audit log
  • Coordinate with legal before fulfilling requests during litigation
  • SRR data may be subject to legal holds - check before deletion
  • Cross-border SRRs may have data sovereignty implications
  • Attorney-client privileged content may be collected - review carefully
  • Monitor audit logs for unauthorized SRR creation or data access
  • Use encrypted channels for delivering export packages to data subjects
  • Delete request approval should require multiple approvers
  • Subject rights requests may expose security vulnerabilities - coordinate with SecOps

Common questions

When should I assign the Subject Rights Request Administrators role?

Assign Subject Rights Request Administrators when you need to: Responding to GDPR Article 15 data subject access requests (DSARs); Processing CCPA consumer rights requests; Handling "right to be forgotten" deletion requests under GDPR Article 17; Fulfilling "right to data portability" export requests; and Managing subject rights requests for PIPEDA (Canada) compliance. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Subject Rights Request Administrators role do?

The Subject Rights Request Administrators role grants permissions including: Create new subject rights requests (access, export, tagged list, delete); Manage all subject rights requests across the organization; Add approvers for subject rights requests; Configure SRR search settings and data source scopes; Review and approve data collected by subject rights requests; and Mark files as included/excluded for export or deletion. See the Permissions section above for the full list.

What are the security risks of the Subject Rights Request Administrators role?

Key considerations when assigning Subject Rights Request Administrators: This role has access to sensitive personal data collected by SRRs; Subject rights requests may reveal confidential business information; Must verify data subject identity before fulfilling requests; and Delete requests are irreversible - requires approval workflow. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →