Microsoft Purview · Privacy Management (Priva)

Subject Rights Request Approvers

Can approve subject rights requests (SRRs) to which they are added as an approver. Typically used for approving delete requests or other high-risk SRRs requiring secondary authorization. Provides an approval gate for sensitive SRR operations.

Scope: Approval authority for subject rights requests to which the user is specifically added as an approver. Typically used for delete request authorization.

Permissions

  • Approve or reject subject rights requests assigned to them
  • Review subject rights request details before approval
  • View data collection scope and search criteria for SRRs
  • Review files marked for deletion in delete requests
  • Provide approval for export package generation
  • Add approval comments and justifications
  • View SRR workflow status and timeline
  • Receive notifications when added as an approver to an SRR
  • Review data subject information for identity verification
  • Access SRR audit trail and activity history
  • CANNOT create new subject rights requests
  • CANNOT modify SRR settings or configurations
  • CANNOT add/remove other approvers
  • CANNOT execute deletions (only approve)

Common use cases

  • Approving GDPR Article 17 "right to be forgotten" delete requests
  • Authorizing deletion of employee data after termination
  • Reviewing high-risk subject rights requests before fulfillment
  • Approving export requests containing sensitive business data
  • Providing legal counsel approval for complex SRRs
  • Authorizing cross-border data transfer requests
  • Approving SRRs that may impact ongoing litigation
  • Reviewing delete requests for regulatory compliance
  • Providing HR approval for employee data deletion
  • Authorizing SRRs involving executive or board member data
  • Approving SRRs requiring multiple stakeholder coordination
  • Reviewing tagged list requests for follow-up actions

Best practices

  • Add Approvers to all delete requests for dual authorization
  • Use Approvers for SRRs involving sensitive or executive data
  • Require legal counsel approval for SRRs during litigation
  • Document approval justifications in SRR comments
  • Review collected data scope before approving delete requests
  • Verify data subject identity confirmation before approval
  • Check for legal holds before approving deletion
  • Coordinate with IT before approving large-scale deletions
  • Use multiple Approvers for high-risk or complex SRRs
  • Establish approval criteria and SLA for timely responses
  • Monitor pending approvals to meet regulatory deadlines
  • Reject SRRs if identity verification is insufficient
  • Escalate complex approval decisions to privacy counsel
  • Maintain audit trail of all approval decisions

Security considerations

  • Approvers have authority to authorize irreversible data deletion
  • Approvers must verify that delete requests do not violate legal holds
  • All approval decisions are logged in the Microsoft 365 audit log
  • Approvers may view sensitive personal data in SRR scope
  • Delete approval should be treated with the same care as data destruction
  • Monitor audit logs for approval patterns or anomalies
  • Coordinate with legal before approving SRRs during litigation
  • Delete requests may expose security vulnerabilities; coordinate with SecOps
  • Consider data retention policies before approving deletions
  • This role has lower privilege than SRR Administrator but is still sensitive
  • Inappropriate approval could lead to data loss or regulatory violations
  • Establish approval criteria to prevent unauthorized deletions
