Auth0 has done the research to help you keep up with changing privacy regulations. Our docs and blogs provide the overviews you need to understand the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), compliance, data privacy, and consent management topics.
To keep up with evolving privacy regulations, the Auth0 Lab team actively explored how to help organizations deal with data subject access requests (DSARs) in 2021. The more we researched, the more we realized that solving this problem was complex. Shortly after the acquisition of Auth0, the Okta Ventures team introduced us to DataGrail which is a portfolio company and who already had a DSAR solution ready to deploy.
The Complexity of Data Subject Requests
The European Union (EU) Commission was tasked with unifying multiple approaches to data privacy. This need to find a solution that would work for all the countries within the EU helped drive a simplified set of regulations for data ecosystems under the GDPR. A clear dichotomy emerged between a data controller and a data processor. An organization that determined how and why to use personal data (a “controller”) would hire a company to process personal data on its behalf and under its instructions (a “processor”). If an individual wanted to exercise a DSAR, that individual would simply ask the controller about what personal data they had, to delete their personal data, or another request about their personal data, and the controller would just send that request to the processor to obtain the information and share it with the individual.
Easy! Except only the simplest organizations have a technology stack that is this uncomplex.
In reality, the problem is far more complex. An organization might have data stored in application databases, CRMs (customer relationship management), logfiles, ad placement platforms, and a host of other business applications. So what seems like a simple relationship turns into a mess. Here’s what an example could look like (these relationships don’t necessarily exist).
We have spoken to organizations with data ecosystems that were far more complicated than this!
Suddenly, a DSAR could involve a dozen applications and the administrators of each. A privacy operations professional needs to keep up-to-date with the various applications used across an organization to make sure personal data is accessed or removed from each. Failure to respond to a single request could result in a massive penalty for an organization, as this example illustrates:
The Solution, a Data Privacy Platform like DataGrail
DataGrail is a data privacy platform that maps where Personally Identifiable Information (PII) lives across your organization and then tracks, automates, and delivers DSRs. We use DataGrail’s Request Manager at Auth0 and Okta, and it helps us manage requests across our own complex marketing stack.
How it works
When built with intention, holistic privacy programs ensure consumers are able to receive transparent and timely responses about their personal data, while internal teams can produce a single audit trail and avoid extensive manual effort. DataGrail takes four primary steps to create both outcomes:
DSR forms. DataGrail provides branded, user-friendly, accessible forms that can be embedded directly on your website. These forms are simple and comprehensive, so consumers spend less time submitting their DSRs, and internal teams receive all the information needed to fulfill the request quickly. Here’s Okta’s form powered by DataGrail.
Identity verification. Before submissions make their way to our team, DataGrail’s Smart Verification tech checks to ensure the request isn’t fraudulent, so personal data stays private until the individual verifies their identity. Through the DataGrail integration, customers can configure their setup to leverage personal data that is already held within Auth0 to authenticate a submitter’s identity, so they don’t have to volunteer additional personal information like IDs passports, or photographic evidence.
Request automation. All DSRs are automatically and centrally organized. Whether the incoming request specifies a desire for access, deletion, or to update personal data, DataGrail connects to tools across your organization (internal and third party) so that you can avoid managing manual processes in a spreadsheet. The direct connection to your tools helps avoid security risks and gaps that are introduced by manual efforts.
Audits and compliance. DataGrail’s dashboard tracks the full request lifecycle in one place. You can see up-to-date logs, ensure requests are tracked and enable consumers to choose to receive their DSRs in PDF and other machine-readable formats.
DataGrail makes it possible for consumers to effortlessly and safely request their personal data while reducing the manual efforts by our operational teams in carrying out DSRs.
Auth0 Marketplace Integration
You can find the DataGrail marketplace integration here: https://marketplace.auth0.com/integrations/datagrail. You can set it up in as little as 15 minutes!
1. Add a DataGrail Application
Head over to your Applications in your management dashboard and create a new application.
Name it something that represents the integration and select “Machine to Machine Applications.”
2. Authorize Access
The next step in the flow will prompt you to select which API and scopes will have access. Select the Auth0 Management API, and select the following:
3. Configure Application and Gather Connection Data
In the application screen for your new application, head to the settings tab, and then scroll down to Application URIs.
Add https://datagrail.com/oauth/auth to the “Allowed Callback URLs”:
Save changes and move to the Basic Information form.
Here you’ll find the necessary information to enter into your DataGrail integration page.
4. Enter Necessary Information in DataGrail
- Return to the DataGrail Portal (window should be open in a separate tab).
- Click Connect within the Integration page for Auth0.
- Enter Subdomain, Client ID and Client Secret obtained from Step 1.
- Click Connect Auth0
If there are additional Auth0 accounts to integrate, follow these instructions:
a. Click Edit Connection within the Integration page for Auth0. b. From the drop-down, select +Add New Connection.
c. Under Connection Name, enter a new name to identify this separate account (ex: Auth0 Training Account).
d. Repeat Step 1 to copy Subdomain, Client ID and Client Secret for this new account.
e. Enter Subdomain, Client ID and Client Secret.
f. Click Connect.In the DataGrail Portal, if you have any other integrations not connected (no green check mark), please click Connect to complete the configuration and reference the Help Docs link for instructions
You can always email DataGrail for help at support@datagrail.io with any issues or questions regarding your integrations.
Connecting with Auth0 and Okta Ventures
DataGrail is integrated with multiple teams at Okta. You can start your partnership journey by reaching out to any one of these teams:
The Auth0 Marketplace is always looking for partners to build new extensions onto Auth0. Visit https://auth0.com/integrate to learn more.
The Okta Ventures team is actively seeking new innovative organizations. You can apply for funding here: https://www.okta.com/okta-ventures-application.
You can follow the research and experiments of the Auth0 Lab team on Twitter and start a conversation with us on Discord.
About Auth0
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.
About the author
Samuel Frank
Senior Product Manager