Configuring the GDPR request management application


You can configure a GDPR request management application to verify client identity and initiate requests on behalf of a client. You configure your GDPR request management application according to your business needs and the type of interface that you want to offer.

If you do not have a Pega Infinity™ CRM application, Pega Exchange provides a prototype application called the GDPR Accelerator that you can download and customize. For more information, see Pega GDPR Accelerator.

The GDPR Accelerator

You can also create your own GDPR request management application by using the GDPR Accelerator. The case types are children of Demo-GDPR-Work. The GDPR request management application supports the scenario in which a client calls a call center, and the call center operator uses the application to verify the client’s identity and to initiate the request on behalf of the client. You can automate the process further with additional customization.

The following figure shows case processing by a GDPR request management application that supports multiple applications.

For example, you can configure your banking application to include a web mashup so that the logged-in client can make a GDPR request directly, without using a call center. In this scenario, the mashup submits the GDPR request.

CBAC cases

CBAC case processing proceeds as follows:

  1. Within the GDPR request management application, a case is created for each client request, and a subcase is created for each repository. For example, for an Access request where three repositories are defined, there are three subcases.
  2. If the subcase is for a repository that represents an application, a REST request is created. (The REST APIs are defined in the DataPrivacy category of the Pega API.) A case is created in that application to process the request, and the request results are temporarily stored on that case. The results are returned to the GDPR request management application subcase by using a REST API over HTTPS, and the personal data is then removed from the case in the Pega application.
  3. The results of the subcases are combined in the parent case. When the results have been retrieved by the client, the GDPR request management application removes the personal data from the case, while retaining the other case properties for auditing purposes.

You are responsible for configuring the following items in the GDPR request management application:

Repositories
  Define the repositories as instances of Demo-GDPR-Work-Repository.

REST connectors
  Define a REST connector for each data privacy call type and request type combination. Pega Platform provides sample REST connectors that you can customize. The connectors take parameters for the application URL and the application name.

Case processing
  Configure your case flow so that personal data is removed from the case after it has been communicated to the client.
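The three processing steps above and the "Case processing" responsibility (remove personal data once it has been communicated to the client, keep the rest of the case for auditing) can be modelled end to end. The following is an added example written for this page, not Pega code: an in-memory model in which a parent case fans out to one subcase per repository, a callable stands in for the REST call to each application, results are folded into the parent, and a scrub step strips personal data while retaining the audit properties. The repository names, field names and the set of keys treated as personal data are constructed assumptions.

```python
# Added example (not Pega code): in-memory model of the CBAC case flow described above.
# Repository names, field names and the fetch callable are constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumption: which case properties hold client personal data and must be removed
# after delivery. Everything else on the case is retained for auditing.
PERSONAL_DATA_KEYS = {"name", "email", "address", "phone"}


@dataclass
class Subcase:
    """One subcase per repository (step 1)."""
    repository: str
    status: str = "Open"
    results: Dict[str, str] = field(default_factory=dict)


@dataclass
class GdprCase:
    case_id: str
    request_type: str                  # Access, Rectify or Erase
    client_ref: str                    # opaque client reference, not personal data itself
    created: str
    subcases: List[Subcase] = field(default_factory=list)
    results: Dict[str, Dict[str, str]] = field(default_factory=dict)
    delivered_to_client: bool = False
    status: str = "Open"


def create_case(case_id: str, request_type: str, client_ref: str,
                repositories: List[str], created: str) -> GdprCase:
    """Step 1: one parent case, one subcase per defined repository."""
    case = GdprCase(case_id, request_type, client_ref, created)
    case.subcases = [Subcase(repo) for repo in repositories]
    return case


def process_subcase(subcase: Subcase, fetch: Callable[[str], Dict[str, str]]) -> None:
    """Step 2: ask the repository for the client's data. `fetch` stands in for the
    REST call to the application; the results live only on this subcase."""
    subcase.results = dict(fetch(subcase.repository))
    subcase.status = "Resolved"


def combine_results(case: GdprCase) -> Dict[str, Dict[str, str]]:
    """Step 3, first half: fold the subcase results into the parent case."""
    case.results = {sc.repository: dict(sc.results) for sc in case.subcases}
    return case.results


def deliver_and_scrub(case: GdprCase) -> None:
    """Step 3, second half: once the client has retrieved the results, drop
    personal data from parent and subcases while keeping the audit properties."""
    case.delivered_to_client = True
    for sc in case.subcases:
        sc.results = {k: v for k, v in sc.results.items() if k not in PERSONAL_DATA_KEYS}
    case.results = {repo: {k: v for k, v in data.items() if k not in PERSONAL_DATA_KEYS}
                    for repo, data in case.results.items()}
    case.status = "Resolved-Completed"


def personal_data_present(case: GdprCase) -> bool:
    """Check to run before archiving a case: does any personal data remain on it?"""
    holders = list(case.results.values()) + [sc.results for sc in case.subcases]
    return any(k in PERSONAL_DATA_KEYS for data in holders for k in data)


def audit_record(case: GdprCase) -> Dict[str, object]:
    """What survives the scrub: enough to show the request was handled, no client data."""
    return {
        "case_id": case.case_id,
        "request_type": case.request_type,
        "client_ref": case.client_ref,
        "created": case.created,
        "repositories": [sc.repository for sc in case.subcases],
        "delivered_to_client": case.delivered_to_client,
        "status": case.status,
    }


# Constructed sample data: three repositories, as in the Access example above.
SAMPLE_REPOSITORIES = {
    "CRM":     {"name": "A. Example", "email": "a@example.test", "record_count": "1"},
    "Billing": {"address": "1 Sample St", "record_count": "2"},
    "Support": {"phone": "+00 000 0000", "record_count": "4"},
}


def run_access_request() -> GdprCase:
    """Drive one Access request through all three steps against the sample data."""
    case = create_case("GDPR-1", "Access", "client-42",
                       list(SAMPLE_REPOSITORIES), "2024-01-01T00:00:00Z")
    for sc in case.subcases:
        process_subcase(sc, SAMPLE_REPOSITORIES.__getitem__)
    combine_results(case)
    deliver_and_scrub(case)
    return case


if __name__ == "__main__":
    print(audit_record(run_access_request()))
```

The design point is that `personal_data_present` is a separate check rather than trusting `deliver_and_scrub`: in a real case flow the scrub is a step that can be skipped or misconfigured, so a verification that the retained case carries only audit properties belongs alongside it.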

Configuring the Pega application for GDPR access, rectify, and erase requests

When a request is received by an application from the GDPR request management application (or any other application) to access, rectify, or erase personal data, a case instance is created in the application under the appropriate subclass of ClientData-Work. The default processing for ClientData-Work is provided with Pega Platform.

You are responsible for configuring the following in the Pega application:

Pega API
  Configure the API service package to use OAuth 2.0 authentication. This configuration involves creating an OAuth 2.0 client registration instance that refers to the GDPR request management application (or any other application) that makes REST requests. For more information, see the article Accessing the Pega API by using OAuth 2.0.

Operator and access group for REST
  Create or configure an operator and access group that are responsible for processing incoming CBAC REST requests. This operator is referenced in the OAuth 2.0 client registration that you created in the previous item.
  • Assign the PegaRULES:PegaAPIDataPrivacyAdmin role to this access group.
  • Configure the access group for the application where the clients’ personal data is accessed and updated.

Operator and access group for CBAC
  Create or configure an operator and access group that are responsible for defining CBAC rules.
  • Assign the PegaRULES:SecurityAdministrator role to this access group.

CBAC rules for the Pega database
  If your application manages personal data in the database that is not known to the default Pega Infinity™ CRM applications, define the CBAC rules for those properties. Default CBAC rules are provided with Pega Infinity™ CRM. You and your legal counsel are responsible for reviewing the CBAC rules and for making revisions as you see fit, based on your interpretation of the regulation, your assessment of the valid business purposes for storing and using client data, and your assessment of competing legal requirements in your industry and country or jurisdiction. For more information, see Defining client-based access control rules.
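The calling side of this setup is the REST connector in the GDPR request management application, which takes the application URL and application name as parameters and must authenticate to the Pega API with the OAuth 2.0 client registration described above. The following is an added example written for this page, not Pega code or a Pega connector: it obtains a token with the client-credentials grant, builds the DataPrivacy call with a Bearer token, and refuses any application URL that is not HTTPS. The token endpoint path is an assumption about a Pega deployment that you should verify against your own; the DataPrivacy service path is an obviously labelled placeholder, since the page does not give it.

```python
# Added example (not Pega code): client side of the REST connector, OAuth 2.0 client
# credentials over HTTPS. Paths below are assumptions/placeholders, see comments.
import base64
import json
import urllib.parse
import urllib.request

# Assumption: Pega's OAuth 2.0 token endpoint path. Verify against your deployment.
TOKEN_PATH = "/prweb/PRRestService/oauth2/v1/token"
# PLACEHOLDER: the DataPrivacy service path is not given on this page; substitute
# the path of the service you expose in the DataPrivacy category of your API.
DATA_PRIVACY_PATH = "/prweb/api/v1/PLACEHOLDER-dataprivacy/{request_type}"

REQUEST_TYPES = ("access", "rectify", "erase")


def require_https(application_url: str) -> str:
    """The connector parameter for the application URL must be HTTPS with a host;
    anything else (plain http, a bare path) is rejected before a secret is sent."""
    parts = urllib.parse.urlsplit(application_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"application URL must be https://host[:port]: {application_url!r}")
    return application_url.rstrip("/")


def build_token_request(application_url: str, client_id: str, client_secret: str):
    """Client-credentials grant: the registered client id/secret go in a Basic
    Authorization header, the grant type in the form body."""
    base = require_https(application_url)
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"})
    return base + TOKEN_PATH, headers, body


def build_privacy_request(application_url: str, application_name: str,
                          access_token: str, request_type: str, client_ref: str):
    """Build the DataPrivacy call for one request type, carrying the application
    name parameter and an opaque client reference (constructed payload shape)."""
    base = require_https(application_url)
    if request_type not in REQUEST_TYPES:
        raise ValueError(f"unsupported request type {request_type!r}")
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    payload = {"application": application_name, "clientReference": client_ref}
    return base + DATA_PRIVACY_PATH.format(request_type=request_type), headers, json.dumps(payload)


def send(url: str, headers: dict, body: str, timeout: int = 30) -> dict:
    """POST the prepared request and decode the JSON reply. urllib verifies the
    server certificate by default; do not log `headers`, they carry the secret/token."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def access_request(application_url: str, application_name: str,
                   client_id: str, client_secret: str, client_ref: str) -> dict:
    """Full exchange: token first, then the Access call with the Bearer token."""
    token_reply = send(*build_token_request(application_url, client_id, client_secret))
    url, headers, body = build_privacy_request(
        application_url, application_name, token_reply["access_token"], "access", client_ref)
    return send(url, headers, body)
```

Keep the request-building and sending functions separate, as here: the builders can be unit-tested offline for the HTTPS check and header shape, and only `send` touches the network. The client secret should come from the connector's credential store, never from a rule parameter or a log-visible property.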

In addition, you can optionally customize the following behavior.

Flows
  If you need complex flows with multiple steps or manual intervention, define them in the appropriate subclass of ClientData-Work. In the App explorer of Dev Studio, refer to the Process artifacts under the ClientData-Work subclasses.

Asynchronous processing
  Rectify and erase requests are asynchronous, but asynchronous processing is optional for other request types. To implement asynchronous processing, do the following:
  • Update the Execution mode for the REST services that are in the DataPrivacy category of the Pega API.
  • Enable the job scheduler pyProcessClientDataRequests and update the schedule.

Case history
  If you do not want to save case history in the application for access requests, update the decision tree FilterHistory in ClientData-Work-Access so that it returns a false value. Case history will still be stored in the GDPR request management application.