ServiceNow GRC: Personal Data Rights — Implementation Guide for the External Request Portal
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
an hour ago
Why Does This Application Exist?
Data protection laws — GDPR, CCPA/CPRA, and India's DPDPA — legally mandate that organizations respond to consumer requests to access, correct, or delete their personal data within strict timeframes. Compliance teams lacked a centralized system to intake these requests and automatically delegate them to the right IT, HR, or legal administrators.
ServiceNow GRC: Personal Data Rights was built to fill that gap.
What Is GRC: Personal Data Rights?
A ServiceNow Store application that enables organizations to manage and fulfill Data Subject Access Requests (DSARs) at scale. It provides:
- A public-facing external portal for requesters — no ServiceNow login required
- Configurable workflows to route tasks to the right data administrators
- SLA tracking and automated notifications to meet regulatory deadlines
- Data registries to centrally manage personal data sources across systems
Supported request types: Right to Know, Right to Delete, Right to Correct, Right to Opt-Out
How to Implement
1. Requirements
| Release | Zurich and above (Yokohama recommended) |
| License | GRC Professional or Enterprise |
2. Install Required Plugins
Go to System Applications → All Available Applications → All and install both:
- GRC: Privacy Management
- GRC: Personal Data Rights
Tip: Enable Load demo data during installation to pre-populate request types, jurisdictions, and sample configurations.
PDI Note: GRC plugins may not appear immediately on a fresh PDI. Wait ~24 hours or click Sync Now in the Application Manager.
3. Assign Roles
| sn_privacy.admin | Core privacy administration |
| sn_grc_pdr.data_owner_admin | PDR form and registry configuration |
4. Configure Request Types
Navigate to: All → Personal Data Rights → Request Configuration → Request Types
If demo data was loaded, standard request types are already present. Otherwise, select New to create them manually, mapping each to the applicable jurisdictions and data subject types.
📄 Configure PDR Request Types — ServiceNow Docs
5. Configure the External-Facing Form
Navigate to: All → Personal Data Rights → External Form Configuration
This is where most administrators get stuck — the portal is configured here, not on the form itself.
- If an active record already exists, open it → uncheck Active → click Update
- Then select New and configure jurisdictions, data subject types (Customer, Ex-Employee, Prospect, Third Party), request types, and authorized agent settings
📄 Configure External PDR Form — ServiceNow Docs
6. Access and Test the Portal
Open an incognito browser and navigate to:
https://[your-instance].service-now.com/now/grc/portal/public/pdrSubmit a test request. The system sends an OTP to the provided email for identity verification before creating a case.
PDI Testing Tip: Go to System Mailboxes → Outbound to retrieve the OTP if outbound email isn't fully configured.
7. Manage Requests in the Workspace
Navigate to: All → Personal Data Rights Workspace
Track all incoming requests, monitor SLA status, and manage action task assignments through to fulfillment.
Quick Troubleshooting
| Plugins not visible in App Manager | Wait 24 hours on a fresh PDI, or click Sync Now |
| External form configuration menu missing | Verify sn_privacy.admin role is active |
| OTP not received | Check System Mailboxes → Outbound |
| No request types on form | Load demo data or create request types manually |
Questions or edge cases not covered here? Drop a comment below.
If you find the article helpful, please hit the Helpful button.
Thanks,
Vinod Kumar M