We're reclaiming inactive PDIs to keep them available for active builders. Learn what's changing, who's affected, and how to protect your work. Read More

ServiceNow GRC: Personal Data Rights — Implementation Guide for the External Request Portal

Vinod54
Tera Guru

Why Does This Application Exist?

Data protection laws — GDPR, CCPA/CPRA, and India's DPDPA — legally mandate that organizations respond to consumer requests to access, correct, or delete their personal data within strict timeframes. Compliance teams lacked a centralized system to intake these requests and automatically delegate them to the right IT, HR, or legal administrators.

ServiceNow GRC: Personal Data Rights was built to fill that gap.


What Is GRC: Personal Data Rights?

A ServiceNow Store application that enables organizations to manage and fulfill Data Subject Access Requests (DSARs) at scale. It provides:

  • A public-facing external portal for requesters — no ServiceNow login required
  • Configurable workflows to route tasks to the right data administrators
  • SLA tracking and automated notifications to meet regulatory deadlines
  • Data registries to centrally manage personal data sources across systems

Supported request types: Right to Know, Right to Delete, Right to Correct, Right to Opt-Out


How to Implement

1. Requirements

Item Detail
ReleaseZurich and above (Yokohama recommended)
LicenseGRC Professional or Enterprise

2. Install Required Plugins

Go to System Applications → All Available Applications → All and install both:

  • GRC: Privacy Management
  • GRC: Personal Data Rights

Tip: Enable Load demo data during installation to pre-populate request types, jurisdictions, and sample configurations.

PDI Note: GRC plugins may not appear immediately on a fresh PDI. Wait ~24 hours or click Sync Now in the Application Manager.


3. Assign Roles

Role Purpose
sn_privacy.adminCore privacy administration
sn_grc_pdr.data_owner_adminPDR form and registry configuration

4. Configure Request Types

Navigate to: All → Personal Data Rights → Request Configuration → Request Types

If demo data was loaded, standard request types are already present. Otherwise, select New to create them manually, mapping each to the applicable jurisdictions and data subject types.

📄 Configure PDR Request Types — ServiceNow Docs


5. Configure the External-Facing Form

Navigate to: All → Personal Data Rights → External Form Configuration

This is where most administrators get stuck — the portal is configured here, not on the form itself.

  • If an active record already exists, open it → uncheck Active → click Update
  • Then select New and configure jurisdictions, data subject types (Customer, Ex-Employee, Prospect, Third Party), request types, and authorized agent settings

📄 Configure External PDR Form — ServiceNow Docs


6. Access and Test the Portal

Open an incognito browser and navigate to:

 
https://[your-instance].service-now.com/now/grc/portal/public/pdr

Submit a test request. The system sends an OTP to the provided email for identity verification before creating a case.

PDI Testing Tip: Go to System Mailboxes → Outbound to retrieve the OTP if outbound email isn't fully configured.


7. Manage Requests in the Workspace

Navigate to: All → Personal Data Rights Workspace

Track all incoming requests, monitor SLA status, and manage action task assignments through to fulfillment.


Quick Troubleshooting

Issue Fix
Plugins not visible in App ManagerWait 24 hours on a fresh PDI, or click Sync Now
External form configuration menu missingVerify sn_privacy.admin role is active
OTP not receivedCheck System Mailboxes → Outbound
No request types on formLoad demo data or create request types manually

 

Questions or edge cases not covered here? Drop a comment below.

 

If you find the article helpful, please hit the Helpful button. 

 

Thanks,

Vinod Kumar M

0 REPLIES 0