Overview
Skill Level: Intermediate
Watson Campaign Automation provides APIs for data controllers to fetch a contact's data as part of Right of Access processing and submit erasure requests as part of Right to Erasure processing through a batched asynchronous job api. The responses from the asynchronous job are available for download for up to 3 days after the job at which time the GDPR job responses are deleted as they can have personal data.
Prerequisites
GDPR Lookup Keys must be specified within Watson Campaign Automation.
It is recommended to collate the requests so that minimum calls are made to Watson Campaign Automation so that overall performance is not impacted for your organization.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Database GDPR Lookup Key Setup
Within your database, you are able to select up to 5 fields from the GDPR LookUp Fields screen that you will use for GDPR lookups. To configure this setup, take these steps:
- Click Settings on the Database details screen.
- Select up to 5 fields that you want to use as GDPR LookUp Fields by clicking the GDPR LookUp Fields tab.
Note: Lookup keys are a feature of Flexible Key databases and Email is used for the GDPR Lookup on Restricted databases.
Items of Importance
It is possible that a message is received after an opted-in data subject submits a Right to Erasure request to IBM. This occurs because the message was already scheduled for delivery prior to the Right to Erasure request being submitted.
Relational Table setup for Right to Erasure API call
For the Watson Campaign Automation Right to Erasure API to process the erasure of information from a Relational Table where the Relational Table has contact specific personal data, you need to select the radio button next to Delete records in the Relational Table settings.
Step-by-step
-
API Request
Use the following API requests to call the GDPR Right to Erasure API.
- Database – POST /databases/{databaseId}/gdpr_erasure
- Provide a database Id in the API request path to identify the database which the data subject will be removed from. To remove a data subject from more than one database, a unique call must be made for each database Id.
-
The body of the POST must contain a CSV with one or more column names and the identifiers to be looked up for each column name. The content-type will be ‘text/csv’. See the example below:
“MobileNumber”,“15063434670”
“MobileNumber”,“15066754325”
“Email”,”john@domain.com”
“MobileNumber”,“18884266840”
“Email”,”jill@domain.com”,
“Email”,”jack@somedomain.com”
Note: Suppression lists are supported for erasure requests. Removing an email address from the suppression list creates some risk that the data subject will receive an email if another process, such as ImportList, adds the data subject back to a database.
-
Processing
The Watson Campaign Automation /gdpr_erasure API will respond synchronously with a 202 – Accepted along with a response header named location which will have the URI for job status. (e.g. http://api5.ibmmarketingcloud.com/rest/gdpr_jobs/{jobId}/status)
The GET method for /gdpr_jobs/{jobId}/status returns a high level status that indicates whether processing is:
- WAITING
- IN PROGRESS
- COMPLETE
- ERROR
When processing completes with a status of SUCCESS, the WCA status API response will also include a response header named ‘location’ having the URI for job results. (e.g. http://api5.ibmmarketingcloud.com/rest/gdpr_jobs/{jobId}/response)
Erasure Processing when Database Id Provided
For each record, find any matching contacts (even if already soft deleted) in the specified database and perform the following:
- Delete each contact record.
- For a Double Opt-In database, find any matching email addresses in the pre-opt-in database and remove them.
- Delete any Universal Behaviors for the contact
- Notify the following sub-systems of the Right to Erasure request when relevant:
- mGage (SMS)
- Mobile Customer Engagement (Push Notifications)
- Universal Behavior Exchange (UBX)
- Save audit record of the request
- Notify the following sub-systems of the Right to Erasure request when relevant:
-
GDPR Right To Erasure Job Submission Against a Marketing Database
Request Method
POST
Request URI
/databases/{databaseId}/gdpr_erasure
Sample URL
https://api0.ibmmarketingcloud.com/rest/databases/10091/gdpr_erasure
Request Headers
Authorization: Bearer WCA_ACCESS_TOKEN
Content-Type: text/csv
Request Body – one identifier name-value pair on each line
GDPR Lookup Key Column Name, GDPR Identifier Value
Sample Request Body
EMAIL,user1@eng.silverpop.com
EMAIL,user2@eng.silverpop.com
EMAIL,user99@eng.silverpop.com
EMAIL,nonexistent@eng.silverpop.com
Successful Response
Status code: 202
Response Header includes Location to poll for job status
Sample value
Location: https://api0.ibmmarketingcloud.com/rest/gdpr_jobs/33/status
Response Body
{
“location”: “https://api0.ibmmarketingcloud.com/rest/gdpr_jobs/33/status”,
“id”: 33
}
-
GDPR Get Job Status and Job Response
Get Job Status
Request Method
GET
Request URI
/gdpr_jobs/{jobId}/status
Sample URL
https://api0.ibmmarketingcloud.com/rest/gdpr_jobs/32/status
Request Headers
Authorization: Bearer WCA_ACCESS_TOKEN
Successful Response
Status code: 303
Response Header includes Location to fetch job result/response
Sample value
Location: https://api0.ibmmarketingcloud.com/rest/gdpr_jobs/32/response
{
“location”: “http://localhost:8081/rest/gdpr_jobs/32/response”,
“status”: “SUCCESS”
}
Possible values for status: SUBMITTED, IN_PROGRESS, SUCCESS, FAILED
GDPR Job Response
Request Method
GET
Request URI
/gdpr_jobs/{jobId}/response
Sample URL
https://api0.ibmmarketingcloud.com/rest/gdpr_jobs/32/response
Request Headers
Authorization: Bearer WCA_ACCESS_TOKEN
Successful Response
Status code: 200
-
Sample Response for a Right to Erasure job
{
“databaseId”: 10091,
“timestamp”: “2018-03-22T05:04:54.123Z”,
“contacts”: [
{
“contactFound”: true,
“contactDeleted”: true,
“gdprIdentifiers”: [
{
“name”: “EMAIL”,
“value”: “user1@eng.silverpop.com”
}
]
},
{
“contactFound”: true,
“contactDeleted”: true,
“gdprIdentifiers”: [
{
“name”: “EMAIL”,
“value”: “user2@eng.silverpop.com”
}
]
},
{
“contactFound”: false,
“contactDeleted”: false,
“gdprIdentifiers”: [
{
“name”: “EMAIL”,
“value”: “nonexistent@eng.silverpop.com”
}
]
}
]
}