Latest Dynatrace
Privacy Rights empowers you to address and manage customer requests related to their data subject rights under applicable data protection laws (for example, GDPR and CCPA/CPRA).
The built-in workflows provide a straightforward method to search for data associated with end users. You can then review the retrieved personal data and make informed decisions about exporting it. The system also allows you to track and follow up on these requests through the request dashboard. Each step is documented with an audit trail to ensure compliance with your obligations. Privacy Rights only supports the export of logs.
To install Privacy Rights, find Privacy Rights in Dynatrace Hub and select Install.
To obtain a personal data export, you need to fill in a request export form.
In the request, specify:
To limit the scope of export requests:
Use the shortest possible timeframe and select relevant buckets only.
Make sure you aren't exporting personal data of other individuals or confidential data.
Use policies to help ensure that your organization’s policies regarding personal data exports are followed.
Policies map policy requirements to DQL that can be applied to refine the export query. For example, if you have a financial_logs bucket and your organizational policy is that this should never be included in personal data exports, you can create an export policy | filter dt.system.bucket != "financial_logs" and apply this to all export requests by default.
Consider the number of logs you export. The higher the number, the more difficult it is to review the data to confirm that it can be provided to the customer.
Privacy Rights ingests log entries as audit logs. This allows you to audit and download historical actions, such as request creation, request approval, and policy creation.
By default, audit logs go to the default_logs bucket. To change this, you can assign your logs to a privacy_audit bucket. This is a custom bucket that needs to be created manually, and the name is not configurable. You can customize the retention period to suit your needs and restrict access to the bucket using IAM policies.
You also need to manually set up a bucket assignment rule. To do this, go to Settings > Log Monitoring > Bucket assignment. Ensure that the rule has higher priority than any other rules that might assign the app’s logs to a different bucket, such as Audit logs.
If no audit logs are visible and the privacy_audit bucket does not exist, there may be a bucket assignment rule that assigns the app’s audit logs to a different bucket than default_logs. In such cases, add an assignment rule that assigns the audit logs to default_logs and sets its priority higher than other rules.
With Privacy Rights, you can also create and manage request policies to enrich or filter request results, for example, to prevent the deletion of audit logs and compliance records.
When creating a policy, you can define its conditions using DQL. We suggest the following:
The parse command to extract personal data fields from your logs, such as a profile ID or IP address.
The filter command to exclude data that should not be deleted, such as audit logs or compliance records.
To use Privacy Rights, you need certain IAM permissions to make sure it functions correctly. You can grant these permissions by assigning them to a group with the following IAM policy:
ALLOW app-engine:apps:run WHERE shared:app-id = 'dynatrace.privacy.rights';
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete WHERE shared:app-id = 'dynatrace.privacy.rights';
ALLOW email:emails:send;
ALLOW storage:buckets:read;
ALLOW storage:logs:read;
ALLOW storage:logs:write;
This policy should be bound to the group as an environment policy. The group should also include the view logs permission for the environment. We recommend restricting app engine and app state permissions to the app ID, unless the user also needs access to other apps.
Privacy requests contain sensitive data, so you may want to restrict which users have access to Privacy Rights. To prevent users from being able to open the app or query its app state, while still granting them access to other platform apps, you can assign them to a group with the following policy:
ALLOW app-engine:apps:run WHERE shared:app-id != 'dynatrace.privacy.rights';
ALLOW state:app-states:read, state:app-states:write, state:app-states:delete WHERE shared:app-id != 'dynatrace.privacy.rights';
IAM policies are additive, so make sure that no other policies including the ALLOW app-engine:apps:run or ALLOW state:app-states:{read, write, delete} permissions (such as the default AppEngine - User policy) are active for these users.
They should also not be granted state-management:app-states:delete, which would allow them to delete requests, nor should they have read access to audit logs in the default_logs or privacy_audit buckets (depending on your chosen audit logging configuration).
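One way to check the additive-policy caveat above, as an added example that is not part of the Dynatrace documentation: the script parses statements in the policy syntax shown on this page and reports any that still grant the listed permissions for dynatrace.privacy.rights. The policy names, the broad sample statement, and the choice to flag any WHERE clause other than a single shared:app-id comparison are assumptions.

```python
import re

APP_ID = "dynatrace.privacy.rights"
# Permissions the page says restricted users must not hold for this app.
SENSITIVE = {"app-engine:apps:run", "state:app-states:read", "state:app-states:write",
             "state:app-states:delete", "state-management:app-states:delete"}
STATEMENT = re.compile(r"^ALLOW\s+(?P<perms>.+?)(?:\s+WHERE\s+(?P<cond>.+))?$", re.S)
APP_COND = re.compile(r"^shared:app-id\s*(?P<op>!=|=)\s*'(?P<val>[^']*)'$")

# Constructed sample: the restrictive policy from this page plus a hypothetical
# broad policy bound to the same user.
SAMPLE = {
    "exclude-privacy-rights": (
        "ALLOW app-engine:apps:run WHERE shared:app-id != 'dynatrace.privacy.rights';"
        "ALLOW state:app-states:read, state:app-states:write, state:app-states:delete "
        "WHERE shared:app-id != 'dynatrace.privacy.rights';"),
    "hypothetical-broad-policy": "ALLOW app-engine:apps:run;",
}


def covers_app(cond):
    """True if the WHERE clause (or its absence) lets a statement apply to APP_ID."""
    if cond is None:
        return True  # unconditional ALLOW applies to every app
    m = APP_COND.match(cond.strip())
    if not m:
        return True  # unrecognised condition: flag conservatively for manual review
    same = m.group("val") == APP_ID
    return same if m.group("op") == "=" else not same


def find_grants(policies):
    """Return sorted (policy, permission) pairs that still reach Privacy Rights."""
    hits = []
    for name, text in policies.items():
        for raw in filter(None, (s.strip() for s in text.split(";"))):
            m = STATEMENT.match(raw)
            if m and covers_app(m.group("cond")):
                perms = {p.strip() for p in m.group("perms").split(",")}
                hits += [(name, p) for p in sorted(perms & SENSITIVE)]
    return hits


if __name__ == "__main__":
    for name, perm in find_grants(SAMPLE):
        print(f"{name}: {perm} still reaches {APP_ID}")
```

Pass in the statement text of every policy bound to the restricted users' groups; an empty result means none of the parsed statements grants the app permissions for Privacy Rights.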