# Handling GDPR Data Deletion Requests with Automation

## Metadata

- **Channel:** n8n
- **YouTube:** https://www.youtube.com/watch?v=0Jtvp5gPDp8
- **Date:** 02.03.2022
- **Duration:** 15:30
- **Views:** 1,496

## Description

Getting a data deletion request can be a very time-consuming process if done manually. Thomas Martens shows how he created a workflow with n8n to handle GDPR data deletion requests using Slack, which is now saving him 3-4 hours per request!

This n8n workflow is completely free to use internally. Learn how to customize it for your own needs by watching this video.

Get the GDPR Deletion Request Workflow Template here: https://n8n.io/workflows/1455

----------------------------------------------------------------
About n8n
n8n is the leading low-code automation tool, and with over 250 integrations, n8n enables you to connect anything to everything. With n8n you can move beyond simple integrations to build multi-step workflows that combine both 3rd party APIs and your own internal tools to create easy-to-use automations. Thanks to its fair-code distribution model, n8n will always have visible source code, be available to self-host, is completely free for personal or internal use and allows you to add your own custom functions, logic, and apps.

Download: https://n8n.io/#get-started
Deploy: https://docs.n8n.io/getting-started/installation/
n8n Cloud: https://n8n.io/cloud

## Contents

### [0:00](https://www.youtube.com/watch?v=0Jtvp5gPDp8) Intro

Moving forward, we got Tom with us, who is going to talk about a pain point that he came across and how he solved that, and he's also going to help us learn a bit more about GDPR. So Tom, over to you.

Thanks so much, Harshal. Okay folks, the boring part starts now: we talk about, uh, laws and regulations. Let me share my screen and, uh, we'll dive right in. Um, it's not that many slides, and actually I'm not a lawyer, so it will be fairly short, don't worry. Um,

### [0:37](https://www.youtube.com/watch?v=0Jtvp5gPDp8&t=37s) What is GDPR

Just in case you're not familiar with GDPR, like, it's a term that has been in the news for quite a while. This is, like, an EU, European Union, regulation. GDPR stands for General Data Protection Regulation, um, but if you're not living in an English-speaking country you might know it under slightly different terms. Like, I've listed a few here, and there are many more, but I don't speak many more languages, so there you go.

The GDPR mostly grants certain rights to individuals, so we as a company and it and do have no benefits from ntn but lots of things we need to keep in mind, and that will be the same as soon as you process any personal data. Um, but you as a user can benefit from GDPR: you can ask companies to do something and they have no choice but to comply with your request, uh, and we'll go into what this would be in a second.

Uh, it has also been, like, uh, mocked by a lot of people, but has been quite a success actually. There are a few international regulations that mimic most of the GDPR features. If you live in California you might have come across the CCPA; Virginia is currently, I think, on the road to releasing their CBPA; and they all cover kind of similar things. So, um, even if you don't have GDPR yet in your country, this might become relevant eventually for you.

### [1:57](https://www.youtube.com/watch?v=0Jtvp5gPDp8&t=117s) The Right to be Forgotten

Now, what we care about: this, and this is now my very personal perspective on this. Individuals have the right to request the erasure of the personal data from companies, organizations, government agencies and so on. This is also known as the right to be forgotten. So if you don't like us storing your data, you can come to us and say, hey, please delete my personal information. We then have a deadline of one month in total, um, and that is because we're the data controller, right? So you give us your personal data and we control it. We might, um, give it on to subcontractors to further process it, but we still have the obligation to make sure it gets deleted within a month. There are some extensions possible, but I'm not a lawyer, and the gist that I learned after reading through this is: you have one month, and don't even try to get these extensions. Um, so that's the deadline we have.

Non-compliance can be very expensive. Um, so I've listed the fines there: it's up to 20 million or four percent in annual revenue of the company, whatever is more. So it can be quite expensive, though I have not heard of the highest, uh, fines being issued in the past.

And one thing that I've noticed over the last month was that it's a business, it has become a business. There are service providers out there that help you enforce these rights. So one of the service providers would scan your email inbox for any suspicious messages from companies and would then email the companies for you and request the data deletion for you. And on the same side, the very same service provider would go to companies and say, hey, do you need any help with, uh, data deletion? We can assist with that if you pay us money. So, um, yeah, it has

### [3:37](https://www.youtube.com/watch?v=0Jtvp5gPDp8&t=217s) The Timeline

become a business, and that has, uh, led to a noticeable increase.

Now, uh, how did we deal with this? Um, this is a timeline. On the left you see Monday, Tuesday, Wednesday, Thursday. Obviously this represents four random days, not all requests come in on a Monday, but it kind of realistically represents the timeline we have. Um, so Monday a request might come in, and I would then just read the email, acknowledge the request, go to the nicest services that have a pleasant UI where data deletion isn't really a problem. Um, next I might reach out to other teams that control their own databases and services and say, hey guys, can you please delete this, uh, the data related to this user ID. Uh, then a whole day is reserved to deal with nasty services, and there are quite some. You wouldn't believe that there are services that don't let you search users by email address or by any ID you use internally, but require using their own ID. Um, so just very few services make it very slow sometimes. And on day four, which is usually the timeline we were looking at, the stuff is done, confirm deletion, all good. On the right you see, like, some of the screenshots from my internal documentation.

Um, as you can imagine, this was quite a lengthy process and not much fun. So here's a few reasons why the old process wasn't much fun, wasn't great.

It's error-prone. So you might imagine, when dealing with lots of IDs, lots of different numeric IDs might all look similar, it's easy to mix them up even when copying. When working with email addresses, just imagine you leave, like, a white space at the beginning of a field or the end of a field; that obviously will no longer match a user record when talking databases. So, um, simple: we're humans, lots of human work is involved, there's lots of room for errors.

It's also slow, for obvious reasons, because, well, there is, uh, other stuff to do, not just deleting data.

And it's also intransparent, um, because, uh, like, imagine I start on a Monday, then get sick on Tuesday: like, no one knows what has been done with this deletion request, uh, what needs to be done. There is also typically no log at the end of what has happened, when something has happened. So it's very intransparent, and now obviously, working at n8n, we couldn't keep it like this. So how does the new process look?

### [5:51](https://www.youtube.com/watch?v=0Jtvp5gPDp8&t=351s) The New Process

I'm like, I wanted to switch. That's it. So it has become a simple slash command, and, um, uh, now deletion is as simple as issuing this, uh, Slack command. And I suppose this is very boring to show, so let's, uh, do a quick demo.

This is the wonderful workflow. Um, it looks a bit convoluted, but the part on the left is mostly handling Slack commands and keeping it flexible commands. So let's see, actually run the workflow, and now let's request data deletion. As I said, this will be the command, and we have little Wally here confirming that he's on it. I really like Wally because he's cleaning up stuff, and that's exactly what the workflow does.

You know, switching to the workflow, uh, we can see that it has received the slash command. The first step then is some basic validation. So Slack does attach a unique token to each request, and that can be used by receiving servers to validate the request, right? So I'm just comparing tokens here. Um, then I use the Set node to format my data a bit, and that is because the information coming from Slack is very comprehensive, right? Lots of data I'm not interested in, I don't really want to work with, it's just confusing me. So I'm using a Set node here to simplify it, basically, in an operation and then an email, because that's all I need to know here at this stage.

And then I use a Switch node, and the idea is to keep this workflow easily extendable. So what this workflow does is it reads the operation, and then depending on which operation has been selected it routes the execution to one of the outputs. So far it only supports the delete operation, but it can easily be extended, right? So you could easily add a new rule to also process information requests, or whatever you have in mind, by just connecting it to another output. And all of these paths also have error handling, so if at any stage validation fails, um, I would send an error back just to let the user know. Or in this case, like, if the token fails I'm just responding with an empty body, but, uh, in all other cases you would get a nice and talking error, like, telling me this email address has not been found, telling the user how to actually do this.

Now let's assume everything is working, like here. Um, we just acknowledge the request, this is the first Wally message saying that's it. We then call sub-workflows, and this is what I really enjoyed about working with n8n here, and all these sub-workflows process the deletion in a single service. So this workflow is easily extendable and also customizable. Imagine I no longer want to, uh, we're no longer using customer.io: I can simply remove this node and the workflow would still work as expected, right? There is not much more to it. If you need to integrate a new service, you can also execute another workflow, another sub-workflow here, and doing this using the Execute Workflow node. This is, like, a powerful node that just runs a sub-workflow, and it keeps it nice and clean.

And now, after all these sub-workflows have executed, I'm just preparing a nice log entry. I'm then hashing the email address, and, uh, why do I do this? Obviously, um, I want to keep a record of what I've done, right? When the manager, Max, comes through: sorry Tom, what have you done last week? Uh, like, uh, it's like, nothing really, or, I've deleted data but I'm not allowed to keep logs of it. Um, so to not run into this situation I actually do keep logs, but, uh, without personal information. So what I'm doing here is I'm calculating a hash value based on the email address, and this is the value we'll use thereafter. This also helps in case something does come up.

So this wasn't just my work, this is a collaboration workflow, too. Mazina and John, both from the n8n team, have helped here. They have worked on each of the sub-workflows, on getting some of the legal information around this. And one of the problems we really had was, okay, what do we do about our affiliates? So people who would usually get money from us, they might reach out and say, like, hey, can you please delete my data, and now what, does this automatically end the business relationship or not? So these were questions that had to be answered. Turns out, in case you're curious, yes: if you ask a business partner to delete all your personal data, you're no longer a business partner. You can no longer expect to get paid because there is no more data for your file. Um, well, in case complaints come in later and say, okay, why did I not get paid, I could again calculate this hash value and say, okay, that's because you have deleted the data deletion a few weeks ago, a few months ago, or whatever.

And then the last steps are really simple. I append this data to Airtable, which is where I keep my log in this case, and then respond to Slack. Now the response looks like this, so you can see, like, uh, has finished, shows me the status with a nice green check mark if it went okay (actually it's called white tick, um) or red cross and a red X if it failed, and also has, like, a deep link to the Airtable log. So we can take a look at how that looks like. So here we have the email hash as the unique identifier, keeps notes of all the data that has been deleted, and this would also be where it would log any problems. So we will take a very brief look in one of the sub-workflows in a second. In case any problems would have come up, this result would not have been "done" but instead it would say "error", and the notes field would contain details of the errors. You can obviously, um, like, customize the logs if you have more in-depth requirements, but I think for now this is a good enough process.

Now, I said customizable, teamwork. This is a single workflow, but there are also lots of these sub-workflows, and they are what, uh, was really fun about this process. So let's open the Zendesk workflow here. So you can see, this is how one of these sub-workflows look like that delete data, and, um, you can see, this is actually a credit to John here. I've deleted the actual deletion, disabled the actual deletion, just to make sure I'm not accidentally deleting any data while demoing this. But you can see, like, this first node again sets the incoming data. It, uh, also sets some dummy data in case, uh, which is a really cool feature of n8n, and it lets you use JavaScript, so I can run the sub-workflow on its own if I wanted to test or debug it without triggering from the parent workflow. So what I'm doing here is, I said, I take over the email field that I get from the parent, but if it doesn't come through I just set my dummy email address here, just something to work with, so this workflow would be able to run.

And then it's just like any other workflow, no dark magic here. First checking if this is a delete operation; if not, return an error. Checking if the user exists; if not, return success, because technically, um, not every, uh, user might exist in Zendesk, right? So a non-existing user is a success case from the deletion point of view: like, don't have anything to delete, this was still a success, no error. Um, and, uh, afterwards I delete all my data. I'm not doing that here, actually, but, uh, in the real world I obviously would delete data here for real requests. So if you ever reach out, I promise I will delete your data, but, uh, I'm not doing a demo. And that's basically the idea.

So, um, to just reiterate on these key points for collaboration that I've just mentioned, um, how we split up the work was: we use sub-workflows for each of the services that we need to delete data from. We agreed on a consistent data structure, so we defined how does incoming data for each sub-workflow look like, how is the outgoing. And keeping it readable. That said, I have some nodes with the default names, but most of the nodes do have readable names that just describe what they do. So avoid keeping nodes that are just called HTTP Request or IF without anything else. So

### [13:45](https://www.youtube.com/watch?v=0Jtvp5gPDp8&t=825s) Next Steps

where to go from here is my final slide, and, uh, then you know all about my GDPR deletion approaches here.

Um, uh, one thing I was thinking about was implement additional GDPR processors. You've already seen this Switch node that I'm using. Um, but funnily, I have not seen a single information request coming in to n8n, and it would be rather boring. If you've ever signed up to any of the services, like if you use n8n cloud, we ask for an email address and a nickname and that's it, right? There is no exciting data to request. I suppose that's why no one would ask for that. Um, please don't ask for this now, because lots of work for me.

Um, second thing is build a UI. Like, I personally love slash commands, but not everyone else might. Um, so I was thinking maybe a simple form. Uh, teflon dude has already shown that in a previous community meetup, which is really cool, how to serve simple forms with n8n, so was thinking about making that possible.

And the last thing is connect to manual operations. So not every team you're working with might want you to update their production database, so the idea was, um, you can now send out Slack messages from n8n, or Mattermost messages, that attach buttons where people can confirm once they have done something, and this is something I wanted to work on next. And that's how we currently handle the car deletion at n8n you

---
*Source: https://ekstraktznaniy.ru/video/15724*