Data subject request response¶
Trigger: a GDPR data subject access request (SAR), a deletion request, a portability request, or an objection to processing has arrived. These are legal rights, and a response is required.
The clock starts when a request recognisable as such is received. The deadline is one calendar month. Extensions of two further months are available for complex or numerous requests, but the requester has to be notified within the first month if one is used.
Verify the requester’s identity¶
Before disclosing anything, confirm the request comes from the person it claims to. This is a proportionate step to stop a bad actor extracting someone else’s data by impersonation.
Proportionate means verification commensurate with the sensitivity of the data. For a low-risk request, confirming the registered email address is usually enough. For sensitive or high-volume data, a copy of identity documentation may be warranted.
Where it is simple, complete it quickly.
Identify what data is held¶
Search across every system that may hold data about the person, including:
The primary database or CRM
Email archives (search the name and email address)
Support ticketing systems
Marketing and analytics platforms
Backups, yes, including these
Any third-party processors the data has been shared with
A data audit run beforehand means the locations are already known. Failing that, see the data audit playbook.
Prepare the response¶
For an access request: compile the data into a readable format. GDPR requires the categories of data, the purposes of processing, any third parties it has been shared with, the source if not collected directly, and the retention period.
No particular format is mandated, but it has to be accessible and clear. A compressed archive of raw database exports is not an appropriate response.
Redact any third-party personal data in the records before disclosing: where records include emails sent by other people, those people’s data is protected too.
For a deletion request: identify what can be deleted and what has to be retained for legal reasons (legal obligation, ongoing contract). Delete what can be deleted, and tell the requester what was retained and why.
For a portability request: provide the data in a structured, commonly used, machine-readable format (CSV is acceptable; a PDF is not).
Respond formally¶
Send a written response within the deadline, including:
Confirmation that the request was received.
The data provided (for SARs), or confirmation of the deletion or action taken.
An explanation of any data withheld and the legal basis for withholding it.
The requester’s right to complain to a supervisory authority if unsatisfied.
Document everything¶
Record the date the request arrived, the identity verification performed, the data located, the response sent, and the date it went out. This record is required if the supervisory authority later asks for a demonstration of compliance.
Last reviewed: 2026-07-08.