Data subject request response

Trigger: you have received a GDPR data subject access request (SAR), a deletion request, a portability request, or an objection to processing. These are legal rights. You are required to respond.

The clock starts when you receive a request you can recognise as such. The deadline is one calendar month. Extensions of two further months are available for complex or numerous requests, but you must notify the requester within the first month if you are using one.

Verify the requester’s identity

Before disclosing anything, confirm that the request really comes from the person it claims to be from. Identity verification is the proportionate control that stops an impersonator from using a subject access request to extract someone else’s data.

Proportionate verification means asking for confirmation that is commensurate with the sensitivity of the data. For a low-risk request, confirming that the request came from, or can be answered to, the email address registered on the person’s account is usually sufficient. For a request involving sensitive or high-volume data, you may request a copy of identity documentation.

Do not use verification as a delay tactic. If verification is simple, complete it quickly.

Identify what data you hold

Search across every system that may hold data about this person. This includes:

  • Your primary database or CRM

  • Email archives (search for their name and email address)

  • Support ticketing systems

  • Marketing and analytics platforms

  • Backups (yes, including these)

  • Any third-party processors you have shared their data with

A data audit run beforehand means you already know where to look. If you have not done one, see the data audit playbook.

Prepare the response

For an access request: compile the data into a readable format. GDPR requires you to provide the categories of data, the purposes for which it is processed, any third parties it has been shared with, the source of the data if not collected directly, and the retention period.

You do not need to provide it in a particular format, but it must be accessible and clear. A compressed archive of raw database exports is not an appropriate response.

Redact any third-party personal data present in the records before disclosing: if your records include emails that were sent by other people, those people’s data is protected too.

For a deletion request: identify what can be deleted and what must be retained for legal reasons (legal obligation, ongoing contract). Delete what can be deleted. Inform the requester of what you have retained and why.

For a portability request: provide the data in a structured, commonly used, machine-readable format (CSV is acceptable; a PDF is not).

Respond formally

Send a written response within the deadline. Include:

  • Confirmation that you have received the request.

  • The data provided (for SARs) or confirmation of deletion/action taken.

  • An explanation of any data withheld and the legal basis for withholding it.

  • Information about the requester’s right to complain to a supervisory authority if they are not satisfied with the response.

Document everything

Record: the date the request was received, the identity verification performed, the data located, the response sent, and the date it was sent. This record is required if the supervisory authority later asks you to demonstrate compliance.