Responding to a legal demand for data¶
Trigger: a court order, subpoena, law enforcement request, intelligence agency request, or regulatory demand has arrived, requiring disclosure, preservation, or access to data.
Do not comply without legal review. Do not delete anything. Do not tell anyone about the demand if it carries a non-disclosure obligation, as many do.
Get legal counsel before responding¶
The scope of what has to be disclosed, the legal validity of the demand, the jurisdiction it originates from, and whether a non-disclosure order applies are all questions for a solicitor or equivalent legal adviser.
In-house legal counsel is the first call. Failing that, engage external counsel immediately. The compliance timeframe is often tight but rarely so short that legal advice cannot come first.
Do not destroy anything¶
Destroying data after a legal hold notice is contempt of court or an obstruction offence in most jurisdictions. Even data that would ordinarily be deleted under a retention policy has to be preserved once a demand arrives.
Suspend any automated deletion that might apply to data covered by the demand. Document the date the demand arrived and the date deletion was suspended.
Assess the scope¶
With legal advice, determine:
Which authority issued the demand, and does it have jurisdiction over the organisation?
What data does the demand cover, precisely?
Does it require disclosure (handing over data), preservation (keeping it but not yet disclosing), or access (allowing inspection)?
Does it contain a non-disclosure order preventing the data subject from being informed?
What is the deadline for compliance?
Demands are sometimes overbroad. Legal counsel can assess whether the scope is proportionate and, where applicable, challenge or negotiate it.
Assess notification obligations¶
In many EU jurisdictions there is an obligation to inform a data subject when their data is disclosed to third parties, unless a court order specifically prohibits it. Intelligence and national security demands frequently carry such prohibitions, often by default. A legal adviser can confirm what applies.
Where notification is permitted and required, the breach response runbook covers communication with affected individuals.
Respond within scope¶
With legal advice in hand, respond only within the scope actually required. Voluntary disclosure beyond the minimum is not obligatory and creates additional exposure.
Document what was disclosed, to whom, when, and under what authority. That record serves both the legal file and any later accountability review.
After the demand is resolved¶
Review whether the demand exposed a data-holdings gap, data held that need not have been, and update the data audit and retention policies accordingly (see the data audit playbook).
If the demand came as a surprise because the data map was incomplete, treat it as a prompt to improve visibility into what is held and where.
Last reviewed: 2026-07-08.