The short answer: When you receive a data request, you must respond promptly and in a structured manner. First, acknowledge receipt and make sure the requester is who they claim to be. Then, identify and deliver the relevant personal data, securely and within one month of receipt (GDPR Article 12(3) allows two further months for complex or numerous requests, provided you tell the requester within the first month). This requires a clear overview of your data, defined procedures, and the ability to document the entire process.
What is a data request?
A data request can be any formal or informal enquiry about specific information you store. How you should respond depends on who is making the request and the nature of the data being requested.
This blog explains what a GDPR data request is, what the legal rules are, and how your organisation should handle such a request.
Did you know that data leaks involving personal data lead to customer loss and affect business sustainability?
Ponemon Institute
Types of data requests
Data requests can vary depending on the context and specific application, but generally, they can be categorized into the following types:
- Internal data requests: operational data, financial data, and personnel data
- External data requests: customer data, supplier data, and market data
- Public data requests: FOIA requests (Freedom of Information Act) and statistical data
- Research and academic data requests: surveys, interviews, and reports
- Technical data requests: log files, system data, and sensor data
- Data requests for data science and analysis: datasets for analysis and big data
- Data requests for protection and security: GDPR data requests and security data
This blog will specifically focus on GDPR data requests.
GDPR data requests
As mentioned earlier, organisations established in the EU, and organisations elsewhere that process the personal data of people in the EU, must respond to data requests about that data. Under the General Data Protection Regulation (GDPR), individuals (the "data subjects") hold a set of enforceable rights over personal data that concerns them. This means, to a large extent, that they can control what you do with it. GDPR data requests people can make include asking you to:
- Tell them what information you hold about them (right of access)
- Correct or update data about them (right to rectification)
- Restrict processing of their data in specific situations (right to restriction)
- Stop processing their personal data for specific purposes (right to object)
- Not subject them to decisions based solely on automated processing, including profiling
- Delete their data/forget them (right to erasure)
- Transfer their data to them or to another controller in a machine-readable format (right to data portability)
In short, these GDPR requests give people a lot of power over their data. Where your processing relies on consent, they can withdraw that consent altogether. They can restrict what you do with their data, ask you to forward it to another company, and more. How should you handle these requests?
Responding to GDPR data requests
To respond to any data request that you think may fall into the category of a GDPR request, follow these 3 steps:
All data requests
- Assess the request. There is no required format or channel for a GDPR data request to be valid: it can arrive by email, letter, phone, social media or a web form, and it does not need to mention the GDPR. It is up to you to spot such messages and identify them as data subject requests, and to work out which right is being exercised.
- Verify the identity of the requester. Before looking up and sending any personal information, make sure the requester is who they claim to be; otherwise the request itself becomes a way to leak data. Article 12(6) lets you ask for additional information only where you have reasonable doubts, so ask for what you need and no more: confirming through contact details you already hold on file (for example a one-time code sent to the registered email address or phone number) is usually proportionate, and a copy of an identity document rarely is. Do not send the response to an address that arrived only with the request until you have confirmed it belongs to the data subject.
- Locate the requested information. Find and compile all the personal data you hold that relates to the person and their request, including data held on your behalf by processors and in secondary systems such as backups, exports and support tools.
After these 3 steps, what you do next will depend on the type of request.
Access requests
- Prepare the requested information, together with the supplementary details Article 15 requires: the purposes of processing, the categories of data, the recipients, the retention period (or the criteria used to set it), the source of the data, and the existence of any automated decision-making.
- Make sure it is accurate and complete. Where the data also identifies other people, redact or withhold their details if disclosure would adversely affect their rights (Article 15(4)).
- Send it back securely, for example through an encrypted portal or an encrypted archive whose password travels by a separate channel, and only to an address you have verified. Record what was sent, to whom, and when.
Rectification Requests
- Assess the validity of the request and determine whether the personal data in question is inaccurate, incomplete, or requires updating.
- Rectify the data. Correct or update the personal data as requested and ensure that the changes are reflected in all relevant systems and records, including those of your processors. Article 19 also requires you to pass the correction on to each recipient you have disclosed the data to, unless that proves impossible or involves disproportionate effort.
- Communicate the outcome. Inform the requester of the actions taken to rectify the personal data and, if they ask, which recipients were notified.
Erasure Requests
- Evaluate the request. Determine whether one of the grounds for erasure in Article 17(1) applies (e.g., the data is no longer necessary for its purpose, consent has been withdrawn and there is no other legal basis, the processing was unlawful, or a valid objection has been made).
- Assess exemptions. Consider any legal exemptions or retention obligations that may apply to the requested data, such as accounting, tax or employment law, or an ongoing legal dispute (Article 17(3)).
- Delete or anonymise the data. If the erasure request is valid, delete or anonymise the personal data so that it is no longer identifiable or traceable. Cover every copy: production systems, processors acting on your behalf, exports, and backups (if backups cannot be edited, flag the record so it is not silently restored later). As with rectification, notify recipients you have shared the data with (Article 19).
- Confirm erasure. Inform the requester that their personal data has been deleted or anonymised, or, where a legal or practical limitation prevents complete erasure, explain what was retained and on what basis.
Objection requests
- Evaluate the objection. Establish the grounds on which the objection is based and review the specific processing activities in question.
- Balance interests. For objections to direct marketing there is nothing to balance: Article 21(2) and (3) require you to stop that processing as soon as the objection is received. For processing based on legitimate interests or a public task, the burden is on you: you may continue only if you can demonstrate compelling legitimate grounds that override the individual's interests, rights and freedoms, or that the processing is needed to establish, exercise or defend legal claims. Otherwise you must stop.
- Communicate your decision. Inform the requester of the outcome of the objection and any actions taken as a result, providing a clear explanation of the decision and, where you refuse, of their right to complain to a supervisory authority.
Finally, document and maintain records of all requests you receive and the actions you take to respond to them. Those records will demonstrate compliance with your data protection obligations.
While it is important to comply with the law and to be transparent with your customers, investors and others, make sure you also protect your company's interests when someone asks you for data. If in doubt, consult professionals who understand the legal requirements in your jurisdiction. This will help you make an informed decision on what to share and what to protect.
Never miss a data request
Generally, you have one month from receipt to respond to a data request (Article 12(3)), extendable by two further months for complex or numerous requests if you inform the requester within the first month. Here are a few things you can do to make sure you never miss a request and manage all of them effectively:
- Establish clear procedures: First, decide how you will handle data requests. Then, create a policy that clearly outlines the steps to be taken from the initial receipt of a request to its completion.
- Educate your employees: Train your staff to recognise GDPR data requests. Make sure everyone understands the timeline for responding to them and knows how to do so.
- Designate a point of contact: For example, this could be a dedicated email inbox, a specific person, or a team. Alternatively, you can set up a request portal that receives requests for you.
- Create a centralised system: Set up a system to track and manage data requests. Dedicated request-management software makes the whole process much easier: it can log, assign, and track the progress of each request, record the receipt date and the resulting deadline, and remind you to respond in time.
- Automate reminders and notifications: Use calendar reminders or your request management software to alert you when you need to process a request. Additionally, request management software can notify the requester that you have received their message and are working on it.
Finally, make sure you regularly review and update your processes and policies. Take into account things like customer and employee feedback and any changes in data protection regulations.
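The three common steps above (spot the request, verify the requester, then look up the data) and the deadline tracking in this section can be sketched as plain code. The block below is an added example for this article, not Safe Online's RequestManager code or anyone's production system. Everything in it is an assumption chosen for illustration: the `SIGNING_KEY`, the 24-hour `CHALLENGE_TTL`, the `DSR-0001` request ID scheme and the `alice@example.com` contact. Two points it shows that the text alone does not: the verification token is keyed to the contact details already on file, so only someone controlling that mailbox or phone can echo it back, and the one-month deadline is computed on the calendar rather than as 30 days, so a request received on 31 January is due on 28 or 29 February.

```python
"""Added example, not part of the original article or of any vendor's product.
Assumed for illustration: a per-deployment HMAC key, a 24-hour token lifetime,
and a request ID scheme of the form DSR-0001."""
import calendar
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed, constructed for this example. In production the key lives in a
# secrets store and is rotated; the validity window is a policy choice.
SIGNING_KEY = b"example-signing-key-replace-me"
CHALLENGE_TTL = timedelta(hours=24)


def add_months(dt: datetime, months: int) -> datetime:
    """Same calendar day `months` later, clamped to the last day of the target
    month when that day does not exist (31 Jan + 1 month -> 28 or 29 Feb)."""
    index = dt.month - 1 + months
    year, month = dt.year + index // 12, index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def response_deadline(received: datetime, extended: bool = False) -> datetime:
    """Art. 12(3) GDPR: respond within one month of receipt; for complex or
    numerous requests this may be extended by two further months, but the
    requester must be told of the extension within the first month."""
    return add_months(received, 3 if extended else 1)


def issue_challenge(request_id: str, contact_on_file: str, now: datetime) -> str:
    """Create a time-limited token to be sent (outside this example) to the
    contact details you ALREADY hold for the data subject, not to whatever
    address the request arrived from. Only someone who controls that channel
    can echo the token back, which is what verifying the requester means here."""
    expires = int((now + CHALLENGE_TTL).timestamp())
    msg = f"{request_id}|{contact_on_file}|{expires}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{expires}.{sig}"


def verify_challenge(request_id: str, contact_on_file: str, token: str, now: datetime) -> bool:
    """Accept the token only if it is well-formed, unexpired, bound to this
    request and contact, and the MAC matches (compared in constant time)."""
    try:
        expires_str, sig = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False
    if now.timestamp() > expires:
        return False
    msg = f"{request_id}|{contact_on_file}|{expires}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), sig.encode())


@dataclass
class RequestRecord:
    """Minimal audit trail: each step is timestamped so you can later show when
    the request came in, when identity was confirmed, and what the deadline was."""
    request_id: str
    received: datetime
    deadline: datetime
    verified: bool = False
    events: list = field(default_factory=list)

    def log(self, when: datetime, what: str) -> None:
        self.events.append((when.isoformat(), what))


def open_request(request_id: str, received: datetime) -> RequestRecord:
    """Step 1: register the request and fix the statutory deadline from the receipt date."""
    rec = RequestRecord(request_id, received, response_deadline(received))
    rec.log(received, f"received; respond by {rec.deadline.date().isoformat()}")
    return rec


def confirm_identity(rec: RequestRecord, contact_on_file: str, token: str, now: datetime) -> bool:
    """Step 2: gate the data lookup on a successful challenge; log the outcome either way."""
    rec.verified = verify_challenge(rec.request_id, contact_on_file, token, now)
    rec.log(now, "identity verified" if rec.verified else "identity check failed")
    return rec.verified


if __name__ == "__main__":
    # Constructed sample: a request received on 31 January 2024 (a leap year).
    t0 = datetime(2024, 1, 31, 9, 0, tzinfo=timezone.utc)
    rec = open_request("DSR-0001", t0)
    token = issue_challenge(rec.request_id, "alice@example.com", t0)
    confirm_identity(rec, "alice@example.com", token, t0 + timedelta(hours=2))
    for when, what in rec.events:
        print(when, what)
```

Only after `confirm_identity` returns true should the lookup (step 3) run, and the `events` list is what you would keep as the record of the request. A token echoed from a different request ID, a different contact, a tampered signature, or after the 24-hour window is rejected.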
Need help responding to data requests?
To demonstrate compliance, you must not only respond to data subject requests in a timely and complete manner – you must also document every step of the process. At Safe Online, we’ve developed RequestManager to help you manage data requests efficiently. RequestManager provides a dedicated request portal that collects, verifies, and logs all incoming data requests. Each request appears on your dashboard, organised by its deadline. SMS and email confirmations help you verify the identity of the requester. You’ll also receive reminders to respond on time and support in collecting and securely returning the relevant data.
Sebastian Allerelli
Founder & COO at Safe Online
Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.