Skip to main content
What is a data request?
Blog

What is a data request?

By 13. June 2023May 29th, 2024No Comments

What is a data request?

A data request can be any type of formal or informal communication asking about specific information you store or control. How you respond will depend on who is making the request and the nature of the data they ask you for.

This blog is about what a GDPR data request is, what the rules are for it and how you should behave if your company receive one.

Types of data requests

Data requests can vary depending on the context and specific application, but generally, they can be categorized into the following types:

  1. Internal data requests: operational data, financial data, and personnel data
  2. External data requests: customer data, supplier data, and market data
  3. Public data requests: FOIA requests (Freedom of Information Act) and statistical data
  4. Research and academic data requests: surveys, interviews, and reports
  5. Technical data requests: log files, system data, and sensor data
  6. Data requests for data science and analysis: datasets for analysis and big data
  7. Data requests for protection and security: GDPR data requests and security data

This blog will specifically focus on GDPR data requests.

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

Read more

GDPR data requests

As mentioned earlier, companies operating in the European Union must respond to data requests about personal data. Under the provisions of the General Data Protection Regulation (GDPR), people own the rights to their own data. This means, to a large extent, that they can control what you do with it. GDPR data requests people can make include asking you to:

  1. Tell them about the information you have about them
  2. Correct or update data about them
  3. Restrict processing of their data in specific situations
  4. Stop processing their personal data for specific purposes
  5. Not subject them to automated decision-making/profiling
  6. Delete their data/forget them
  7. Transfer their data to someone else

In short, these GDPR requests give people a lot of power over their data. People can withdraw their consent for you to have their data altogether. They can restrict what you do with it, ask you to forward it to another company, and more. How should you handle these requests?

Responding to GDPR data requests

To respond to any data request that you think may fall into the category of a GDPR request, follow these 3 steps:

All data requests

  1. Assess the request. There is no required format or channel for a GDPR data request to be valid. It’s up to you to spot them and identify them as data subject access requests.
  2. Verify the identity of the requester. Before looking up and sending any personal information to a requester, make sure they are who they claim to be.
  3. Locate the requested information. Find and compile all the personal data you store that is relevant to the person and their request.

After these 3 steps, what you do next will depend on the type of request.

Access requests

  1. Prepare the requested information.
  2. Make sure it is accurate and complete.
  3. Send it back securely.

Rectification Requests

  1. Assess the validity of the request and determine if the personal data in question is inaccurate, incomplete, or requires updating.
  2. Rectify the data. Correct or update the personal data as requested and ensure that the changes are accurately reflected in all relevant systems or records.
  3. Communicate the outcome. Inform the requester of the actions taken to rectify the personal data and any relevant updates.

Erasure Requests

  1. Evaluate the request. Determine if the conditions for erasure are met (e.g., the data is no longer necessary, withdrawal of consent, unlawful processing).
  2. Assess exemptions. Consider any legal exemptions or retention obligations that may apply to the requested data.
  3. Delete or anonymise the data. If the erasure request is valid, proceed to delete or anonymise the personal data, ensuring it is no longer identifiable or traceable.
  4. Confirm erasure. Inform the requester that their personal data has been deleted or anonymised, unless any legal or practical limitations prevent complete erasure.

Objection requests

    1. Evaluate the objection. Assess the grounds on which the objection is based and review the specific processing activities in question.
    2. Balance interests. Consider your legitimate interests vs. the rights and freedoms of the individual. Determine whether the objection is valid and whether you should really stop processing the data.
    3. Communicate your decision. Inform the requester of the outcome of the objection and any actions taken as a result, providing a clear explanation of the decision.

Finally, document and maintain records of all requests you receive and the actions you take to respond to them. Those records will demonstrate compliance with your data protection obligations.

While it’s important to comply with the law as well as be transparent with your customers, investors and others; make sure you also protect your company’s interests when someone asks you for data. If in doubt, consult with professionals who understand the legal requirements in your jurisdiction. This will help you make an informed decision on what to share and what to protect.

Get our Newsletter!

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

Never miss a data request

Generally, the timeline to respond to data requests will be 30 days. Here are a few things you can do to make sure you never miss a request and manage all of them effectively:

  1. Establish clear procedures: First, decide how you will handle data requests. Then, create a policy that clearly outlines the steps to be taken from the initial receipt of a request to its completion.
  2. Educate your employees: Train your staff to recognise GDPR data requests. Make sure everyone understands the timeline for responding to them and knows how to do so.
  3. Designate a point of contact: For example, this could be a dedicated email inbox, a specific person, or a team. Alternatively, you can set up a request portal that receives requests for you.
  4. Create a centralised system: Set up a system to track and manage data requests. Getting special software designed for request management makes the whole process much easier. Such software can log, assign, and track the progress of each request and remind you to respond to it.
  5. Automate reminders and notifications: Use calendar reminders or your request management software to alert you when you need to process a request. Additionally, request management software can notify the requester that you have received their message and are working on it.

Finally, make sure you regularly review and update your processes and policies. Take into account things like customer and employee feedback and any changes in data protection regulations.

Data request management software

It takes an average of 30-40 hours per request to handle a data request manually. As we mentioned above, using request management software can reduce this time significantly by simplifying the whole request process from start to finish. That’s why we created RequestManager for small and medium businesses to handle data requests.

With RequestManager, you get a request portal that collects, verifies, and logs the data requests you receive. Each request shows up on your dashboard, organised by its due date. Then, SMS and email verifications help you check the requester’s identity. Meanwhile, the person automatically gets a notification that you received their request and are working on it. You get reminders to respond on time and help to collect the data and send it back securely. Finally, everything is logged to demonstrate compliance.

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →

GUIDE

How to handle sensitive personal data

GUIDE

How to find personal data with datamapping tool

GUIDE

How to prepare for a data audit