
What is a data request?

A data request can be any type of formal or informal communication asking about specific information you store or control. How you respond will depend on who is making the request and the nature of the data they ask you for.

While it’s important to comply with the law and to be transparent with your customers, investors and others, make sure you also protect your company’s interests when someone asks you for data. If in doubt, consult professionals who understand the legal requirements in your jurisdiction. This will help you make an informed decision on what to share and what to protect.

Types of data requests

Suppose a researcher or a journalist asks you for data about your company. For instance, they may ask about your customer demographics or about products you are developing. If it is not confidential data or a trade secret, you might choose to give them the information they ask for as a courtesy, or to promote your business.

In some cases, you might disclose company data on request to further a business deal. Suppose someone is interested in investing in your company or partnering with you on a venture. They may ask you for data including business plans, financial reports, sales figures, and more. In this situation, how much information you share would be at your own discretion. You will want to strike a balance between providing sufficient information to encourage the investor and protecting sensitive or confidential information.

On the other hand, if a government agency or regulatory body asks you for information, you may be required to provide it. They might request data from you for investigations, audits, or compliance purposes. These requests can be formal, such as subpoenas or court orders, or informal, like a written request for specific data. Usually, you will comply with such requests, even if they include data you would normally keep confidential.

Finally, an individual may ask you for their own data, that is, information relating to themselves. Make sure you answer these requests promptly. This type of data request is called a data subject access request (DSR/DSAR). Data protection laws like GDPR give people the right to access their personal data in this way. So regardless of the person’s reason for requesting access to their data, you will usually have to comply. Let’s talk more about GDPR requests and how to handle them.


GDPR data requests

As mentioned earlier, companies operating in the European Union must respond to data requests about personal data. Under the provisions of the General Data Protection Regulation (GDPR), people own the rights to their own data. This means, to a large extent, that they can control what you do with it. GDPR data requests people can make include asking you to:

  1. Tell them about the information you have about them
  2. Correct or update data about them
  3. Restrict processing of their data in specific situations
  4. Stop processing their personal data for specific purposes
  5. Not subject them to automated decision-making/profiling
  6. Delete their data/forget them
  7. Transfer their data to someone else

In short, these GDPR requests give people a lot of power over their data. People can withdraw their consent for you to have their data altogether. They can restrict what you do with it, ask you to forward it to another company, and more. How should you handle these requests?

Responding to GDPR data requests

To respond to any data request that you think may fall into the category of a GDPR request, follow these 3 steps:

All data requests

  1. Assess the request. There is no required format or channel for a GDPR data request to be valid. It’s up to you to spot them and identify them as data subject access requests.
  2. Verify the identity of the requester. Before looking up and sending any personal information to a requester, make sure they are who they claim to be.
  3. Locate the requested information. Find and compile all the personal data you store that is relevant to the person and their request.

After these 3 steps, what you do next will depend on the type of request.

Access requests

  1. Prepare the requested information.
  2. Make sure it is accurate and complete.
  3. Send it back securely.

Rectification Requests

  1. Assess the validity of the request and determine if the personal data in question is inaccurate, incomplete, or requires updating.
  2. Rectify the data. Correct or update the personal data as requested and ensure that the changes are accurately reflected in all relevant systems or records.
  3. Communicate the outcome. Inform the requester of the actions taken to rectify the personal data and any relevant updates.

Erasure Requests

  1. Evaluate the request. Determine if the conditions for erasure are met (e.g., the data is no longer necessary, withdrawal of consent, unlawful processing).
  2. Assess exemptions. Consider any legal exemptions or retention obligations that may apply to the requested data.
  3. Delete or anonymise the data. If the erasure request is valid, proceed to delete or anonymise the personal data, ensuring it is no longer identifiable or traceable.
  4. Confirm erasure. Inform the requester that their personal data has been deleted or anonymised, unless any legal or practical limitations prevent complete erasure.

Objection requests

  1. Evaluate the objection. Assess the grounds on which the objection is based and review the specific processing activities in question.
  2. Balance interests. Consider your legitimate interests vs. the rights and freedoms of the individual. Determine whether the objection is valid and whether you should really stop processing the data.
  3. Communicate your decision. Inform the requester of the outcome of the objection and any actions taken as a result, providing a clear explanation of the decision.

Finally, document and maintain records of all requests you receive and the actions you take to respond to them. Those records will demonstrate compliance with your data protection obligations.


Never miss a data request

Generally, the timeline to respond to data requests will be 30 days. Here are a few things you can do to make sure you never miss a request and manage all of them effectively:

  1. Establish clear procedures: First, decide how you will handle data requests. Then, create a policy that clearly outlines the steps to be taken from the initial receipt of a request to its completion.
  2. Educate your employees: Train your staff to recognise GDPR data requests. Make sure everyone understands the timeline for responding to them and knows how to do so.
  3. Designate a point of contact: For example, this could be a dedicated email inbox, a specific person, or a team. Alternatively, you can set up a request portal that receives requests for you.
  4. Create a centralised system: Set up a system to track and manage data requests. Getting special software designed for request management makes the whole process much easier. Such software can log, assign, and track the progress of each request and remind you to respond to it.
  5. Automate reminders and notifications: Use calendar reminders or your request management software to alert you when you need to process a request. Additionally, request management software can notify the requester that you have received their message and are working on it.

Finally, make sure you regularly review and update your processes and policies. Take into account things like customer and employee feedback and any changes in data protection regulations.

Data request management software

It takes an average of 30-40 hours per request to handle a data request manually. As we mentioned above, using request management software can reduce this time significantly by simplifying the whole request process from start to finish. That’s why we created RequestManager for small and medium businesses to handle data requests.

With RequestManager, you get a request portal that collects, verifies, and logs the data requests you receive. Each request shows up on your dashboard, organised by its due date. Then, SMS and email verifications help you check the requester’s identity. Meanwhile, the person automatically gets a notification that you received their request and are working on it. You get reminders to respond on time and help to collect the data and send it back securely. Finally, everything is logged to demonstrate compliance.

Sebastian Allerelli

Founder & COO at Safe Online
Governance, Risk & Compliance Specialist