GDPR Data Subject Rights: A Practical Guide for Organizations
Understand and implement the eight GDPR data subject rights, from access requests to portability, with practical guidance on response procedures and common challenges.
The Foundation of GDPR Compliance
Data subject rights are the heart of the GDPR. While organizations often focus on consent management and data protection policies, the ability to effectively respond to data subject requests is where compliance meets reality. When someone asks for access to their data or requests erasure, you have one month to respond—and the clock is ticking.
This guide covers the practical aspects of handling data subject requests, from receiving requests through fulfillment and documentation.
The Eight Rights at a Glance
GDPR grants individuals eight core rights over their personal data:
| Right | Article | Summary |
|-------|---------|---------|
| To be informed | 13-14 | Know how their data is used |
| Of access | 15 | Obtain their data and processing information |
| To rectification | 16 | Correct inaccurate data |
| To erasure | 17 | Have data deleted ("right to be forgotten") |
| To restrict processing | 18 | Limit how data is used |
| To data portability | 20 | Receive data in portable format |
| To object | 21 | Stop certain processing activities |
| Related to automated decision-making | 22 | Human review of significant automated decisions |
Receiving and Recognizing Requests
How Requests Arrive
Data subjects can make requests through any channel:
- Email (any address, not just dedicated channels)
- Phone calls
- Social media messages
- In-person requests
- Letters
Critical point: You must act on valid requests regardless of how they're received. "We only accept requests through our privacy form" is not a valid limitation.
Recognizing Requests
Train staff to recognize requests that may not use formal language:
Formal: "I am exercising my right of access under GDPR Article 15."
Informal: "Can you tell me what information you have about me?"
Indirect: "I want to close my account and have everything deleted."
All of these are valid requests requiring action.
The Response Timeline
Standard Timeline
- Response deadline: One month from receipt
- Extension: Up to two additional months for complex requests
- Extension notification: Must inform the requester within the original one month
When Does the Clock Start?
The month begins when you receive the request—not when you:
- Verify the requester's identity
- Assign the request internally
- Understand what's being asked
Exception: If you need to clarify the request, the clock pauses until clarification is received.
Managing Extensions
If extending the deadline:
1. Notify the requester within the original one-month period
2. Explain why the extension is necessary
3. Inform them of their right to complain
Identity Verification
Before disclosing personal data, verify the requester is who they claim to be. A request is itself a potential disclosure channel: sending someone's data to an impersonator is a personal data breach, so verification is a security control, not a formality.
Verification Approaches
For existing customers/users:
- Request from a verified account or email address
- Knowledge-based verification (account details)
- Two-factor authentication

For unknown requesters:
- Copy of government ID
- Verification questions
- Request from a known address
Proportionality
Verification should be proportionate to:
- The sensitivity of the data
- The risk of disclosure to the wrong party
- The existing relationship with the requester
Don't demand passport copies for routine low-risk requests.
What If You Can't Verify?
- Explain what verification you need
- The timeline pauses until verification is received
- If unable to verify, you may refuse—but document the reasoning
Handling Specific Rights
Right of Access (Most Common)
What to provide:
- Confirmation that you process their data
- A copy of the personal data
- Information about the processing (purposes, categories, recipients, retention, rights, source)

Format:
- Electronic format for electronic requests
- Commonly used, machine-readable format preferred
- First copy free; reasonable fee for additional copies

Practical tips:
- Create standard data export functionality
- Prepare a template covering the information requirements
- Redact third-party personal data
Right to Erasure
When applicable:
- Data no longer needed for the original purpose
- Consent withdrawn
- Successful objection to processing
- Unlawful processing
- Legal obligation to erase

When you can refuse:
- Legal obligation to retain
- Defense of legal claims
- Public health purposes
- Archiving in the public interest
- Freedom of expression

Practical implementation:
- Delete from primary systems
- Remove from backups (or restrict access if deletion is impractical)
- Notify processors and third parties
- Document what was deleted and when
Right to Portability
Applies when:
- Processing is based on consent or contract
- AND the processing is automated

What to provide:
- Data provided BY the data subject
- Data observed about the data subject
- In a structured, commonly used, machine-readable format (JSON, CSV, XML)

What's excluded:
- Inferred or derived data
- Data created by your own analysis
Right to Object
Two types:
General objection (processing under legitimate interests or public task):
- You must stop unless you can demonstrate compelling legitimate grounds that override the individual's rights

Direct marketing objection (absolute right):
- Must stop processing for direct marketing upon request
- No balancing test required
Common Challenges and Solutions
Vague or Broad Requests
"Send me all my data"
Response approach:
- Clarify what specific information they want
- Explain what data you hold and ask which of it they want
- Provide an overview first, and offer details on request
Excessive Requests
If requests are "manifestly unfounded or excessive," you may:
- Charge a reasonable fee, or
- Refuse to act
But: Document your reasoning. The bar for "excessive" is high.
Third-Party Data
When requested data includes others' personal data:
- Redact third-party data before disclosure
- Consider whether disclosure would adversely affect others
- Don't use this as a reason to refuse entirely
Backups and Archives
For erasure requests:
- Delete from live systems immediately
- For backups: either delete, or ensure the data won't be restored and will be erased at the next backup cycle
- Document your approach
Building Your DSR Process
Essential Components
1. Intake mechanism: How requests are received and logged
2. Triage: Categorize the request type and assess complexity
3. Verification: Confirm identity appropriately
4. Assignment: Route to the responsible team/person
5. Data gathering: Collect data from the relevant systems
6. Review: Ensure completeness and redact as needed
7. Response: Provide the response within the deadline
8. Documentation: Record what was done and when
Documentation Requirements
For every request, document:
- Date received
- Requester identity verification
- Request type(s)
- Actions taken
- Date of response
- If refused: the reasoning
Tools and Automation
Consider:
- Ticketing system for request tracking
- Data inventory mapped to systems
- Automated data export where possible
- Template responses
- Dashboard for deadline monitoring
What Happens If You Get It Wrong
Supervisory Authority Complaints
Data subjects can complain to supervisory authorities if:
- The request is not actioned
- The response is delayed without justification
- The response is incomplete or incorrect
Potential Consequences
- Investigation by the supervisory authority
- Orders to comply
- Administrative fines
- Reputational damage
- Private legal claims
Related Resources
- [GDPR Data Subject Rights](/kb/gdpr-data-subject-rights)
- [GDPR Legal Basis for Processing Personal Data](/kb/gdpr-legal-basis-for-processing-personal-data)
- [GDPR Data Protection Officer (DPO) Requirements](/kb/gdpr-data-protection-officer-dpo-requirements)
This article provides general guidance on GDPR data subject rights. Consult with qualified legal counsel for advice specific to your organization and jurisdiction.