How to Handle Data Subject Access and Deletion Requests

If someone asks to see the data you hold on them, or asks you to delete it, you have a legal clock running from the moment the request arrives. We handle these for clients as a fractional DPO and the same few things trip teams up every time. Here's the actual process, start to finish.

What counts as a request, and why you can't ignore one

A valid request doesn't need a form, a specific wording, or to be sent to the right inbox. Someone can ask in an email, a chat message, a phone call, or a tweet, to anyone at your company, and it still counts. Under the GDPR and UK GDPR, people have the right to access their personal data (Article 15) and, in many cases, the right to have it erased (Article 17). If you miss or ignore one, the person can complain to the supervisory authority, and "we didn't see it" is not a defence. The first practical step is making sure your team can recognise one when it lands.

Step 1. Recognise and log it

The day the request arrives is day zero. Log the date, who made it, and what they're asking for. You have one month to respond. In practice, the biggest failures I see aren't bad responses; they're requests that sat in a shared inbox for three weeks before anyone realised what they were.

Step 2. Verify who's asking

You're allowed to confirm the person is who they say they are before handing over their data, and you should. If you have reasonable doubts, you can ask for enough information to confirm their identity, and the one-month clock pauses until they provide it. Don't over-ask: requesting a passport for a simple request is itself a problem. Ask for what's proportionate.

Step 3. Scope what they actually want

An access request is for the person's own personal data, not a general document dump of everything that mentions them. If the request is broad or vague, you can ask them to narrow it, for example to a specific time period or system. This is reasonable and often helps both sides, but it doesn't reset the clock unless you're genuinely waiting on them to clarify.

Step 4. Find the data (the hard part)

This is where the real work is, and where tools and teams underestimate the effort. The data lives in more places than anyone expects: your main app, CRM, support tickets, email, analytics, backups, third-party processors. You can only fulfil a request properly if you know where personal data sits, which is why a current data map is the single most useful thing to have before a request ever arrives. Build it once, save yourself the scramble every time.

Step 5. Decide what you can withhold or refuse to delete

Deletion is not absolute. You can refuse to erase data you still need for a legal obligation, or to establish, exercise, or defend a legal claim, among other grounds. On access requests, you also have to protect other people: if a record contains someone else's personal data, you redact or remove it before disclosing. This is the judgment part. Getting it wrong in either direction, over-disclosing or wrongly refusing, is where the risk sits.

Step 6. Respond before the deadline

Respond within one month of receiving the request. You can extend by up to two further months if it's genuinely complex or you've received several from the same person, but you have to tell them about the extension, and why, within that first month. For access requests made electronically, provide the data in a commonly used electronic format unless they ask otherwise. Keep the response clear and plain, not a legalistic wall.

Step 7. Keep a record

Log what you received, how you verified identity, what you disclosed or deleted, what you withheld and on what grounds, and the date you responded. If a complaint ever comes, this record is what shows you handled it properly. Accountability isn't just doing it right, it's being able to demonstrate you did.

The mistakes we see most

Treating only requests sent to a "privacy@" address as valid. Asking for far more ID than the request warrants. Forgetting backups and third-party processors when locating data. Deleting things you were legally required to keep. And the most common one, missing the deadline simply because nobody flagged the request in time. Most of these are process problems, not legal ones.

Background: Written by Julian Gage, Data Protection Officer at Engage Compliance. We run access and deletion requests end to end for Seed to Series C tech companies.