You've got your Privacy Policy, and you're fully compliant with data protection legislation. But part of your duties involve being ready to handle the following requests:
- Access to data
- Requests for deletion (sometimes known as the "right to be forgotten"
- Portability requests (receive a copy of their personal data to transfer to another party)
Whether you're a startup in California or an eCommerce shop in the UK, data privacy legislation requires that even the smallest of businesses respond to requests from users to access, delete, and port their data. And no, you don't need an in-house legal or IT team to handle these requests compliantly.
In this guide, we'll walk you through the practical steps any small business can take to fulfill data subject requests with minimal fuss and full compliance.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. Terms You Need to Know to Handle Data Subject Requests
- 1.1. Data Subject Requests (DSRs)
- 1.2. Data Subject Access Request (DSAR)
- 2. How to Prepare to Handle Data Subject Requests
- 2.1. Step 1: Know what data you collect
- 2.2. Step 2: Make it easy for users to submit DSRs
- 2.3. Step 3: Verify the user's identity
- 2.4. Step 4: Respond within the required time limits
- 2.5. Step 5: Locate and validate the requested data
- 2.6. Step 6: Protect your business by seeking legal advice
- 2.7. Step 7: Prepare the data for sharing
- 2.8. Step 8: Understanding deletion requests
- 2.9. Step 9: Respond to the request
- 2.10. Step 10: Record the Process
- 3. Refine Your Processes
- 4. Summary
Terms You Need to Know to Handle Data Subject Requests
Data privacy laws use several legal terms that it's useful to understand before you handle data subject requests. Here are three key terms every business owner needs to get familiar with:
- Data subject: The person whose data you have collected, stored, and processed.
- Data controller: Any person or entity that collects and processes user data. So, in terms of this discussion, your business is the data controller.
- Data subject rights: The data privacy rights a data subject has over their personal data. This includes the right to access, delete, and port their data (move it from one data controller to another).
Users' rights to access, delete, modify, and port their data vary depending on the data protection legislation in place. Let's examine two key terms and how they vary under different data protection laws.
Data Subject Requests (DSRs)
A data subject request (DSR) refers to any request from a user to view, change, or delete the personal data your business holds about them. It is an umbrella term that can cover many types of specific requests, including data subject access requests (DSARs) discussed below.
The CCPA/CPRA (which covers California) and the CTDPA (which applies to Connecticut) give users the right to make these requests.
For example, under California's CCPA/CPRA, any customer could use a "verifiable consumer request," often called a DSR, to exercise the following rights:
- Right to access personal data collected on them
- Right to know if their data is being sold or shared with third parties
- Right to prohibit their data from being shared or sold
- Right to ask for data to be deleted
- Right to modify or correct data you hold on them
- Right to restrict how personal data is used
Under these laws, businesses are required to fulfill users' requests. Failure to do so can result in significant fines, as well as negative publicity and a loss of user confidence. As the European Commission explains below, failing to follow through on DSRs could result in a warning at best and a jaw-dropping fine at worst.
Data Subject Access Request (DSAR)
A data subject access request (DSAR) is a specific type of DSR. This term is most commonly used by the GDPR, which applies to many European countries and the UK. As shown below, Article 15 of the GDPR outlines the wide-ranging rights of access users have under this law. Requests under Article 15 are often called DSARs.
Article 20 of the GDPR enshrines data portability requests--the right to transmit data to another data controller. It includes an additional requirement that data be provided in a "structured, commonly used, and machine-readable format," which often means a CSV file or the developer-friendly JSON format.
California's CCPA also includes a similar, but less detailed clause, ensuring ease of portability for users between different companies:
Consider a simple table summarizing legal timeframes and verification rules when it comes to DSAR requests:
| Law | Rights Covered | Response Deadline | ID Verification Required? |
| GDPR | Access, Deletion, Portability | 30 days | Yes |
| CCPA/CPRA | Access, Deletion, Opt-Out | 45 days (+45 ext.) | Yes |
| PIPEDA | Access, Correction | 30 days | Yes |
How to Prepare to Handle Data Subject Requests
Whether you receive a DSR or a DSAR, your business needs to take speedy action to fulfil the request and avoid legal complications. The following steps can help you put systems in place that make compliance a breeze.
Step 1: Know what data you collect
Data minimization - collecting as little data as possible to fulfill your needs - is at the heart of all data privacy laws. However, in order to fulfill DSRs, you need to know what data you have and where it is stored.
This could include:
- Personal information on your system, such as names, email addresses, billing information, and order history.
- Data accessed by third-party analytics tools, such as Google Analytics.
- Data stored on customer relationship management (CRM) systems.
- Data stored on the cloud or on website databases
Create a simple spreadsheet to keep track of data types, secure storage locations, the purpose of collection, and the retention period. This can help you easily access all the data you have collected and use it to fulfill the user's request.
Step 2: Make it easy for users to submit DSRs
You don't need to set up an IT department to handle DSRs. All you need is an easy way for customers to contact you to request to access, delete, or port their data.
As shown below in the GDPR-compliant example of the UK hardware store Screwfix, this can be as simple as including the following in your Privacy Policy:
- An online form (a dedicated email address does the same job)
- A phone number and
- A physical address to write to
It shows:
Some data privacy laws require businesses to provide at least two ways of submitting requests to know and the right to delete requests. For example, California's CCPA (shown below) requires a toll-free number users can call to make requests, plus another approved contact method.
Step 3: Verify the user's identity
To start actioning a request to access, delete, or port user data, you need to appoint a data protection lead. In a small business, simply nominate a staff member who will see requests through from beginning to end.
Before fulfilling a data access request, it's vital to verify that the person making the request is who they say they are and that they are authorized to make the request. This is a requirement under all major data privacy laws, including the GDPR and CCPA. Failure to carry out this step could cause a data breach-sharing information with someone who is not entitled to access it.
Some methods of verifying user identity include:
- Asking the user questions about the PII you hold
- Using login credentials
- Multi-factor authentication, including sending a one-time passcode
Zapier, an automation platform, keeps it simple. In its Privacy Policy, it explains that you may need to submit a request through your account. A clear, unambiguous statement about identity verification in your Privacy Policy lets your customers know what to expect when they make a request.
Data privacy laws require you to deny the request if you cannot verify the user's identity. Instead, as the CCPA explains, you can direct the user to your Privacy Policy, so they can understand how their data is processed.
Step 4: Respond within the required time limits
Most data privacy laws require companies to respond to data access requests within a specific timeframe. For example:
- GDPR: Within 30 days
- CCPA: Generally, within 45 days, but can be extended by 45 days after informing the user
- Other US state laws: Typically, within 45 days
- PIPEDA: Within 30 days
The relatively short timeframes allowed by data protection laws highlight the importance of being ready to act on requests from day one. Clear and prompt communication is key-even if you're having difficulty fulfilling the request. Always acknowledge requests as soon as you receive them and keep the user updated on the progress of their request.
Step 5: Locate and validate the requested data
Once you have verified the identity of the requester and are sure they are authorized, now is the time to double-check what they are actually asking for. Now's the time to cross the i's and dot the t's to ensure you fill the request correctly.
Trawl your records to find all the data that relates to them. Work through the checklist in step 1 and bring together all relevant data.
Step 6: Protect your business by seeking legal advice
Complex DSRs require a greater level of care. They may include data concerning children, health, or international data transfers.
Small businesses that do not have a legal department or a dedicated Data Protection Officer (DPO) should consider seeking legal advice when faced with a complex request. This extra step can help you avoid unnecessary risk and ensure you do not breach data protection regulations.
Step 7: Prepare the data for sharing
Once you are sure you have the right data and are able to share it, consider how the user will receive it. The data you share should be in a user-friendly format. Common file types include PDFs, Excel sheets, and CSV files. As mentioned earlier, this is a requirement in GDPR data portability requests.
You should include:
- The categories of personal data you hold
- The specific data
- How you obtained the data
- The purpose for which the data was obtained and processed
- Any third parties with whom the data has been shared
- The retention period of the data
It is crucial that you check the data being supplied to the user only contains their personal information. Sharing information about any other user or person would be considered a data breach. Therefore, redact all information that does not relate to the person making the request.
Also, if the person is likely to be able to guess the identity of the people identified by the redacted information, you have another decision to make. It may be a good idea to consider getting the consent of the other parties before providing the data to the requester.
Step 8: Understanding deletion requests
Deletion requests - often called the "right to be forgotten" - may sound simple, but there are exceptions you must consider. Most data privacy laws acknowledge that businesses must retain certain information for good reasons.
Possible legitimate reasons to retain data include:
- Legal obligations: In many jurisdictions, tax records must be retained for a certain number of years.
- Security: Logs must be retained to detect fraud.
- Contract performance: If you are continuing to provide a requested service, you may need some personal information to carry it out.
Users' rights vary depending on the data privacy law under which they are making their request. As GDPR.EU explains below, there are seven valid reasons under the GDPR why a request for deletion may be denied:
That said, many right-to-be-forgotten requests can be actioned.
Step 9: Respond to the request
Once you have completed all the necessary checks, you are ready to respond to the request for access, deletion, or porting of personal data.
Use clear, respectful language in your response. Confirm the information that could be provided or deleted, and what could not be and why. Send the data in a structured, machine-readable, and secure format. If there were any delays in processing the request, include a justification, mentioning the applicable legal basis.
Whenever you send a confirmation of deletion or send data in an access or porting request, enclose a copy of your Privacy Policy. It will give the user clarity on how you use their data and how they can make further data access requests.
Step 10: Record the Process
Finally, keep a record of the steps you took to fulfil the DSR. This can help in the following ways:
- Accountability: Evidence how you respond to data access, deletion, and portability requests if a regulator audits you or a dispute arises.
- Efficiency: If the same user contacts you again or you receive a similar request, it will be easier to follow through.
Refine Your Processes
As time goes by and you receive more requests to access, delete, and port user data, it's good to review your processes. Data privacy laws are continually updated, and new ones are emerging. Scheduling regular reviews and updating your procedures and Privacy Policy can help you remain compliant and build customer confidence.
Summary
Your small business needs to be ready from the outset to handle data subject requests, even if you do not have a legal or IT team. To comply with the GDPR, CCPA, PIPEDA, and other laws, you need to verify identities, respond promptly, prepare the data in a useful format that protects the data of other people, and deliver the data securely.
The key is to follow a structured process like the one above, keep accurate records, and use the right tools. Regular process reviews will help you remain compliant as data privacy laws evolve. You'll be able to keep your customers happy while protecting your business.
The first step to compliance: A Privacy Policy.
Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.