Rights & Requests | Updated: 11 April 2026 | 6 min read

How to Set Up a Data Subject Request Process

A step-by-step guide to building a reliable process for handling GDPR data subject requests. From designating a contact point to documenting every step, this article covers everything an SME needs to handle requests correctly and on time.

Key Takeaways
  • Designate one clear contact point for all data subject requests
  • Any form of request counts - email, phone, verbal, or social media
  • Register every request immediately and set deadline reminders
  • Document everything as evidence for the supervisory authority

Why you need a process

Most SMEs handle their first data subject request in a panic. Someone emails asking “what data do you have about me?” and nobody knows who should respond, what to check, or when the deadline is. That is how mistakes happen, and mistakes lead to complaints and fines.

A clear, written process prevents this. It does not need to be complicated. Nine steps, a shared register, and a few templates are enough.

Step 1: Designate a contact point

Choose one person or one email address that receives all data subject requests. This could be privacy@yourcompany.com, your office manager, or yourself if you are a small team.

The key rule: requests must not arrive in a general inbox where they get buried. Everyone in your organisation should know where to forward a request the moment it comes in.

Make sure there is a backup. If the contact person is on holiday, someone else must check for incoming requests.

Step 2: Recognise a request

A data subject request does not come on a special form. It can arrive through any channel:

  • Email - “Please send me all data you have about me”
  • Phone - “I want my account deleted”
  • Social media - a direct message asking to stop processing their data
  • Letter - a formal written request
  • Verbally - during a meeting or at your front desk

Any variation of “what data do you have?”, “delete my data”, “stop processing my information”, or “correct my details” counts as a formal request under the GDPR. Train your team to recognise these and escalate immediately.

Step 3: Register immediately

The moment a request comes in, log it in your request register. Record:

  • Who is making the request (name, contact details)
  • When you received it (this is when the clock starts)
  • Through which channel it arrived
  • What type of request it is (access, erasure, rectification, restriction, portability, objection)
  • Deadline (one month from receipt)

Template: Request Register

Track every request in a central register: who, when, what type, deadline, and outcome.

View the template

Step 4: Verify identity

Before you act on a request, you must confirm you are dealing with the right person. Giving data to the wrong person is a data breach.

Apply proportionate verification:

Situation - Verification method

  • Known customer with an account - Ask them to confirm via their account or known email
  • Known employee or contact - Confirmation from their known email address is sufficient
  • Unknown person - Ask for a copy of ID, with photo and national ID number redacted

Never ask for more identification than necessary. A full passport copy for a newsletter unsubscribe is disproportionate.

Template: Identity Verification

A standard letter asking the requester to confirm their identity in a proportionate way.

View the template

Step 5: Assess the request

Determine which right is being invoked and whether you can comply:

  • Which right? Access, erasure, rectification, restriction, portability, or objection?
  • Can you fully comply? In most cases, yes.
  • Are there grounds for (partial) refusal? Legal retention obligations, rights of others, manifestly excessive requests?
  • Partial compliance? You may need to delete some data while retaining other data you are legally required to keep.

If you need to refuse, you must explain why and inform the requester of their right to complain to the supervisory authority.

Step 6: Set deadline reminders

You have one month from the date of receipt. Not from verification, not from when you started working on it - from receipt.

Set two reminders:

  • At two weeks - check progress. Is identity verified? Have you started collecting data?
  • At three weeks - the response should be nearly ready. If it is not, consider whether you need an extension.

If the request is complex, you may extend the deadline by two months. But you must inform the requester of this extension within the first month, explaining why.

Step 7: Respond

Always respond in writing, even if the request came in by phone. Your response should clearly explain:

  • What you did - which data you provided, corrected, or deleted
  • Why - the legal basis for your actions (or your reason for refusal)
  • Their rights - the right to complain to the supervisory authority

Use response templates to ensure you cover all mandatory elements:

Template: DSAR Confirmation

A ready-to-use response template for access requests that includes all mandatory information elements.

View the template

For other request types, use the appropriate template: deletion confirmation, deletion refusal, or rectification confirmation. Each template ensures you include the legally required information.

Step 8: Document everything

Your file for each request should contain:

  • The original request (or a summary if it was verbal)
  • Identity verification records
  • Your internal notes on which systems were searched
  • The response you sent
  • Dates of every step

This is your evidence if the data subject complains to the supervisory authority. Without documentation, it is your word against theirs.

Step 9: Set up an escalation path

Not every request is straightforward. Define in advance:

  • Who decides on refusals? The contact person should not refuse requests alone.
  • When to consult a lawyer? If a request involves complex legal retention, competing rights, or potential litigation.
  • When to contact your DPO? If you have a Data Protection Officer, they should be involved in non-routine cases.
  • What if you are unsure about the request type? When in doubt, treat it as a valid request and seek advice.

Write this escalation path down. When a difficult request comes in at 4 PM on a Friday, you do not want to figure this out under pressure.

Putting it all together

Your process fits on one page:

  1. Request comes in - forward to contact point
  2. Register in the request register
  3. Verify identity
  4. Assess the request
  5. Collect data or take action
  6. Prepare response using template
  7. Send response within one month
  8. Document everything
  9. Close the case in the register

Print this out, share it with your team, and walk through it once. The first real request will go smoothly.

Be prepared for requests

GDPRWise helps you set up your request process and generates the templates you need to respond correctly.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.