
Your Data Protection Rights: A Practical Guide to Control and Compliance

Every day, your personal data flows through systems you may never see—shopping histories, location logs, health records, even the way you scroll through a website. Regulations like the GDPR and CCPA have given you legal tools to control that data, but knowing how to use those tools is another matter. This guide is for anyone who wants to understand their data protection rights and put them into practice, whether you're an individual seeking to exercise your rights or a team member responsible for handling such requests.

We'll walk through the core rights, compare different approaches to managing them, and show you what works—and what often fails—in real-world situations. By the end, you'll have a clear path to take control of your personal information and ensure compliance with data protection laws.

Who Must Act and Why Now

Data protection rights aren't abstract—they apply to anyone who collects or processes personal data. If you run a business, manage a website, or even organize a community event with a sign-up sheet, you likely have obligations under laws like the GDPR (in Europe) or the CCPA (in California). For individuals, these rights mean you can ask companies what data they hold on you, request corrections, demand deletion, and even move your data to another service.

The urgency comes from several fronts. First, regulators are increasingly active: GDPR fines in the largest cases have reached hundreds of millions of euros, and enforcement actions are becoming more common. Second, consumers are more aware of their rights and more willing to file complaints. A single data subject request (DSR) can trigger a chain of obligations that, if mishandled, leads to reputational damage and legal risk. Third, the legal landscape continues to evolve: new laws in Brazil, India, and several US states mean that what was acceptable last year may not be sufficient today.

For organizations, the clock is ticking. Many companies still rely on ad-hoc processes (email inboxes, spreadsheets, or manual searches) to handle DSRs. That approach worked when requests were rare, but as awareness grows, so does the volume. A well-known retail brand recently faced a class-action lawsuit after failing to respond to deletion requests within the statutory window. The cost of settling that case far exceeded the investment needed to set up a proper system.

For individuals, the window to act is always open, but the longer you wait, the more data accumulates. If you've never exercised your right to access, you might be surprised at what's stored about you—from old purchase histories to behavioral profiles built by advertisers. Starting now gives you a baseline and helps you spot errors or unauthorized uses before they cause harm.

Who This Guide Serves

This guide is written for two primary audiences. First, individuals who want to understand and exercise their data protection rights—whether to clean up old accounts, correct inaccurate information, or simply see what data companies hold. Second, professionals—compliance officers, privacy managers, developers, and business owners—who need to build or improve their organization's DSR handling process. The principles apply regardless of your role or location.

Your Rights: The Landscape of Options

Data protection laws grant several key rights, though the exact scope varies by jurisdiction. Understanding these rights is the first step in exercising them effectively. Here are the most common rights and what they mean in practice.

Right to Access

You can ask any organization to confirm whether they process your personal data and, if so, to provide a copy of that data together with the purposes, recipients, retention period and source. This is often the starting point for exercising other rights. For example, you might request all data a social media platform holds on you: posts, messages, ad preferences, location history, and inferred interests. The organization must respond without undue delay and within the statutory period (one month under GDPR, extendable by up to two further months for complex or numerous requests; 45 days under CCPA) and, if you asked electronically, provide the information in a commonly used electronic format.

Right to Rectification

If the data an organization holds about you is inaccurate or incomplete, you have the right to have it corrected. This is particularly important for credit reports, medical records, and employment files. A simple email or form submission is usually enough to trigger the correction process, but the organization must verify the accuracy of your claim and update their records promptly.

Right to Erasure (Right to Be Forgotten)

Under certain conditions, you can request that an organization delete your personal data. This right is not absolute—it applies when the data is no longer necessary for the original purpose, when you withdraw consent, or when the data was processed unlawfully, among other grounds. However, organizations can refuse if they need the data for legal compliance, public health, or archiving purposes. This is one of the most commonly exercised rights and also one of the most frequently mishandled.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller without hindrance. This is designed to give you control over your data and encourage competition among services. For example, you could ask a streaming service to export your watch history and preferences so you can import them into a competitor.

Right to Restrict Processing

In certain situations, you can request that an organization limit how they use your data. This might apply when you contest the accuracy of the data (while they verify it) or when the processing is unlawful but you don't want the data deleted. During the restriction period, the organization can only store the data—not process it—unless you consent or there are legal reasons.

Right to Object

You can object to processing based on legitimate interests or a public-interest task (including profiling), to processing for direct marketing, and to processing for scientific, historical or statistical purposes unless it is necessary for a task carried out in the public interest. For direct marketing the objection is absolute: the organization must stop, with no balancing test. On the other grounds it must stop unless it can demonstrate compelling legitimate grounds that override your interests, or needs the data for legal claims. This right is often used to opt out of targeted advertising or profiling.

How to Choose the Right Approach for Your Situation

Not all rights apply in every context, and not every organization handles requests the same way. To exercise your rights effectively—or to build a compliant system for handling requests—you need to evaluate several factors.

Criteria for Individuals: What to Consider Before Making a Request

Before you send a data subject request, ask yourself: What is my goal? If you want to see what data a company holds, start with an access request. If you've found an error in your credit file, use rectification. If you're closing an account, request erasure. Be specific—vague requests can lead to delays or denials. Also, consider the organization's size and resources. A small business may take longer to respond, while a large tech company may have automated systems that can handle requests quickly but may also push back on broad demands.

Another criterion is the sensitivity of the data. For highly sensitive information like health records or financial data, you may want to use encryption when transmitting your request and expect the organization to verify your identity securely. For less sensitive data, a simple email might suffice.

Criteria for Organizations: How to Build a DSR Process

If you're responsible for handling DSRs, you need to decide on a process. The key criteria include volume of requests, complexity of data systems, budget, and legal requirements. A small business with a handful of customers might handle requests manually using a spreadsheet and email templates. A larger organization with multiple databases, customer portals, and third-party processors will need a more automated system—possibly a dedicated privacy management platform or a custom-built tool.

Another critical factor is verification. You must confirm the identity of the requester before acting on a DSR, especially for erasure or data portability requests. A DSR portal is an attractive target for impersonation: a forged access request is a cheap way to obtain someone else's address, order history or messages, so verification should tie the request to the account or contact channel you already hold for that person rather than to documents an attacker could have obtained. The verification process should be proportionate to the risk: requesting a copy of an ID for a simple access request may be excessive, but for a deletion request involving sensitive data it is necessary. Overly burdensome verification can itself be a violation of the right to access.

Finally, consider the timeframe. GDPR requires a response within one month of receipt, extendable by two further months for complex or numerous requests; CCPA allows 45 days, extendable by a further 45. In both cases you must tell the requester about the extension, and the reason for it, within the initial period. Your process must track deadlines from the date of receipt, escalate complex cases early enough to decide on an extension in time, and record every communication with the requester.

Trade-Offs: Comparing Manual, Automated, and Hybrid Approaches

Organizations generally choose between three approaches for handling data subject requests: manual, automated, or hybrid. Each has strengths and weaknesses, and the right choice depends on your specific circumstances.

Manual
  Pros: low initial cost; flexible; works for low volumes
  Cons: slow; error-prone; hard to scale; lacks an audit trail
  Best for: small businesses with fewer than 50 DSRs per year

Automated
  Pros: fast; consistent; built-in tracking; reduces human error
  Cons: high setup cost; requires technical integration; can be inflexible for edge cases
  Best for: large enterprises with high DSR volume and complex data systems

Hybrid
  Pros: balances cost and efficiency; handles most requests automatically and escalates complex ones
  Cons: requires clear rules for escalation; still needs human oversight
  Best for: mid-size companies or those with moderate DSR volume

The trade-off is clear: manual processes are cheap to start but expensive to maintain as volume grows. Automated systems require upfront investment but pay off in accuracy and speed. Hybrid approaches offer a middle ground, but they demand careful design to ensure that edge cases don't fall through the cracks.

For individuals, the approach an organization uses affects how quickly and smoothly your request is handled. If you're dealing with a small company that uses a manual process, be patient and follow up politely. For large companies, use their official DSR portal if available—it's usually faster than emailing a generic address.

Implementation: Steps to Exercise Your Rights or Build a Process

Whether you're an individual or an organization, taking action requires a clear plan. Below are step-by-step guides for both perspectives.

For Individuals: How to Make a Data Subject Request

  1. Identify the right organization. Determine which company or entity holds your data. If you're unsure, start with the services you use most often—social media, email providers, banks, and retailers.
  2. Find the right contact. Look for a privacy policy or a dedicated DSR page on the organization's website. Many companies have an online form or a dedicated privacy mailbox named in the privacy policy; EU organizations that must appoint a data protection officer are required to publish that officer's contact details.
  3. Draft your request. Be clear and specific. For an access request, state: “I am exercising my right to access under [applicable law]. Please provide all personal data you hold about me, including any data processed by third parties on your behalf.” For erasure, specify why you believe the data should be deleted (e.g., “I withdraw consent for processing my data for marketing purposes”).
  4. Verify your identity. Be prepared to provide proof of identity. This could be a copy of your ID, a utility bill, or a secure verification method offered by the organization. Do not send sensitive documents via unencrypted email unless the organization provides a secure portal.
  5. Track your request. Note the date you sent the request and the deadline (one month under GDPR, 45 days under CCPA, unless the organization notifies you of an extension within that period). Follow up if you don't receive a response within that timeframe. If the organization fails to respond, you can file a complaint with the relevant data protection authority.
  6. Review the response. Check that the data provided is complete and accurate. If something is missing or incorrect, follow up with a rectification request. If you believe the organization has not complied, escalate to the regulator.

For Organizations: How to Build a DSR Handling Process

  1. Map your data. Know what personal data you collect, where it is stored, who has access, and how it is processed. This data map is essential for responding to DSRs quickly and accurately.
  2. Designate a team. Assign responsibility for DSR handling—whether it's a privacy officer, a compliance team, or a cross-functional group that includes IT, legal, and customer support.
  3. Create a standard operating procedure. Document the steps for receiving, verifying, and responding to each type of DSR. Include timelines, templates, and escalation paths for complex cases.
  4. Choose your tools. Based on your volume and complexity, select a manual, automated, or hybrid approach. For automated systems, evaluate vendors or build in-house solutions that integrate with your data map.
  5. Train your staff. Ensure everyone who might receive a DSR—from customer service to developers—knows how to recognize and route requests. Regular training reduces the risk of missed deadlines or mishandled data.
  6. Test and iterate. Run mock DSRs to test your process. Identify bottlenecks and fix them. As your organization grows, revisit your process to ensure it remains adequate.
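The deadline rules and the verification-before-action requirement above, and the cross-subject disclosure failure described under "Risks of Getting It Wrong", are easy to encode. The following is an added example, not code from the original page or from any privacy platform: a minimal DSR tracker that computes statutory deadlines (GDPR one month plus two months, CCPA 45 days plus 45, as summarised on this page), refuses to fulfil a request until it has been verified to a tier proportionate to the right and the data's sensitivity, and re-checks every exported row against the verified subject so a sloppy query cannot hand one person's data to another. The tier policy, the `sensitive` flag, the month-end clamping rule for "one month", and the sample store are assumptions made for illustration.

```python
"""Added example: a minimal DSR tracker (deadline rules as summarised on the page;
verification tiers, the `sensitive` flag and the sample store are hypothetical)."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

REGIMES = {  # initial period, then the single permitted extension
    "gdpr": {"initial": ("months", 1), "extension": ("months", 2)},
    "ccpa": {"initial": ("days", 45), "extension": ("days", 45)},
}

def add_period(start: date, unit: str, n: int) -> date:
    """Add n days, or n calendar months clamped to the last day of the target month."""
    if unit == "days":
        return start + timedelta(days=n)
    idx = start.month - 1 + n
    year, month = start.year + idx // 12, idx % 12 + 1
    return date(year, month, min(start.day, calendar.monthrange(year, month)[1]))

def required_tier(right: str, sensitive: bool) -> int:
    """1 = control of the registered account/e-mail; 2 = extra evidence (e.g. ID
    document) where acting on an impostor's request does the most damage."""
    return 2 if right in ("erasure", "portability") or sensitive else 1

@dataclass
class DSR:
    subject_id: str
    right: str        # access | rectification | erasure | portability | restriction | objection
    regime: str       # key of REGIMES
    received: date
    sensitive: bool = False
    verified_tier: int = 0
    extended: bool = False

    @property
    def deadline(self) -> date:
        rules = REGIMES[self.regime]
        due = add_period(self.received, *rules["initial"])
        return add_period(due, *rules["extension"]) if self.extended else due

    def extend(self, notified_on: date) -> bool:
        """One extension at most, and only if the requester was told before the initial deadline."""
        if self.extended or notified_on > self.deadline:
            return False
        self.extended = True
        return True

    def verify(self, tier: int) -> None:
        self.verified_tier = max(self.verified_tier, tier)

    def can_fulfil(self) -> bool:
        return self.verified_tier >= required_tier(self.right, self.sensitive)

def deadline_for(regime: str, received_iso: str, extended: bool = False) -> str:
    """ISO date in, ISO statutory deadline out."""
    d = DSR("-", "access", regime, date.fromisoformat(received_iso), extended=extended)
    return d.deadline.isoformat()

def export_for(dsr: DSR, fetch) -> list:
    """Bundle for an access/portability request. `fetch(subject_id)` is whatever query
    the data map points at; every row is re-checked so a sloppy join or prefix match
    cannot disclose another person's data."""
    if not dsr.can_fulfil():
        raise PermissionError(f"{dsr.right} for {dsr.subject_id}: tier "
                              f"{required_tier(dsr.right, dsr.sensitive)} verification required")
    rows = fetch(dsr.subject_id)
    strays = [r for r in rows if r["subject_id"] != dsr.subject_id]
    if strays:
        raise RuntimeError(f"refusing export: {len(strays)} row(s) belong to another subject")
    return rows

# Constructed sample store: two subjects whose identifiers share a prefix.
STORE = [
    {"subject_id": "u-1", "email": "ann@example.net", "orders": 3},
    {"subject_id": "u-10", "email": "bob@example.net", "orders": 1},
]

def fetch_exact(subject_id):
    return [r for r in STORE if r["subject_id"] == subject_id]

def fetch_prefix(subject_id):   # the kind of bug that hands u-10's row to u-1
    return [r for r in STORE if r["subject_id"].startswith(subject_id)]

def demo() -> dict:
    """Walk one GDPR access request through its lifecycle and report what happened."""
    dsr = DSR("u-1", "access", "gdpr", date(2024, 1, 31))
    out = {"initial": dsr.deadline.isoformat()}        # 2024-02-29 (clamped to month end)
    out["late_ext"] = dsr.extend(date(2024, 3, 5))     # False: not notified within the month
    out["ok_ext"] = dsr.extend(date(2024, 2, 20))      # True: now due 2024-04-29
    try:
        export_for(dsr, fetch_exact)
        out["blocked"] = False
    except PermissionError:
        out["blocked"] = True                          # unverified request is not acted on
    dsr.verify(1)                                      # e.g. signed-in session matches account
    try:
        export_for(dsr, fetch_prefix)
        out["leak_caught"] = False
    except RuntimeError:
        out["leak_caught"] = True                      # prefix query would have leaked u-10
    out["bundle"] = export_for(dsr, fetch_exact)
    out["deadline"] = dsr.deadline.isoformat()
    return out
```

Two design points worth noting. Month arithmetic is deliberate: a request received on 31 January is not due "in 30 days" but at the end of February, and an extension is only valid if the requester was notified before that initial deadline, which is why `extend` checks the notification date rather than simply flipping a flag. The export path treats the data-store query as untrusted: a data map tells you where the data is, but the query that pulls it can still be wrong, and the cheapest control against disclosing someone else's records is to re-check ownership of every row before it leaves the system.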

Risks of Getting It Wrong

Failing to properly handle data protection rights carries significant risks for both individuals and organizations.

For Individuals: What Can Go Wrong

If you don't exercise your rights, you may remain unaware of how your data is being used. This can lead to privacy violations, identity theft, or discrimination based on inaccurate data. For example, an outdated credit report could prevent you from getting a loan, while incorrect health data could affect your insurance premiums. Moreover, if you fail to request deletion of old accounts, your data may be exposed in a data breach—a risk that grows as companies accumulate more data.

Another risk is that organizations may deny your request incorrectly. If you don't follow up or escalate, you may accept a denial that should have been challenged. For instance, some companies claim they cannot delete data because it's needed for “legitimate interests,” but this exception is narrower than many think. Without pushing back, you lose control of your data.

For Organizations: Compliance and Reputational Risks

Non-compliance with DSR obligations can lead to regulatory fines. Under GDPR, fines can reach up to 4% of annual global turnover or €20 million, whichever is higher. Beyond fines, regulators can issue orders to stop processing data, which can disrupt business operations. Supervisory authorities have also fined organizations specifically for failing to answer access requests and for lacking a clear process for deletion, so DSR handling is not a second-tier obligation.

Reputational damage is often more costly than fines. News of mishandled DSRs can spread quickly on social media, eroding customer trust. A survey by a major consulting firm found that over 60% of consumers would stop doing business with a company after a serious privacy incident. For startups and small businesses, losing customer trust can be fatal.

There are also operational risks. A poorly designed DSR process can lead to missed deadlines, which can trigger a cascade of complaints and regulatory scrutiny. In some cases, organizations have inadvertently disclosed one person's data while responding to another's request—a violation that itself can lead to fines and lawsuits.

Frequently Asked Questions

Can I request my data from any company, even if I'm not a customer?
Generally, yes, if the company processes your personal data. For example, if a website uses tracking cookies to collect data about your browsing behavior, you have the right to request that data even if you haven't created an account. However, the company may ask for verification to confirm you are the data subject, and if it holds only a pseudonymous identifier (such as a cookie ID) that it cannot link to you, it may ask you to supply that identifier and cannot comply without it.

How long does a company have to respond to my request?
Under GDPR, the standard response time is one month from receipt. For complex or numerous requests, the company can extend this by up to two further months, but it must inform you within the first month and explain the reason for the delay. Other laws have similar timelines: CCPA requires a response within 45 days, with a possible 45-day extension, again with notice to you within the initial period.

Can a company charge me for making a request?
In most cases, no. Under GDPR, responding to a DSR must be free of charge unless the request is manifestly unfounded or excessive, particularly if it is repetitive. In such cases, the company may charge a reasonable fee or refuse to act. CCPA allows a business to charge a fee only if the request is excessive or repetitive.

What should I do if a company denies my request?
First, ask for the specific legal basis for the denial. If you believe the denial is unjustified, you can escalate by filing a complaint with the data protection authority in your jurisdiction. For example, in Europe, you would contact the supervisory authority of your country. In the US, CCPA is enforced by the California Privacy Protection Agency and the California Attorney General; the Federal Trade Commission (FTC) handles some privacy complaints under its unfair-and-deceptive-practices authority, and other states' privacy laws are enforced by their attorneys general.

Do I have to provide identification for every request?
Usually. The organization must verify your identity where it has reasonable doubts, to prevent disclosing someone else's data to an impostor; a request sent from the signed-in account or the registered email address often resolves that doubt on its own. The verification should be proportionate. For a simple access request, proof of control of the registered account or email might suffice. For a deletion request involving sensitive data, they may require a copy of your ID. If the verification request seems excessive, you can challenge it.

Can I request data in a specific format?
For data portability requests, you have the right to receive the data in a structured, commonly used, machine-readable format (like CSV or JSON). For access requests, the format should be understandable—often a PDF or a readable file. If the company offers a specific format, you can request an alternative if it's reasonable.

What happens if a company ignores my request?
If a company fails to respond within the statutory timeframe, you can file a complaint with the data protection authority. The regulator can investigate and impose fines. In some jurisdictions, you may also have the right to sue the company for damages. Document all communications and keep a record of your request.

Do data protection rights apply to deceased persons?
Generally, no. Data protection laws like GDPR apply only to living individuals. However, some countries have specific laws regarding the data of deceased persons, and you may need to check local regulations. In practice, many companies will delete or restrict access to a deceased person's data upon request from a family member, but they are not legally obligated under data protection law.
