Data subject rights: access, rectification, erasure — a workable procedure

A customer wants to see their data — or have it deleted. You have 30 days. Here's the procedure that gets it done without each request eating up half a week.

GDPR gives data subjects concrete rights. You must handle a request within 30 days (extendable once by 60). Here's what you need to have in place beforehand.

The five most important rights

\n
1. Right of access: what data do you hold on me?
\n
2. Right to rectification: correct this data because it's inaccurate.
\n
3. Right to erasure: delete everything you have on me (with exceptions).
\n
4. Right to data portability: give me my data in a standard format so I can switch to another provider.
\n
5. Right to object: to specific processing activities (often marketing).
\n

What do you need in order to deliver this?

\n
• A central inbox or form where requests come in.
\n
• An identity verification procedure (don't release data without confirming who's asking).
\n
• Data mapping: where does each piece of customer data live? (Ties back to the processing register.)
\n
• An export function in your tools (CRM, accounting, ticket system).
\n
• A deletion procedure for each system, including backups.
\n

Exceptions to erasure

\n
• Statutory retention obligations (7 years for financial data).
\n
• Legal defence of ongoing cases.
\n
• Vital interests of the data subject or third parties.
\n
• Historical research in the public interest.
\n

Reporting back to the data subject

Always respond in writing within 30 days. This applies to refusals too — including your reasoning and a reference to the right to lodge a complaint with the supervisory authority.

See also: GDPR pillar, retention periods.