Lokker

Data Subject Rights Implementation Guide

This guide provides practical, step-by-step instructions for implementing processes to handle data subject rights requests. Whether you're subject to GDPR, CCPA, CPRA, or state privacy laws, users have rights to access, delete, correct, and port their personal data. This guide shows you how to build and operate a system to honor these rights.


Overview of Data Subject Rights

What Are Data Subject Rights?

Data subject rights are legal entitlements that give individuals control over their personal information. Different regulations grant similar but slightly different rights:

Common Rights Across Regulations:

  • Right to Access: Users can request a copy of their personal data
  • Right to Delete: Users can request deletion of their personal data
  • Right to Correct: Users can request correction of inaccurate data
  • Right to Opt-Out: Users can opt out of data sales/sharing (CCPA/CPRA)
  • Right to Portability: Users can request their data in a portable format (GDPR)

Regulatory Requirements

Regulation | Access | Delete | Correct | Opt-Out | Portability | Response Time
-----------|--------|--------|---------|---------|-------------|---------------------------
GDPR       | Yes    | Yes    | Yes     | N/A     | Yes         | 30 days (can extend to 60)
CCPA/CPRA  | Yes    | Yes    | Yes     | Yes     | Limited     | 45 days (can extend to 90)
VCDPA      | Yes    | Yes    | Yes     | Yes     | Limited     | 45 days
CTDPA      | Yes    | Yes    | Yes     | Yes     | Limited     | 45 days

Key Points:

  • Most regulations require response within 30-45 days
  • Extensions are possible but must be communicated to the requester
  • You cannot charge fees for most requests (except excessive/repetitive requests under GDPR)
  • You must verify the identity of the requester before processing

Setting Up Request Intake

Option 1: Dedicated Email Address (Simplest)

Setup:

  1. Create dedicated email: privacy@yourcompany.com or datarequests@yourcompany.com
  2. Set up email forwarding to privacy team
  3. Use email filters to categorize requests
  4. Create email templates for acknowledgments

Pros:

  • Quick to implement
  • Low cost
  • Easy for users

Cons:

  • Manual tracking required
  • Risk of requests getting lost
  • Difficult to scale

Best For: Small organizations, low request volume

Option 2: Web Form

Setup:

  1. Create web form on your website (e.g., /privacy/request)
  2. Include fields for:
    • Request type (access, deletion, correction, etc.)
    • Name
    • Email address
    • Description of request
    • Identity verification information
  3. Store submissions in database or ticketing system
  4. Send automated acknowledgment email

Pros:

  • Better organization and tracking
  • Can integrate with ticketing systems
  • Easier to verify identity upfront
  • Scalable

Cons:

  • Requires development resources
  • May need maintenance

Best For: Most organizations, medium to high request volume

Option 3: Privacy Portal (Advanced)

Setup:

  1. Build or purchase privacy portal solution
  2. Users create accounts and submit requests
  3. Track request status in real-time
  4. Automated workflows and notifications

Pros:

  • Best user experience
  • Full automation possible
  • Comprehensive tracking
  • Can handle high volume

Cons:

  • Higher cost
  • More complex implementation
  • May require vendor selection

Best For: Large organizations, high request volume

Request Intake Checklist

Step 1: Choose Your Intake Method
  • Evaluate request volume (current and projected)
  • Assess available resources (budget, technical capacity)
  • Choose intake method (email, form, or portal)
  • Document chosen method in privacy policy
Step 2: Set Up Request Channels
  • Create dedicated email address (if using email)
  • Build web form (if using form)
  • Set up ticketing system or database
  • Configure automated acknowledgment emails
  • Test request submission process
Step 3: Create Request Templates
  • Acknowledgment email template
  • Identity verification request template
  • Request completion template
  • Extension notification template (if needed)
  • Denial notification template (with explanation)
Step 4: Document Process
  • Create internal process documentation
  • Train staff on request handling
  • Set up request tracking system
  • Establish escalation procedures
  • Create request response templates

Identity Verification

Why Identity Verification Matters

Before processing any data subject rights request, you must verify the requester's identity. This prevents:

  • Unauthorized access to someone else's data
  • Fraudulent deletion requests
  • Privacy violations

Verification Methods

For Email-Based Requests:

  1. Send verification email to the email address associated with the account
  2. Require requester to click verification link
  3. Only process request after verification
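The email-link verification flow above, as an added example (not the guide's own code): a signed, expiring, single-use token bound to the request id and to the email address already on file, so the link is only ever mailed to the address on record rather than one typed into the form. SERVER_KEY, the 24-hour lifetime and the in-memory used-token set are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed example key: in production load it from a secrets manager and rotate it.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
TOKEN_TTL_SECONDS = 24 * 3600


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_verification_token(request_id, email_on_file, now=None):
    """Mint a link token bound to one request and the address already on record."""
    now = time.time() if now is None else now
    body = {"rid": request_id, "email": email_on_file.strip().lower(),
            "exp": int(now + TOKEN_TTL_SECONDS), "nonce": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(json.dumps(body, separators=(",", ":")).encode()).decode()
    return f"{payload}.{_sign(payload)}"


def verify_token(token, request_id, email_on_file, used_tokens, now=None):
    """Return (ok, reason). Checks the MAC before parsing, then expiry, binding and single use."""
    now = time.time() if now is None else now
    payload, sep, sig = token.rpartition(".")
    if not sep:
        return False, "malformed"
    if not hmac.compare_digest(sig, _sign(payload)):    # constant-time comparison
        return False, "bad signature"
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body["exp"] < now:
        return False, "expired"
    if body["rid"] != request_id or body["email"] != email_on_file.strip().lower():
        return False, "token not bound to this request"
    if token in used_tokens:                             # a database row in production
        return False, "already used"
    used_tokens.add(token)
    return True, "verified"


if __name__ == "__main__":
    used = set()
    tok = issue_verification_token("REQ-42", "alice@example.com")
    print("verification link: https://example.invalid/privacy/verify?t=" + tok)
    print(verify_token(tok, "REQ-42", "alice@example.com", used))   # (True, 'verified')
    print(verify_token(tok, "REQ-42", "alice@example.com", used))   # (False, 'already used')
```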

For Account-Based Requests:

  1. Require user to log into their account
  2. Submit request through authenticated portal
  3. No additional verification needed (account login is verification)

For Phone/Postal Requests:

  1. Request additional identifying information:
    • Account number or user ID
    • Last 4 digits of payment method
    • Date of account creation
    • Recent transaction details
  2. Match information against records
  3. If match found, process request

Verification Requirements by Request Type

Request Type | Verification Level | Additional Info Needed
-------------|--------------------|--------------------------------------
Access       | High               | Email verification + account info
Delete       | High               | Email verification + account info
Correct      | Medium             | Email verification
Opt-Out      | Low                | Email verification usually sufficient
Portability  | High               | Email verification + account info

Identity Verification Checklist

Step 1: Establish Verification Standards
  • Define verification requirements for each request type
  • Create verification procedures document
  • Determine what information constitutes "sufficient verification"
  • Set up process for handling insufficient verification
Step 2: Implement Verification Process
  • Set up email verification system (if using email)
  • Configure account-based verification (if using portal)
  • Create verification request templates
  • Train staff on verification procedures
  • Test verification process
Step 3: Handle Verification Failures
  • Create process for insufficient verification
  • Document how to request additional information
  • Set timeline for verification attempts
  • Create denial template for unverified requests
  • Train staff on handling verification failures

Access Requests (Right to Know)

What Users Can Request

Users have the right to know:

  • What personal data you collect about them
  • How you use their personal data
  • Who you share their data with (third parties)
  • How long you retain their data
  • A copy of their personal data in a readable format

What Data to Include

Include:

  • Account information (name, email, username)
  • Profile information
  • Transaction history
  • Communication records (emails, support tickets)
  • Cookie and tracking data (if stored)
  • Marketing preferences
  • Location data (if collected)
  • Device information (if collected)

Do NOT Include:

  • Data about other people
  • Confidential business information
  • Data that would compromise security
  • Anonymized or aggregated data
  • Data you don't actually have

How to Locate User Data

Data Sources to Check:

  1. Customer databases (CRM systems)
  2. E-commerce platforms (order history, customer accounts)
  3. Email marketing platforms (subscriber lists, engagement data)
  4. Analytics platforms (Google Analytics, etc.)
  5. Support systems (ticket history, chat logs)
  6. Authentication systems (login records, IP addresses)
  7. Cookie/consent databases (consent preferences)
  8. Third-party vendors (if they store user data)

Data Compilation Process:

  1. Search all systems using user identifier (email, user ID)
  2. Export data from each system
  3. Compile into single document
  4. Remove duplicates
  5. Format for readability
  6. Include data source information

Response Format

Recommended Format:

  • PDF document with clear sections
  • Structured data (JSON or CSV) for technical users
  • Plain language explanations
  • Data source identified for each piece of data
  • Date range for time-based data

Example Structure:

Data Access Report for [User Name]
Request Date: [Date]
Report Date: [Date]

1. Account Information
- Name: [Name]
- Email: [Email]
- Account Created: [Date]
- Source: Customer Database

2. Transaction History
- [List of transactions]
- Source: E-commerce Platform

3. Marketing Preferences
- Email Marketing: Opted In
- Source: Email Marketing Platform

[... continue for all data categories]
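An added example (not part of the guide) of the compilation process and the report structure above: it searches constructed stand-ins for three systems by normalised email, drops duplicate rows and any row carrying another person's address, tags each section with its source, and renders both the plain-text layout shown and a JSON copy for technical users. System names and sample records are constructed.

```python
import json
from datetime import date

# Constructed stand-ins for three systems, each keyed or filtered by lowercase email.
CRM = {"alice@example.com": {"name": "Alice Smith", "email": "alice@example.com",
                             "account_created": "2021-03-04"}}
ORDERS = [
    {"email": "alice@example.com", "order_id": "A-1001", "total": "42.00", "date": "2024-05-01"},
    {"email": "alice@example.com", "order_id": "A-1001", "total": "42.00", "date": "2024-05-01"},  # duplicated export row
    {"email": "bob@example.com", "order_id": "B-7", "total": "9.99", "date": "2024-05-02"},
]
MARKETING = {"alice@example.com": {"email_marketing": "Opted In"}}

# Source name -> (report category, lookup function). Dict order becomes section order.
SOURCES = {
    "Customer Database": ("Account Information", lambda e: [CRM[e]] if e in CRM else []),
    "E-commerce Platform": ("Transaction History", lambda e: [o for o in ORDERS if o["email"] == e]),
    "Email Marketing Platform": ("Marketing Preferences", lambda e: [MARKETING[e]] if e in MARKETING else []),
}


def compile_access_report(user_email, request_date, report_date=None):
    """Search every source by the normalised identifier, drop duplicate rows and any row
    that carries another person's email, and tag each section with its source."""
    ident = user_email.strip().lower()
    sections = []
    for source, (category, lookup) in SOURCES.items():
        seen, records = set(), []
        for rec in lookup(ident):
            key = json.dumps(rec, sort_keys=True)   # canonical form for exact-duplicate detection
            if key in seen:
                continue
            seen.add(key)
            # Defence in depth: an over-broad export must never leak someone else's data.
            if rec.get("email", ident).lower() != ident:
                continue
            records.append(rec)
        if records:
            sections.append({"category": category, "source": source, "records": records})
    return {"subject": ident, "request_date": request_date,
            "report_date": report_date or date.today().isoformat(), "sections": sections}


def render_text(report):
    """Plain-language layout matching the example structure above (feed it to a PDF generator)."""
    lines = [f"Data Access Report for {report['subject']}",
             f"Request Date: {report['request_date']}", f"Report Date: {report['report_date']}", ""]
    for n, s in enumerate(report["sections"], 1):
        lines.append(f"{n}. {s['category']}")
        for rec in s["records"]:
            lines.extend(f"- {k}: {v}" for k, v in rec.items())
        lines.extend([f"- Source: {s['source']}", ""])
    return "\n".join(lines)


def render_json(report):
    """Structured copy for technical users; the same dict doubles as a portability export."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(render_text(compile_access_report("Alice@Example.com", "2025-01-10", "2025-01-17")))
```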

Access Request Checklist

Step 1: Receive and Acknowledge Request
  • Receive request through intake channel
  • Log request in tracking system
  • Send acknowledgment email within 2-3 business days
  • Include expected response timeline
  • Request identity verification if needed
Step 2: Verify Identity
  • Verify requester identity using established procedures
  • If verification fails, request additional information
  • Do not proceed until identity is verified
  • Document verification method used
Step 3: Locate and Compile Data
  • Search all data sources using user identifier
  • Export data from each system
  • Compile data into single document
  • Remove duplicates and irrelevant data
  • Format data for readability
  • Include data source information
Step 4: Review and Prepare Response
  • Review compiled data for completeness
  • Ensure no other users' data is included
  • Format response document
  • Include explanation of data categories
  • Add contact information for questions
Step 5: Deliver Response
  • Send response within required timeline (30-45 days)
  • Use secure delivery method (encrypted email or secure portal)
  • Confirm receipt with user
  • Document response in tracking system
  • Close request ticket

Deletion Requests (Right to Delete)

What Can Be Deleted

Generally Deletable:

  • Account information
  • Profile data
  • Marketing preferences
  • Cookie and tracking data
  • Communication records (after retention period)
  • Transaction history (after legal retention period)

Cannot Always Be Deleted:

  • Data required for legal compliance (tax records, financial records)
  • Data needed for ongoing contracts or services
  • Data subject to legal holds
  • Anonymized data (no longer personal data)
  • Data needed for fraud prevention

Deletion vs. Anonymization

Complete Deletion:

  • Remove data from all systems
  • Delete from backups (when possible)
  • Remove from third-party systems (if feasible)

Anonymization (Alternative):

  • Remove all identifying information
  • Keep data in anonymized form for analytics
  • No longer considered "personal data"

When to Use Each:

  • Delete: User explicitly requests deletion, no legal requirement to retain
  • Anonymize: Data needed for business purposes but can be anonymized

Deletion Process

Step-by-Step:

  1. Identify all data locations (same as access request)
  2. Check for legal retention requirements
    • Tax records: 7 years (US)
    • Financial records: 7 years
    • Legal holds: Until hold is released
  3. Delete or anonymize data based on requirements
  4. Notify third parties if data was shared
  5. Document deletion (what was deleted, when, why)
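An added example, not the guide's code, of steps 2, 3 and 5 above: each record is mapped to delete, anonymize, retain or review from a retention table, and the reason is written to an audit entry (what, when, why). The category names, the support-ticket window and the PII field list are assumptions; the 7-year figures are the guide's.

```python
from datetime import date

# Constructed retention policy: category -> (years to retain, reason); None means freely deletable.
# The 7-year figures follow the guide; the support-ticket window is an assumed example value.
RETENTION_RULES = {
    "account": None,
    "profile": None,
    "marketing_preferences": None,
    "tracking": None,
    "transactions": (7, "tax/financial record retention (7 years, US)"),
    "support_tickets": (2, "assumed contract-dispute window"),
}
PII_FIELDS = {"name", "email", "phone", "address", "ip", "user_id"}   # assumed direct identifiers


def _add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:                      # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def decide(category, record_date, legal_hold, today):
    """Map one record to delete / anonymize / retain / review, with the audit-log reason."""
    if legal_hold:
        return "retain", "legal hold in place; revisit when the hold is released"
    if category not in RETENTION_RULES:
        return "review", "no retention rule defined for this category"
    rule = RETENTION_RULES[category]
    if rule is None:
        return "delete", "no retention requirement"
    years, reason = rule
    expires = _add_years(record_date, years)
    if expires <= today:
        return "delete", f"retention period ended {expires.isoformat()}"
    return "anonymize", f"must retain until {expires.isoformat()}: {reason}"


def anonymize(record):
    """Strip direct identifiers so the row can stay for analytics. Quasi-identifiers
    (precise timestamps, rare values) may still need generalising before it is truly anonymous."""
    return {k: v for k, v in record.items() if k not in PII_FIELDS}


def plan_deletion(records, today, legal_holds=()):
    """records: dicts with record_id, category, date. Returns the what/when/why audit entries."""
    log = []
    for rec in records:
        action, why = decide(rec["category"], rec["date"], rec["record_id"] in legal_holds, today)
        log.append({"record_id": rec["record_id"], "category": rec["category"],
                    "action": action, "reason": why, "decided_on": today.isoformat()})
    return log
```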

Third-Party Deletion

If you've shared data with third parties:

  • Notify third parties of deletion request
  • Request they delete the data
  • Document third-party notifications
  • Follow up to confirm deletion (if possible)

Note: Under GDPR, you must inform third parties. Under CCPA, you must notify service providers.

Deletion Request Checklist

Step 1: Receive and Verify Request
  • Receive deletion request
  • Verify requester identity
  • Acknowledge request
  • Log in tracking system
Step 2: Assess Deletion Feasibility
  • Check for legal retention requirements
  • Review ongoing contracts or services
  • Check for legal holds
  • Determine if deletion or anonymization is appropriate
  • Document assessment
Step 3: Execute Deletion
  • Identify all data locations
  • Delete data from primary systems
  • Delete data from backups (when possible)
  • Anonymize data if deletion not possible
  • Notify third parties if data was shared
  • Document what was deleted and when
Step 4: Confirm Deletion
  • Verify deletion was successful
  • Send confirmation to user
  • Document deletion in tracking system
  • Close request ticket

Correction Requests (Right to Rectify)

What Can Be Corrected

Users can request correction of:

  • Inaccurate personal information
  • Outdated information
  • Incomplete information

Examples:

  • Wrong email address
  • Misspelled name
  • Outdated mailing address
  • Incorrect phone number
  • Wrong account preferences

Correction Process

Step-by-Step:

  1. Receive correction request with details of what needs correction
  2. Verify identity of requester
  3. Locate data to be corrected
  4. Verify correction is appropriate (not fraudulent)
  5. Update data in all systems where it appears
  6. Notify third parties if data was shared
  7. Confirm correction with user

Handling Disputed Information

If user disputes information you believe is accurate:

  • Document the dispute
  • Add note to record indicating dispute
  • Provide explanation to user
  • Allow user to add statement of dispute (GDPR requirement)

Correction Request Checklist

Step 1: Receive and Verify Request
  • Receive correction request with details
  • Verify requester identity
  • Acknowledge request
  • Log in tracking system
Step 2: Locate and Verify Data
  • Locate data to be corrected
  • Verify current data value
  • Assess if correction is appropriate
  • Check for fraud indicators
Step 3: Execute Correction
  • Update data in primary systems
  • Update data in all related systems
  • Notify third parties if data was shared
  • Document correction (what changed, when)
Step 4: Confirm Correction
  • Verify correction was successful
  • Send confirmation to user
  • Document correction in tracking system
  • Close request ticket

Portability Requests

What Is Data Portability?

Data portability allows users to receive their data in a structured, commonly used, and machine-readable format. This is primarily a GDPR requirement, though some US state laws have limited portability requirements.

Portable Data Formats

Recommended Formats:

  • JSON (JavaScript Object Notation) - Best for structured data
  • CSV (Comma-Separated Values) - Good for tabular data
  • XML - Alternative structured format
  • PDF - Human-readable but less portable

Best Practice: Provide data in multiple formats (JSON for technical users, PDF for readability)

What Data to Include

Include:

  • Data provided by the user (profile information, posts, etc.)
  • Data observed about the user (usage data, preferences)

Do NOT Include:

  • Derived data (analytics, inferences)
  • Data about other people
  • Data subject to third-party IP rights

Portability Request Checklist

Step 1: Receive and Verify Request
  • Receive portability request
  • Verify requester identity
  • Acknowledge request
  • Log in tracking system
Step 2: Compile Portable Data
  • Locate all user-provided data
  • Locate all observed data
  • Exclude derived data and third-party data
  • Format data in portable format (JSON/CSV)
Step 3: Deliver Portable Data
  • Create portable data file
  • Provide in multiple formats if possible
  • Include data dictionary or explanation
  • Send via secure method
  • Confirm receipt

Opt-Out Requests

CCPA/CPRA Opt-Out Rights

Under CCPA/CPRA, users have the right to opt out of:

  • Sale of personal information
  • Sharing of personal information (for cross-context behavioral advertising)

Opt-Out Methods

Required Methods:

  1. "Do Not Sell/Share My Personal Information" link on website
  2. Opt-out preference signal (GPC signal)
  3. Email opt-out (for email marketing)
  4. Phone opt-out (if you collect phone numbers)

Opt-Out Process

Step-by-Step:

  1. Receive opt-out request (via link, GPC signal, email, etc.)
  2. Verify identity (usually low threshold for opt-out)
  3. Process opt-out immediately (within 15 business days under CCPA)
  4. Stop selling/sharing user's personal information
  5. Honor opt-out for 12 months (then can request opt-in again)
  6. Notify third parties to stop using data
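An added example (not the guide's code) of the steps above: reading the Global Privacy Control signal, which the GPC specification carries as the request header Sec-GPC: 1, recording the opt-out, and refusing re-opt-in for 12 months. The subject key (an account id when logged in, otherwise a first-party cookie id) and the in-memory store are assumptions.

```python
from datetime import date, timedelta

OPTOUT_LOCK_DAYS = 365   # guide: honor the opt-out for 12 months before asking to opt back in


def gpc_opted_out(headers):
    """True when the browser sends the Global Privacy Control header 'Sec-GPC: 1'."""
    normalised = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    return normalised.get("sec-gpc", "").strip() == "1"


class OptOutRegistry:
    """Per-subject opt-out store (in-memory stand-in for the consent database)."""

    def __init__(self):
        self._prefs = {}

    def record_opt_out(self, subject, method, today):
        # Keep the earliest opt-out date so repeated signals do not restart the 12-month clock.
        self._prefs.setdefault(subject, {"opted_out_on": today, "method": method})

    def is_opted_out(self, subject):
        return subject in self._prefs

    def may_ask_to_opt_in(self, subject, today):
        pref = self._prefs.get(subject)
        return pref is None or today - pref["opted_out_on"] >= timedelta(days=OPTOUT_LOCK_DAYS)

    def try_opt_in(self, subject, today):
        """An explicit re-opt-in is only accepted once the 12-month window has passed."""
        if not self.may_ask_to_opt_in(subject, today):
            return False
        self._prefs.pop(subject, None)
        return True


def handle_request(headers, subject, registry, today):
    """Run on every request. Returns True only if selling/sharing this subject's data is allowed."""
    if gpc_opted_out(headers) and not registry.is_opted_out(subject):
        registry.record_opt_out(subject, "GPC signal", today)
    return not registry.is_opted_out(subject)
```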

Opt-Out Request Checklist

Step 1: Set Up Opt-Out Mechanisms
  • Add "Do Not Sell/Share" link to website footer
  • Implement GPC signal processing
  • Set up email opt-out process
  • Configure opt-out in consent management platform
Step 2: Process Opt-Out Requests
  • Receive opt-out request
  • Verify identity (low threshold)
  • Process opt-out immediately
  • Stop selling/sharing data
  • Notify third parties
  • Confirm opt-out with user
Step 3: Maintain Opt-Out Status
  • Store opt-out preference
  • Honor opt-out for 12 months
  • Prevent re-opt-in for 12 months
  • Monitor compliance with opt-out

Response Timelines and Extensions

Standard Response Timelines

Regulation | Standard Timeline | Extension Allowed | Maximum Timeline
-----------|-------------------|-------------------|-----------------
GDPR       | 30 days           | Yes, +30 days     | 60 days
CCPA/CPRA  | 45 days           | Yes, +45 days     | 90 days
VCDPA      | 45 days           | Yes, +45 days     | 90 days
CTDPA      | 45 days           | Yes, +45 days     | 90 days

When Extensions Are Allowed

GDPR Extensions:

  • Complex requests
  • Multiple requests from same user
  • Must notify the user of the extension within the original 30-day window

CCPA/CPRA Extensions:

  • Cannot reasonably respond within 45 days
  • Must notify the user of the extension within the original 45-day window
  • Can extend up to 90 days total
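An added example (not the guide's code) that turns the timeline table and the extension rules above into deadline arithmetic: an extension only moves the deadline if the user was notified within the original window, and each open request is classified as on track, at risk or overdue so it can be prioritised. Day counts are the guide's; the seven-day warning threshold is an assumption.

```python
from datetime import date, timedelta

# Standard and maximum calendar-day timelines from the table above.
TIMELINES = {"GDPR": (30, 60), "CCPA/CPRA": (45, 90), "VCDPA": (45, 90), "CTDPA": (45, 90)}
WARN_DAYS = 7   # assumed escalation threshold


def deadlines(regulation, received, extended=False, extension_notified_on=None):
    """Return the binding deadline and, when extended, whether the extension notice was timely."""
    standard, maximum = TIMELINES[regulation]
    base = received + timedelta(days=standard)
    if not extended:
        return {"deadline": base, "extension_valid": None}
    # The notice must go out inside the original window; otherwise the original deadline stands.
    valid = extension_notified_on is not None and received <= extension_notified_on <= base
    return {"deadline": received + timedelta(days=maximum) if valid else base,
            "extension_valid": valid}


def status(regulation, received, today, extended=False, extension_notified_on=None):
    """Classify one request relative to its binding deadline."""
    deadline = deadlines(regulation, received, extended, extension_notified_on)["deadline"]
    remaining = (deadline - today).days
    if remaining < 0:
        return "overdue"
    if remaining <= WARN_DAYS:
        return "at risk"
    return "on track"


def prioritize(requests):
    """Order open requests by binding deadline. Each request is a dict with id, regulation,
    received, and optional extended / extension_notified_on keys."""
    def key(r):
        return deadlines(r["regulation"], r["received"], r.get("extended", False),
                         r.get("extension_notified_on"))["deadline"]
    return [r["id"] for r in sorted(requests, key=key)]
```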

Extension Notification Requirements

Must Include:

  • Reason for extension
  • New expected response date
  • User's right to complain to regulator (GDPR)

Timeline Management Checklist

Step 1: Track Request Timelines
  • Log request receipt date
  • Calculate response deadline
  • Set reminders for deadline
  • Track progress toward deadline
Step 2: Request Extensions When Needed
  • Assess if extension is needed
  • Determine valid reason for extension
  • Notify user of extension within original timeline
  • Provide new expected response date
  • Document extension reason
Step 3: Meet Deadlines
  • Prioritize requests by deadline
  • Allocate resources to meet deadlines
  • Escalate if deadline at risk
  • Complete response before deadline

Documentation and Record-Keeping

What to Document

For Each Request:

  • Request date and time
  • Request method (email, form, etc.)
  • Request type (access, deletion, etc.)
  • Requester identity verification method
  • Request details
  • Response date
  • Response method
  • What data was provided/deleted/corrected
  • Any extensions requested
  • Any denials and reasons

Record Retention

Retention Period:

  • GDPR: Keep records for compliance audits (typically 3-5 years)
  • CCPA: Keep records for 24 months
  • Best Practice: Retain records for at least 3 years

Documentation Checklist

Step 1: Set Up Documentation System
  • Choose documentation system (database, ticketing system, spreadsheet)
  • Create request tracking template
  • Set up automated logging where possible
  • Train staff on documentation requirements
Step 2: Document Each Request
  • Log request receipt
  • Document identity verification
  • Record request processing steps
  • Document response details
  • Record any issues or challenges
Step 3: Maintain Records
  • Store records securely
  • Retain records for required period
  • Regularly review record completeness
  • Archive old records appropriately

Common Challenges and Solutions

Challenge 1: Locating All User Data

Problem: User data is scattered across many systems, making it difficult to find everything.

Solutions:

  • Create data inventory mapping all systems
  • Use centralized user ID where possible
  • Search by email address (most common identifier)
  • Check with third-party vendors
  • Document data locations for future requests

Challenge 2: Third-Party Data Deletion

Problem: You've shared data with third parties, and they may not delete it when requested.

Solutions:

  • Include deletion requirements in vendor contracts
  • Notify vendors of deletion requests
  • Request confirmation of deletion
  • Document vendor notifications
  • Consider vendor's deletion capabilities when selecting vendors

Challenge 3: Legal Retention Requirements

Problem: User requests deletion, but you're legally required to retain some data.

Solutions:

  • Clearly explain retention requirements to user
  • Delete what can be deleted
  • Anonymize data that must be retained
  • Document why data cannot be deleted
  • Set retention schedules to minimize retained data

Challenge 4: High Request Volume

Problem: Receiving many requests, struggling to process them all.

Solutions:

  • Automate where possible (portals, automated responses)
  • Prioritize by deadline
  • Consider vendor solutions for request management
  • Allocate dedicated staff
  • Streamline processes

Challenge 5: Identity Verification Failures

Problem: Cannot verify user identity, but user insists they're legitimate.

Solutions:

  • Request additional identifying information
  • Use account-based verification when possible
  • Document verification attempts
  • Provide clear explanation of verification requirements
  • Consider alternative verification methods

Implementation Checklist

Phase 1: Foundation (Week 1-2)

  • Choose request intake method
  • Set up request channels (email, form, or portal)
  • Create request tracking system
  • Develop identity verification procedures
  • Create request templates (acknowledgment, verification, response)
  • Document internal processes

Phase 2: Process Development (Week 3-4)

  • Map all data sources and locations
  • Create data inventory
  • Develop data compilation procedures
  • Create deletion procedures
  • Develop correction procedures
  • Set up portability processes
  • Configure opt-out mechanisms

Phase 3: Training and Testing (Week 5-6)

  • Train staff on request handling
  • Test request intake process
  • Test identity verification
  • Test data compilation
  • Test deletion process
  • Test response delivery
  • Refine processes based on testing

Phase 4: Launch and Monitoring (Week 7+)

  • Launch request intake system
  • Monitor request volume
  • Track response times
  • Review request quality
  • Refine processes based on experience
  • Regular process audits
  • Update documentation as needed


Last Updated: 2025-01-17