Apr 19

How to build a sustainable Data Subject Requests routine

As organizations continue to collect and process vast amounts of personal data, it is crucial to have an efficient and sustainable process for handling Data Subject Requests (DSRs). DSRs are requests made by individuals who wish to exercise their rights under the GDPR, such as the right to access their personal data, rectify inaccurate information, and erase their data.

Building a sustainable DSR routine requires a comprehensive approach that involves understanding and creating points of contact, training employees, deciding on ownership, gathering system knowledge, carrying a DSR register, filtering out information, and stress-testing the process.

Understand and create the DSR points of contact

The first step in building a sustainable DSR routine is to understand the various entry points for DSRs. These include email, web forms, phone calls, and social media channels. It is important to have a clear and user-friendly process for individuals to submit their requests through these entry points.

Train employees

It is crucial to train employees across the organization on how to detect DSRs and who to escalate them to. This ensures that DSRs are handled promptly and by the appropriate teams or individuals. The teams that will be handling the DSRs will have to receive increased training to provide them with a good understanding of the different types of DSRs and the steps involved in responding to them.

Carry a DSR register

DSRs should be documented to keep track of their volume and status. Under GDPR, organizations have 30 days to respond to DSRs. To ensure compliance, it is essential to maintain a DSR register that tracks the progress of each request and the response time. A ticker can be used to ensure that DSRs are responded to within the 30-day time limit.

Identity verification

One critical aspect of handling DSRs is ensuring that the requestor’s identity is verified before responding to the request. GDPR requires that organizations take measures to verify the identity of the requester adequately. The purpose of identity verification is to prevent unauthorized access to personal data.

Organizations can use various methods to verify the identity of the requester, such as requesting proof of identity documents or using two-factor authentication. It is crucial to have a clear and user-friendly process for submitting identity verification documents to avoid delays in responding to DSRs.

Gather system knowledge and streamline data extraction/erasure

It is crucial to have a good understanding of the systems and databases where personal data is stored. This knowledge can help streamline the data extraction and erasure process when responding to DSRs. The Record of Processing Activities (RoPA) can be leveraged to identify where to look for personal data.

Information sifting

Not all DSRs are straightforward, and some may require filtering out irrelevant information or personal data that relates to other individuals before providing a response. Teams responsible for handling DSRs should be trained on how to filter out information properly. Alternatively, organizations can seek the assistance of data protection professionals to filter out the information.

Dealing with Excessive Requests

Organizations may also face excessive or repetitive DSRs from the same requester. Excessive requests can be challenging to manage and may cause a significant workload for organizations. To deal with excessive requests, organizations can consider implementing a limit on the number of requests a single individual can make within a specific period.

Stress-Test the Process

No process is perfect from the get-go. It is highly advisable to stress-test the process. This involves simulating various DSR scenarios and assessing the effectiveness of the process. Any gaps or weaknesses identified during the stress test should be addressed promptly.


Handling DSRs is a critical aspect of GDPR compliance. Building a sustainable DSR routine involves a comprehensive approach that includes understanding and creating entry points, training employees, deciding on ownership, gathering system knowledge, carrying a DSR register, filtering out information, stress-testing the process, and verifying the identity of the requester. Organizations must also have a plan in place to deal with excessive or repetitive requests to avoid overwhelming their resources. By implementing these steps, organizations can efficiently handle DSRs while complying with GDPR requirements.

See more related posts »

Related blog posts