CKonnect Community

You’ve Received a Vague Data Access Request — What Now?

DSR
1 Reply
416 Views
CKonnect

A user sends a message saying, "I want to know what data you have on me." There is no mention of the specific right being exercised, no user ID, and the email is from a generic Gmail account. Your organisation operates globally and is subject to both GDPR and CCPA.

How would you handle this request?

  • What steps would you take to verify the identity of the requester?
  • Would you treat it as a formal DSR? Why or why not?
  • What would be your first response to this vague request?

Explain your approach clearly — think legal requirements, practical steps, and risk mitigation.

aftab.naukhaiz1997@gmail.com

I would treat the request as a valid data request under GDPR and CCPA. But first I would ask for more details and confirm the identity because this kind of vague data request is a common problem in data privacy.

  • Steps would be taken to verify the identity of the requester.

Send a prompt acknowledgement with a timeframe.

Confirmed registered email – used the registered email of the user.

Non-sensitive identifiers like full name and user ID.

  • Treat it as a formal DSR


Yes, this qualifies as a formal Data Subject Request (DSR) because it clearly invokes a right to access personal data.

  • Under GDPR, Article 15 entitles any person to receive “a copy of the personal data” we hold.
  • Under CCPA, consumers have the right to know the categories and specific pieces of personal data collected.

Even if vague, it triggers the clock for response timelines (one month for GDPR; 45 days for CCPA).

  • Draft first response 


Thank you for your request. To help us locate and provide you with the personal data we may hold, we need to first verify your identity and get some more information from you.

Please respond to this email with the following details:

  1. Your full name as it appears on your account or in our records.
  2. Any user ID, account number, or unique identifier you may have with our organization.
  3. The specific product or service to which your request relates.
  4. A brief description of the type of data you are looking for (account information, transaction history, communication logs or any other specific details).

Once we receive the above-mentioned information, we can proceed with your request in a secure and timely manner. We assure you that we will protect your privacy and ensure that we only provide personal data to the rightful owner.

We will keep this request open and look forward to your response.

Practical steps and risk mitigation.

  • Log the request in your DSR tracking system on day 0.
  • Flag any follow-up needed for identity verification.
  • Escalate unclear or high-risk cases to your privacy officer.
  • Maintain a record of all communications and decisions.

Follow the link https://www.ckonnect.co.in/blog/privacy-team-pulse-7/data-subject-request-dsr-85
