Templates · Compliance & Safety
Data subject request (DSAR) handling SOP template
Receive, verify, fulfill, and document privacy requests — access, deletion, export — inside the legal clock, without making it up per request.
For: Whoever answers privacy@ — usually support or ops wearing the compliance hat.
Privacy requests arrive rarely enough that nobody remembers the process and legally enough that winging it is dangerous. GDPR gives you a month; CCPA 45 days; both punish silence harder than imperfection. This template is the checklist you’ll be glad exists the day a deletion request lands in the support queue.
Adapt to the regulations that actually apply to you, and have counsel review the result — this is a template, not legal advice.
Intake
Recognize a request wherever it lands
DSARs don’t arrive labeled. “Delete my account and everything you have on me” in a support ticket is a legal request. Train everyone who touches inbound channels to recognize the patterns — access (“what do you have on me?”), deletion, correction, export/portability, and marketing opt-out — and route them to the privacy queue the same day. The clock starts when the request arrives, not when the right person notices it.
Log it immediately
One register entry per request: date received, requester, channel, request type(s), regulation likely in play, and the statutory deadline computed now. Acknowledge receipt to the requester within three working days, stating the deadline you’re working to.
Verification
Verify identity proportionally
Before disclosing or deleting anything, verify the requester controls the identity in question — normally by confirming from the account’s registered email or an in-product request. Ask for the minimum extra proof necessary; demanding a passport scan for a newsletter opt-out is its own privacy failure. Requests from third parties (lawyers, family members) require documented authority.
Scope the request
Confirm in writing what the requester wants — many “delete everything” requests, once acknowledged, become “actually just stop the emails”. Clarifying is allowed and pauses nothing unless the regulation says otherwise; guessing serves no one.
Fulfillment
Know your data map
Fulfillment is only hard when you don’t know where personal data lives. Maintain the map as part of this SOP: production database, backups, analytics, support tickets, email marketing, payment processor, logs, and each vendor from the vendor register that touches personal data. Every fulfillment walks this list — that’s what “we deleted your data” actually means.
Execute by type
Access/export: compile the person’s data from the map into a readable format; exclude other people’s data and anything legally exempt. Deletion: delete or anonymize across the map, including forwarding the request to relevant processors; document what’s retained under legal obligation (invoices, tax records) and say so in the response. Correction: fix, confirm, done. Record each system touched with a timestamp as you go.
Respect the exceptions honestly
You may retain what the law requires you to keep (financial records) or what an active legal claim needs — but the response must name the retained categories and the reason, not silently keep things.
Response and records
Respond inside the clock
The final response states what was done per system category, what was retained and why, and where to complain (your DPA contact, the supervisory authority). If a complex request genuinely needs the extension your regulation allows, invoke it in writing before the original deadline.
Keep the file
Register entry, verification evidence, the fulfillment checklist with timestamps, and the response — kept together. This file is your defense if a regulator ever asks; the request you handled well but can’t prove is legally identical to one you ignored.
Quiz — the reflex checks
- A deletion demand arrives as an angry support ticket. When does the legal clock start?
- What do you verify before disclosing data, and what’s over-verification?
- Can you delete invoices on request? What must the response say instead?
- Name the systems on our data map from memory — then check what you missed.
Related templates
Procedures that pair with this one
Workplace incident reporting
Immediate response, factual reporting, investigation, and corrective action for workplace injuries and near-misses — with signatures where acknowledgment is required.
View templateEmployee offboarding & access revocation
The security-critical exit checklist: access revoked in the right order, equipment recovered, knowledge handed over, and a signature confirming it all happened.
View templateSupport escalation
When to escalate, to whom, and with what context — so hard tickets move up with their history attached instead of starting over.
View templateUse this template
Make it your team's living procedure
Import this template into Playbook, adapt it with Smart Outline, and assign it — with the quizzes, signatures, and version history built in. Published playbooks ground your Airclou Helpdesk AI, too.
Free 14-day trial · No credit card · Cancel anytime