Blog
The Complete Guide to Data Subject Rights for Small Businesses
When a customer asks to see, correct, or delete their data, you have legal obligations and deadlines. This guide explains every data subject right, when it applies, and how to build a process that handles requests without disrupting your business.
A customer emails asking for a copy of all the data you hold about them. A former employee requests deletion of their records from your systems. A prospect asks you to stop sending them marketing and remove their details from your database. A job applicant asks why their application was unsuccessful and wants to see any profiling data used in the decision.
These are all data subject requests. Under GDPR and equivalent laws, you have legal obligations when they arrive — and a one-month deadline to respond.
Most small businesses have never received a formal data subject request. Most will, and many have already received informal equivalents that they handled without recognising the legal framework. This guide explains every right that individuals have, when each applies, and how to build a process that handles requests without disruption.
The seven rights
Right of access (Article 15 GDPR)
What it is: an individual can request a copy of all personal data you hold about them, together with information about how you are using it.
What you must provide:
- Confirmation of whether you process personal data about them
- A copy of the personal data (in a commonly used electronic format if requested)
- The purposes for which you process it
- The categories of data you process
- Who you share it with (recipients or categories of recipients)
- How long you retain it
- Information about their other rights
- The source of the data if not collected directly from them
Timescale: one month from receipt. Extendable by up to two further months for complex or numerous requests, but within the first month you must tell the individual that you are extending and why.
Common mistakes: providing an incomplete response (missing data from some systems), providing data relating to other individuals in the response (redact third-party information), failing to provide the supplementary information required alongside the data copy.
When it may not apply in full: where disclosure would adversely affect the rights of others, or where legal professional privilege applies to specific documents.
Right to rectification (Article 16 GDPR)
What it is: an individual can request correction of inaccurate personal data you hold about them, and completion of incomplete personal data.
What you must do: correct the inaccuracy or complete the data without undue delay, and within one month at the latest. If you have shared the inaccurate data with processors or other recipients, you must inform them of the rectification.
When you can decline: you do not have to make a “correction” that would make your records inaccurate, for example changing a date when you hold contemporaneous evidence that the requested date is wrong. If you decline, note on the record that the individual disputes the entry, and document your reasoning.
Right to erasure (“right to be forgotten”) (Article 17 GDPR)
What it is: an individual can request deletion of their personal data. This is often the most anxiety-inducing right for small businesses, but it is subject to important limitations.
When it applies:
- The data is no longer necessary for the purpose for which it was collected
- The individual withdraws consent (where consent was the lawful basis)
- The individual objects to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required to comply with a legal obligation
When it does not apply:
- You are processing the data under a legal obligation (e.g., tax records must be retained for a defined period)
- The processing is necessary for the establishment, exercise, or defence of legal claims
- The processing is necessary for archiving, research, or statistical purposes in the public interest
Common practical situation: a former customer requests erasure. You can delete their marketing data and general contact records. You cannot delete invoices and payment records while you are legally required to retain them (financial records typically carry a statutory retention period of six or seven years, depending on jurisdiction). Explain clearly what you are deleting, what you are retaining, and why.
Right to restriction of processing (Article 18 GDPR)
What it is: an individual can request that you stop processing their data (without necessarily deleting it) in specific circumstances.
When it applies:
- They contest the accuracy of their data — restrict processing while you verify accuracy
- The processing is unlawful but they prefer restriction to erasure
- You no longer need the data but they need it for legal claims
- They have objected to processing and you are assessing whether your legitimate grounds override their objection
What restriction means in practice: you keep the data but do nothing with it beyond storing it, unless the individual consents, or the processing is needed for legal claims, to protect another person's rights, or for important public interest reasons. You must inform the individual before lifting a restriction.
Right to data portability (Article 20 GDPR)
What it is: an individual can request a copy of their personal data in a structured, commonly used, machine-readable format, and can request that you transmit it directly to another controller.
When it applies: only where the lawful basis is consent or contract, and the processing is carried out by automated means.
Practical scope for SMBs: this right typically applies to data that the individual provided to you directly — their profile information, their transaction history, their preferences. It does not apply to data you derived or inferred about them.
Format: CSV is generally acceptable. The individual should be able to take this file and import it into a comparable service.
Right to object (Article 21 GDPR)
What it is: an individual can object to processing of their personal data.
Absolute right — direct marketing: if an individual objects to processing for direct marketing purposes, you must stop immediately. There are no grounds on which you can continue. This applies to profiling for marketing purposes as well.
Qualified right — legitimate interests: if your lawful basis is legitimate interests (or public task), the individual can object. You must stop unless you can demonstrate compelling legitimate grounds that override their interests, rights, and freedoms, or the processing is for the establishment, exercise, or defence of legal claims.
Rights related to automated decision-making (Article 22 GDPR)
What it is: individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects on them.
When it applies: automated credit decisions, automated recruitment screening, automated pricing, and similar. If a human meaningfully reviews and can override the automated decision, this right typically does not apply.
For SMBs: most SMBs do not conduct purely automated decision-making of the type that triggers this right. If you use AI tools in client-facing decisions, review whether the human oversight in your process is meaningful or performative.
Building the process
Step 1: Create a designated request channel
Establish a dedicated email address or form for data subject requests (e.g., privacy@yourbusiness.com or data@yourbusiness.com). This ensures requests are not lost in a general inbox and creates a clear starting point for tracking.
Step 2: Build a request log
Maintain a simple spreadsheet or system entry for every request received, recording: date received, type of request, name of individual, deadline (one month from receipt), status, and outcome.
Step 3: Write standard acknowledgement templates
Prepare template responses for each type of request acknowledging receipt, confirming the deadline, and asking for identity verification if required.
Step 4: Map your data systems
You cannot respond to an access or erasure request without knowing where personal data lives. For each type of request, document which systems need to be checked: CRM, email, cloud storage, accounting software, HR system, marketing platform, and any other tool where customer or employee data may exist.
Step 5: Assign responsibility
One named person should own data subject rights responses. For a small business, this may be the owner or a senior manager. For a larger SMB, it may be the person responsible for compliance. Without a named owner, requests fall through the gaps.
Step 6: Test the process
Before a real request arrives, run a test. Use a team member’s name and walk through the process end to end: receiving the request, logging it, identifying all relevant data, preparing the response, and meeting the deadline. The gaps revealed in a test are far cheaper to fix than those revealed in a complaint investigation.
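The six steps above amount to a request log with a deadline clock and a per-system checklist. The following is an added example of such a log, written for this guide rather than taken from any product or regulator: it computes the one-month deadline (including the calendar quirk that a request received on 31 January is due on the last day of February, since there is no corresponding date), enforces that an extension is only recorded if the individual was notified within the first month, and refuses to close a request while any mapped system is still unchecked. The system names under each request type are a constructed, hypothetical data map to be replaced with your own; weekend and public-holiday rollover of deadlines is deliberately not modelled, and the clock is started on the day of receipt, as the guide describes.

```python
"""Minimal data subject request (DSR) log: deadline arithmetic and a per-system
checklist. Added example for this guide; the system names under each request
type are a constructed, hypothetical data map, not a reference mapping."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date

# Assumed data map (Step 4). Replace with the systems your own business uses.
SYSTEMS_TO_CHECK: dict[str, list[str]] = {
    "access":        ["CRM", "email", "cloud storage", "accounting", "HR", "marketing"],
    "rectification": ["CRM", "accounting", "HR", "marketing"],
    "erasure":       ["CRM", "email", "cloud storage", "accounting", "HR", "marketing"],
    "restriction":   ["CRM", "marketing"],
    "portability":   ["CRM", "accounting"],   # data the individual provided, not derived data
    "objection":     ["marketing", "CRM"],
}


def add_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` later. When the target month has no
    such day (31 Jan + 1 month), use its last day; this is the convention
    regulators apply to the one-month GDPR response period. Weekend and public
    holiday rollover is deliberately not modelled here."""
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    return date(year, month, min(start.day, calendar.monthrange(year, month)[1]))


@dataclass
class Request:
    request_id: str
    received: date           # clock starts on the day the request arrives
    kind: str                # key into SYSTEMS_TO_CHECK
    individual: str
    extended_on: date | None = None
    completed_on: date | None = None
    systems_done: set[str] = field(default_factory=set)
    log: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.kind not in SYSTEMS_TO_CHECK:
            raise ValueError(f"unknown request type: {self.kind}")
        self.log.append(f"{self.received}: received, deadline {self.deadline()}")

    def deadline(self) -> date:
        # One month, or three months in total once an extension has been notified.
        return add_months(self.received, 3 if self.extended_on else 1)

    def extend(self, notified_on: date, reason: str) -> None:
        """Article 12(3) extension: only valid if the individual is told within
        the first month, with the reason for the delay."""
        if notified_on > add_months(self.received, 1):
            raise ValueError("extension must be notified within the first month")
        self.extended_on = notified_on
        self.log.append(f"{notified_on}: extended ({reason}), new deadline {self.deadline()}")

    def mark_checked(self, system: str, on: date, note: str = "") -> None:
        if system not in SYSTEMS_TO_CHECK[self.kind]:
            raise ValueError(f"{system} is not in the data map for {self.kind}")
        self.systems_done.add(system)
        self.log.append(f"{on}: {system} checked {note}".rstrip())

    def outstanding(self) -> list[str]:
        return [s for s in SYSTEMS_TO_CHECK[self.kind] if s not in self.systems_done]

    def close(self, on: date, outcome: str) -> None:
        if self.outstanding():
            raise ValueError(f"cannot close, systems unchecked: {self.outstanding()}")
        self.completed_on = on
        self.log.append(f"{on}: closed, {outcome}")

    def status(self, today: date) -> str:
        if self.completed_on:
            return "closed late" if self.completed_on > self.deadline() else "closed"
        return "overdue" if today > self.deadline() else "open"


def overdue(requests: list[Request], today: date) -> list[str]:
    """Request IDs whose deadline has passed without a response."""
    return [r.request_id for r in requests if r.status(today) == "overdue"]


if __name__ == "__main__":
    # Constructed walkthrough: an access request received on 31 January 2024.
    r = Request("DSR-0001", date(2024, 1, 31), "access", "test colleague")
    print("deadline:", r.deadline())              # 2024-02-29 (no 31 February)
    r.extend(date(2024, 2, 20), "data held across six systems")
    for system in SYSTEMS_TO_CHECK["access"]:
        r.mark_checked(system, date(2024, 3, 5))
    r.close(date(2024, 3, 8), "copy provided, third-party names redacted")
    print("\n".join(r.log))
```

Running the walkthrough in the block is a cheap version of the test in Step 6: the log it prints is exactly the record the documentation section below says you will need if a complaint is made, and the `close()` guard is what stops an access response going out with one system unchecked.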
Handling difficult requests
Requests from individuals you cannot identify: you are entitled to ask for information to verify the individual’s identity before responding to a request. You cannot ask for disproportionate identification. A reasonable request for a name, email address, and one confirming detail is acceptable.
Requests that would reveal third-party data: if responding to an access request would require disclosing personal data about another individual (e.g., emails that include a colleague’s details), redact the third-party information before responding.
Manifestly unfounded or excessive requests: you may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive. The burden of showing that a request meets that bar falls on you, and supervisory authorities interpret the exception narrowly; document your reasoning carefully if you rely on it.
Requests from former employees: former employees retain the same rights as current employees. The retention obligations that apply to their data (payroll records, tax records, legal claim-related records) still apply; data that is no longer necessary must be deleted.
The documentation requirement
Every request handled, the decision made, and the outcome must be documented. This documentation is what you present to a supervisory authority if a complaint is made about how you handled a request. Without it, the complaint investigation proceeds on the individual’s account of events rather than yours.
The documentation does not need to be elaborate. The request log entry with the timeline, the decision, and the response is sufficient for most requests. For complex decisions — particularly partial refusals or exemptions claimed — document the reasoning at the time of the decision, not after a complaint has been made.