Most people running a business online never expect to get a legal notice from a “data subject.” The phrase alone sounds like something out of a courtroom drama, but it’s actually just a human asking for what the law already gives them — the right to know what information you’ve got on them. I still remember the first time I got one. The letter looked intimidating: words like “GDPR,” “personal data request,” and “statutory response period” jumped off the page. My first thought? “Am I in trouble?” My second thought? “I really need to understand what this means.”
Turns out, most of the time, it’s not a threat. It’s a request — a person exercising their right to access, correct, or erase their personal information under laws like the General Data Protection Regulation (GDPR) in the EU (the UK kept its own copy, the UK GDPR, after Brexit) or the California Consumer Privacy Act (CCPA) in California. These laws were built on one simple idea: people should have control over their own data. They can ask you what you’ve collected, why you collected it, who you’ve shared it with, and what you’re doing with it. They can even ask you to delete it entirely.
But here’s the part a lot of small businesses and startups miss: the law expects you to respond. Not later, not “eventually.” Under the GDPR you have one month to reply, and under the CCPA you have 45 days. That clock starts the day you receive the request, not the day you get around to reading it. Both laws allow an extension for genuinely complex or numerous requests (two further months under the GDPR, another 45 days under the CCPA), but only if you tell the person within the original deadline that you need more time and why. Ignoring a request or sending a vague reply isn’t just bad form; it is a breach in its own right, and the person can complain to the regulator. The UK Information Commissioner’s Office (ICO) has taken enforcement action against organisations for failing to answer legitimate requests on time, even where the cause was nothing more sinister than disorganisation and a backlog.
So what does a real-world, grounded response look like? The first step is to slow down. Read the request carefully. Who’s making it? Are they asking for access to their data, correction of an error, or deletion (the right to erasure, better known as the “right to be forgotten”)? These distinctions matter, because each one gets a different answer. Next, confirm that the requester is who they say they are before you disclose anything: an access request is a convenient pretext for someone trying to pull another person’s records out of you, and the GDPR explicitly lets you ask for additional information to confirm identity when you have reasonable doubts. Match the request against what you already hold (the email address on the account, an order number) and keep the check proportionate; nobody should be asked for a passport scan to find out what a newsletter list stores about them. Once that’s settled, if someone simply wants to know what data you hold about them, you don’t need a legal team — you just need to gather what’s relevant and respond clearly.
When I first dealt with one, I overcomplicated everything. I pulled in my web host, my analytics provider, my email platform — the whole digital neighborhood. But what I learned later from an EU Commission overview is that the spirit of the law isn’t to overwhelm you — it’s to make you transparent. The best response I ever sent was the simplest one: a clear, friendly message that said, “Here’s what we store, why we store it, and how we use it.” I attached a short table with the data fields (name, email, form submissions) and explained how the person could opt out. That’s it. The person even thanked me. They just wanted to know they were seen and heard.
There’s another angle that doesn’t get talked about enough — tone. When you get a legal notice, it’s easy to go defensive. “Why are they doing this?” “Are they trying to sue me?” But the truth is, most data subject requests are made out of curiosity or caution, not hostility. People are overwhelmed by how much of their lives exist in digital systems. The Pew Research Center found that over 70% of Americans feel they have little control over how companies use their data. A good response doesn’t just meet the legal requirement — it restores trust.
Of course, there are limits. If someone asks for data that isn’t theirs, you can refuse, and if handing over a record would expose another person’s information, you redact that part rather than withholding the whole thing. The GDPR also lets you refuse, or charge a reasonable fee for, requests that are “manifestly unfounded or excessive,” for instance a stream of repeat requests for the same data. But even then you’re expected to act within the same one-month window: tell the person you’re not complying, explain why, and point them to their right to complain to the supervisory authority or go to court. The point isn’t to shut people out; it’s to stay accountable.
One friend of mine who runs a small online store got a deletion request from a customer who’d bought products years ago. She panicked, thinking she had to erase every record, even invoices. But the truth is, some data has to stay for legal reasons. Tax records, payment histories — you can’t just delete those. The GDPR itself makes exceptions for compliance with other laws. The key is to tell the person that: “We deleted what we can, but certain records must stay due to tax law.” People usually understand when you communicate with honesty.
Another important piece: document everything. Every email, every response, every clarification. If an authority ever asks how you handled a request, having a record of your process shows you acted in good faith. It’s like insurance against confusion later. At a minimum, log the date the request arrived and the channel it came through, who made it and how you confirmed their identity, exactly what they asked for, the date the deadline falls on, what you sent back (and what you withheld and why), and the date you closed it. The ICO’s guide to data protection explicitly recommends keeping a log of all requests, even informal ones made by phone or in passing, to prove you’re tracking them; a request doesn’t have to mention the GDPR, or even be in writing, to count.
I’ll admit, I’ve seen both sides of this. Once, a client of mine received a notice that looked legitimate but turned out to be a scam. The sender copied legal phrases from GDPR templates but used a fake domain to phish for information. That’s another reminder: verify the sender before replying. Look at the actual address behind the display name, not just the name your mail client shows; check whether your mail server reports the message as passing DKIM and SPF for that domain (most providers record this in an Authentication-Results header you can see in the raw message); notice whether a Reply-To header quietly redirects your answer to a different domain; and treat urgency, threats of immediate fines, or a demand to send the data to some third party’s address as red flags. If anything feels off, confirm the request through a channel you already trust, such as the email address or phone number on the person’s account, before you hand over any data. The Federal Trade Commission has a great resource on spotting phishing attempts disguised as legal requests.
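Here is that sender check written out as a small Python script. It is an added example, not code from the original post; it uses only the standard library and assumes the receiving mail server stamps an Authentication-Results header (RFC 8601) on incoming mail, which is where the DKIM and SPF verdicts come from. The three messages at the top are constructed for the example, and the domains in them (example.com, shop.example, examp1e-privacy.net, mail.example.org) are placeholders.

```python
"""Triage the sender of an incoming "data subject request" e-mail before replying.

Added example, not code from the original post. Checks the signals discussed
above: does the From: domain match the domain that passed DKIM, did SPF pass,
and does Reply-To: redirect the conversation somewhere else. Assumes the
message arrived via a mail server that adds an Authentication-Results header
(RFC 8601). An empty warnings list means the headers are consistent; it does
not prove the request is genuine, so identity checks still apply.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample messages (not real mail). Long headers are folded the way
# a mail server would fold them; the parser unfolds them.
GENUINE = (
    b"From: Jane Doe <jane@example.com>\n"
    b"To: privacy@shop.example\n"
    b"Authentication-Results: mx.shop.example;\n"
    b" dkim=pass header.d=example.com header.i=@example.com;\n"
    b" spf=pass smtp.mailfrom=example.com\n"
    b"Subject: Subject access request\n"
    b"\n"
    b"Please send me the personal data you hold about me.\n"
)

SUSPICIOUS = (
    b"From: GDPR Compliance <legal@example.com>\n"
    b"Reply-To: legal-team@examp1e-privacy.net\n"
    b"To: privacy@shop.example\n"
    b"Authentication-Results: mx.shop.example;\n"
    b" dkim=pass header.d=examp1e-privacy.net;\n"
    b" spf=softfail smtp.mailfrom=examp1e-privacy.net\n"
    b"Subject: URGENT: statutory response period\n"
    b"\n"
    b"Send the full customer export to the address above within 24 hours.\n"
)

NO_AUTH = (
    b"From: <subject@mail.example.org>\n"
    b"To: privacy@shop.example\n"
    b"Subject: my data\n"
    b"\n"
    b"What do you hold about me?\n"
)


def domain_of(header) -> str:
    """Lower-cased domain of the first address in a From:/Reply-To: header."""
    if not header:
        return ""
    _name, addr = parseaddr(str(header))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header: str) -> dict:
    """Extract dkim/spf verdicts and the DKIM signing domain (header.d=)
    from an Authentication-Results header. Returns {} if it is absent."""
    if not header:
        return {}
    out = {}
    if (m := re.search(r"\bdkim=(\w+)", header)):
        out["dkim"] = m.group(1).lower()
    if (m := re.search(r"header\.d=([\w.-]+)", header)):
        out["dkim_domain"] = m.group(1).lower()
    if (m := re.search(r"\bspf=(\w+)", header)):
        out["spf"] = m.group(1).lower()
    return out


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return the sender domains, the
    authentication verdicts and a list of human-readable warnings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To")) or from_domain
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    warnings = []
    if not auth:
        warnings.append("no Authentication-Results header: sender cannot be verified")
    else:
        if auth.get("dkim") != "pass":
            warnings.append(f"DKIM did not pass ({auth.get('dkim', 'none')})")
        elif auth.get("dkim_domain") != from_domain:
            # Signature is valid but for a different domain: classic lookalike.
            warnings.append(f"DKIM signed by {auth.get('dkim_domain')} but From: is {from_domain}")
        spf = auth.get("spf")
        if spf is not None and spf != "pass":
            warnings.append(f"SPF result {spf}")
    if reply_domain != from_domain:
        warnings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")
    if "xn--" in from_domain or any(ord(c) > 127 for c in from_domain):
        warnings.append("From: domain uses punycode/non-ASCII characters (possible lookalike)")
    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "auth": auth, "warnings": warnings}


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("suspicious", SUSPICIOUS), ("no auth", NO_AUTH)):
        result = triage(raw)
        print(f"{label:11} from={result['from_domain']}: {result['warnings'] or 'headers consistent'}")
```

Run it on the raw source of a message (most mail clients have a "show original" or "view source" option). The suspicious sample trips three warnings: a DKIM signature from a different domain than the one shown in From:, a non-passing SPF result, and a Reply-To pointing at that other domain. The third sample shows the failure mode where the server adds no Authentication-Results header at all, in which case the script says so rather than silently passing the message.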
Here’s what I tell clients now when they ask what to do: breathe first, respond second. You don’t need a lawyer for every request, but you do need to treat it seriously. Answer politely, clearly, and on time. Even if you can’t fulfill the exact request, explain why. Transparency goes a long way. You’re not just following the law — you’re building credibility with the people who trust you enough to use your service.
At its core, data rights aren’t about forms or deadlines — they’re about respect. When someone takes the time to write to you about their information, what they’re really saying is, “I want to feel safe in your hands.” How you answer that question, legally or emotionally, says everything about your integrity.
For more guidance, the UK Information Commissioner’s Office and GDPR.eu both publish free templates for data access and deletion responses. If you’re in the U.S., the California Attorney General’s CCPA portal has an excellent breakdown of business obligations. And if you ever find yourself unsure, remember this: silence breeds distrust. Clarity builds confidence.
So don’t panic the next time you see a data request email in your inbox. Just open it, take a breath, and start from a place of transparency. A respectful response today might be the very thing that keeps your business trusted tomorrow.