The 7 GDPR data subject rights

  1. Access: Right to know what data you hold about them
  2. Rectification: Right to correct inaccurate data
  3. Erasure: Right to deletion ("right to be forgotten")
  4. Restriction: Right to limit processing
  5. Portability: Right to receive data in machine-readable format
  6. Object: Right to object to processing
  7. Withdraw consent: Where applicable

Common B2B mistake: "but they're a business contact"

Business contact data is still personal data under GDPR if it identifies an individual. "John Smith, VP at Acme" is personal data even though it appears in a business context. All 7 rights apply.

30-day response window

You must respond to a data subject request within 30 days. Extensions are possible (up to 60 more days) for complex cases, with notification.

Process for handling requests

  1. Verify the identity of the requester
  2. Search all your systems for matching records
  3. Compile or delete the data
  4. Respond in a machine-readable format (JSON or CSV)
  5. Document the request and response

GDPR-positioned tooling

Lead4Linked supports a 30-day deletion SLA on subject requests.
