
DSR Fulfillment Timeline: What You Should Know

Published September 12, 2023
Contributors

Anas Baig

Product Marketing Manager at Securiti

Adeel Hasan

Sr. Data Privacy Analyst at Securiti

CIPM, CIPP/Canada


In today’s digital world, numerous data privacy regulations worldwide have provided control to individuals with respect to their personal data by granting data subjects several rights.

Known popularly as data subject rights (DSR) requests, these allow users to contact organizations collecting and processing their data and exercise their data subject rights, such as the right to access, modify, or delete, among others.

For organizations, honoring DSR requests is a strict legal obligation. Hence, having absolute clarity related to the timeline in which such DSR requests must be honored under applicable privacy laws is critical to eventual compliance with such requests.

Organizations often ask when the clock for completing a data subject’s rights request starts: when the request comes in, or after the individual’s identity has been verified? Read on to learn more about the DSR fulfillment timeline under the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA).

DSR Fulfillment Timeline Under the GDPR

Before an organization can begin addressing a DSR request, it needs clarity on the timeline it should follow. The European Data Protection Board (EDPB) released an updated guide on data subject’s right of access on 28 March 2023, which provides guidance on timelines, suspension, and timeline extension to respond to an access request.

Timeline to respond

Under the GDPR, the time limit for responding to an access request starts when the organization has received the request, meaning when the request reaches the organization through one of its official channels.

The data controller being unaware that the request has been made does not affect the time limit in any case. The deadline to respond to an access request is one month under the GDPR. For example, if an organization receives a request on 5 March, it has until and including 5 April to comply with the request at the latest.

In another example provided by the EDPB, if the organization receives an access request on 31st August and there is no corresponding date in the next month, the organization must respond to the access request by the end of the next month, which is 30th September.

Suspension of timeline

The time limit may be suspended if the organization is required to communicate with the data subject regarding the data subject's identity. In such a situation, the suspension of the timeline is permitted until the organization has received sufficient information from the data subject regarding his/her identity, provided that the organization has asked for additional information from the data subject confirming his/her identity without undue delay.

In all cases of timeline suspension, the data controller must, within one month of receipt of the request, inform the data subject about the delay and about the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

In one of the examples provided by the EDPB, a controller reacts immediately following the reception of the request and asks for the information it needs to confirm the person's identity. The data subject replies several days later but with insufficient information regarding the data subject's identity.

In this situation, the timeline's suspension is permitted until the organization has received sufficient information from the data subject to confirm his/her identity. However, the caveat here is that the controller must have reached out to the data subject asking for identity verification without undue delay, meaning as soon as possible.

Extension of the timeline

Article 12(3) of the official GDPR text states that DSR requests must be responded to "without undue delay and in any event within one month of receipt of the request…That period may be extended by two further months where necessary, taking into account the complexity and number of the requests."

This means the timeline may be extended by two further months only, and only if the request is sufficiently complex or the controller has received a large number of requests from many individuals, provided that the controller has informed the individual of the reasons for the delay and the extension within one month of receipt of the request.

DSR Fulfillment Timeline Under the CPRA

The CPRA provides different timelines for responding to different types of DSR requests depending upon the underlying consumer right exercised.

Timeline to respond

Under the CPRA, the timeline to respond to a DSR request starts on the day on which a business receives the request. One significant difference between the GDPR and the CPRA is that the DSR request verification does not result in suspension of the response time. Rather, a business may deny a DSR request if it is unable to verify the request within the 45-day response period.

The following are the timelines for responding to different types of DSR requests under the CPRA:

Requests to delete, correct, and know

Businesses must respond to DSR requests to delete, correct, and know within 45 calendar days after receipt of the request. In addition, businesses must confirm receipt of the request and provide information about how the business will process it within 10 calendar days after receipt of the request.

Requests to opt-out of sale/sharing and limit the use of sensitive personal information

Businesses must respond to DSR requests to opt-out of sale/sharing and limit the use of sensitive personal information as soon as feasibly possible, but in any case, within 15 calendar days after receipt of the request.

Extension of the timeline

While the GDPR provides businesses with an option to extend the response period twice where necessary, taking into account the complexity and number of the requests, the CPRA only allows a one-off extension for specific DSR requests.

Requests to delete, correct, and know

Businesses may request an extension of the initial response time of 45 days for all deletion, access, and correction requests when reasonably necessary. However, businesses must inform the consumer of the extension in the response time and the reason for such extension within the first 45 calendar days from receipt of the request.

Requests to opt-out of sale/sharing and limit the use of sensitive personal information

The CPRA does not provide for the option of extension in the response time for DSR requests to opt-out of sale/sharing and limit the use of sensitive personal information.

Why Are These Timelines So Important?

Regulatory fines are an obvious reason behind the importance of ensuring all DSR requests are honored within the aforementioned timelines.

Under the GDPR, non-compliance with a DSR request can lead to a €20 million fine or 4% of the organization’s worldwide turnover, whichever is higher. Similarly, under the CPRA, an organization faces a $7,500 fine per intentional violation or $2,500 per unintentional violation.

Therefore, it is important to comply with the DSR fulfillment timelines under the applicable laws to avoid monetary and reputational risks.

How Can Securiti Help

Trust is incontrovertible in ensuring users allow organizations to collect their data. This trust implies that not only will the organization collecting the data use it to enrich the user’s experience further online but will also be proactive in responding to any of their queries related to their data, especially in case a DSR request is made.

However, given the sheer volume of data being collected from thousands, if not millions, of users, manually attempting to keep track and ensure a timely response to DSR requests is an exercise in futility and an unnecessary strain on resources.

Automation is the most efficient and effective way to address such requests.

Securiti has made a name for itself as a pioneer in the data security, governance, compliance, and privacy sectors.

Securiti PrivacyCenter.cloud is an elegant all-in-one solution that helps an organization comply with a myriad of complex and evolving global privacy regulations. In addition to several features, it offers complete real-time oversight of all the organization’s DSR requests.

Moreover, with this solution, organizations can customize their DSR forms based on their unique needs, conduct efficient identity verification, and maintain extensive documentation in case of regulatory reviews, audits, or lawsuits.

Request a demo today and learn more about how Securiti can help your organization fulfill all DSR requests reliably.
