When a Customer Asks About Their Data
People have legal rights over their personal data — to see what we hold, correct it, or have it deleted. If a customer asks, it matters that the request reaches the right team quickly and that you verify who's asking before sharing anything. You don't have to handle it yourself; you do have to recognise it and pass it on properly.
Under data-protection law, individuals can make requests like "send me all the data you hold on me" (a subject access request), "correct this", or "delete my data". These come with legal deadlines, so a request that sits unnoticed in someone's inbox is a compliance problem. They're also a target for fraudsters pretending to be a customer to extract someone's data.
Your job as anyone who might receive one: spot it, route it to the right team straight away, and never hand over personal data without proper identity verification.
Recognise and route
- Always: Pass any request from a customer to access, correct, delete, or get a copy of their personal data to the right team/process promptly — there are legal deadlines.
- Do: Recognise these requests even when informally worded ("what do you have on me?", "please delete my account and data") — they still count.
- Do: Log/forward it so it's tracked, not left sitting in a personal inbox or chat.
- Consider: Asking the responsible team if you're unsure whether something counts — better to flag it than miss a deadline.
Verify before sharing
- Do: Make sure the person is who they say they are (through the proper verification process) before any data is shared — impersonation is a real risk.
- Do: Share personal data only through approved, secure channels and the proper process — never just reply with it (see Handling Customer Data).
- Never: Send someone's personal data to a requester without verified identity and the proper process — a fraudster posing as the customer is exactly how data gets stolen.
- Never: Delete or change customer records yourself in response to a request outside the proper process — regulated records have rules about what can be removed (see related engineering guidance).
Ask yourself
- Ask: Is this a request about someone's own personal data? Then route it to the right team now.
- Ask: Have I confirmed the requester really is who they claim before anything is shared?
- Ask: Am I about to handle this myself when it should go through the proper process?