Who fulfills a data subject access or deletion request, and which department is accountable if the deadline is missed?
Data subject access and deletion requests are rarely handled by one person. Fulfillment is a coordinated workflow, while accountability for meeting the deadline rests with a designated owner. Confusing the two is the most common reason requests are missed.
Who actually fulfills the request
Several roles touch a request before it is complete:
- Intake/privacy office — receives the request, verifies the requester’s identity, and logs the clock start. In government, this often parallels the Privacy Act request process.
- Records and IT teams — perform the actual search across systems, applications, and backups to locate the relevant personal data.
- Business/data owners — confirm what may be disclosed, redacted, or deleted, and flag any legal hold or retention requirement that blocks deletion.
- Legal/compliance — reviews exemptions, applicable retention obligations, and the final response.
Deletion adds a wrinkle: data under a litigation hold or a mandatory retention schedule generally cannot be erased until that obligation lapses. Fulfillment teams must reconcile the individual’s request with those duties before acting.
Who is accountable for the deadline
Fulfillment is shared, but accountability should be assigned to a single owner — typically a privacy officer, data protection officer (DPO), or designated records/compliance lead. That role:
- Tracks the statutory or policy clock from the verified request date.
- Coordinates the contributing teams and escalates bottlenecks.
- Approves any permitted extension and documents the justification.
If the deadline is missed, accountability falls to that designated owner and, ultimately, the organization itself — not the individual analyst who ran a search. Regulators and courts look at whether the organization had a defined process, clear ownership, and a defensible record of its actions.
Make it defensible
The practical safeguards are governance, not heroics:
- A written procedure naming the accountable owner and each contributing role.
- A tracking log with dates, decisions, and extension rationale.
- Retention schedules and hold rules referenced before any deletion.
For related guidance, see the privacy and PII topic hub.
A clear RACI — who does the work, who is accountable, who must be consulted — turns a scramble into a repeatable, auditable response.
Sources & further reading
Authoritative government and non-profit references.
- Privacy Act of 1974 — U.S. Department of Justice
- NIST Privacy Framework — NIST
How to cite this page
APA
RM University Editorial. (2026). Who fulfills a data subject access or deletion request, and which department is accountable if the deadline is missed?. Records Management University. https://www.recordsmgmt.org/questions/who-fulfills-a-data-subject-access-or-deletion-request/
MLA
RM University Editorial. "Who fulfills a data subject access or deletion request, and which department is accountable if the deadline is missed?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/who-fulfills-a-data-subject-access-or-deletion-request/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?