Under POPIA, data subjects have the right to request access to, correction of, and deletion of their personal information. These are known as Data Subject Requests (DSRs), and your organisation must respond within 30 days.
Types of Requests
- Access Request: The data subject wants to know what personal information you hold about them.
- Correction Request: The data subject wants to update or correct inaccurate information.
- Deletion Request: The data subject wants their personal information removed from your systems.
- Objection: The data subject objects to the processing of their personal information.
The 30-Day Deadline
POPIA requires you to respond to DSRs within 30 days of receipt. This means:
- You need a system to track when requests are received
- You need clear internal processes for handling each type of request
- You need to document your responses for compliance evidence
Best Practices
- Verify identity — Before disclosing, correcting, or deleting any information, verify the requester's identity so that personal information is not released to, or altered by, someone impersonating the data subject.
- Log everything — Maintain a complete record of every request: when it was received, the actions taken, and the responses sent, so that you can evidence compliance.
- Set up alerts — Track each request's deadline and raise warnings before it lapses, so no request goes unanswered past the 30-day limit.
- Establish a public intake form — Make it easy for data subjects to submit requests through a branded online form.
Automating DSR Management
POPIAdesk provides a complete DSR management system including a public intake form for your organisation, deadline tracking with automatic warnings, and response templates for each request type.