Read also: 83 percent do not answer correctly when asked for access
GDPR Article 15 gives everyone the right to know what a company stores about them. When the request comes in, you have 30 days on you. The response shall include a copy of all personal data, the purposes of the processing, who the data is shared with, and how long it is stored.
Most companies have never tested the process. Who receives the request? Who collects the data from all the systems — CRM, email, HR, accounting? Who quality assures the answer?
noyb's April 2026 analysis showed that over 83 percent of all access requests they sent received an incomplete or entirely absent response. The most common errors included incomplete information about recipients, missing retention periods, and data that was simply omitted.
**Practical point:**
Create a simple insight routine — one A4 page with three items. Who is responsible for receiving and responding to requests? Which systems contain personal data? And what should the response include? Test the routine with a colleague who is playing the role of a data subject.
Inspired by: noyb