Handling privacy access requests with a small team playbook
Short answer: When someone asks what you hold about them, treat it as a structured request: verify identity, search common systems, respond within required timelines, and document what you did.
Even tiny NZ teams benefit from a half-page playbook instead of improvising under stress.
Lightweight workflow
- Intake log: date, channel, requester details, scope of ask.
- Identity check: proportionate to sensitivity—avoid handing data to impersonators.
- Data map sweep: CMS forms, inbox, CRM, accounting, support tickets.
What you might redact or withhold
Other people’s personal information, privileged legal material, or trade secrets may require careful handling—this is where professionals help.
After you respond
Archive the decision briefly (not forever) so repeat requests do not restart from zero. If you corrected data, update source systems so the error does not respawn.
Frequently asked questions
Do we need a portal?
No—email plus a checklist can suffice at small scale if you stay organised.
What if data is in a contractor’s tool?
Contracts should identify subprocessors and spell out what assistance the contractor provides with access requests.