Your legal team just received a formal request from a former customer asking for every piece of personal data you hold about them. You have 30 days. The law is clear. The problem is everything else.
Where is the data? Which systems hold it? Who owns each one? How do you pull it all together into a complete, defensible response before the clock runs out?
This is the operational reality of privacy compliance in 2026. The legal frameworks — GDPR in Europe, CCPA in California — are well-established. The rights they grant are clear. But the infrastructure required to actually fulfill them? That's where most enterprises struggle.
The Legal Framework: GDPR, CCPA, and the Rights They Create
Two regulations dominate data privacy compliance for most businesses operating today:
The General Data Protection Regulation (GDPR) came into effect in May 2018 and applies to any organization that processes personal data of EU residents — regardless of where the organization is based. It is the most comprehensive data privacy law in effect globally.
The California Consumer Privacy Act (CCPA), effective since January 2020 and strengthened by the California Privacy Rights Act (CPRA), grants similar rights to California residents. It is the most significant state-level privacy law in the United States, and its influence is spreading — over a dozen other states have passed or are passing comparable legislation.
Both regulations create two rights that directly impact how companies manage their data infrastructure:
The Right of Access — Data Subject Access Requests (DSARs)
A Data Subject Access Request (DSAR) is a formal demand by an individual to receive a copy of all personal data a company holds about them, along with information about how it's being processed and with whom it's been shared. Under GDPR, companies have 30 days to respond (extendable to 90 days in complex cases). Under CCPA, the window is 45 days. The response must be complete. A partial response is non-compliance.
The Right to Erasure — Right to Be Forgotten (RTBF)
The Right to Be Forgotten (RTBF) — formally called the right to erasure under GDPR Article 17, with an equivalent under CCPA — gives individuals the right to request that a company delete all personal data it holds about them. The obligation applies across every system where the data exists. Companies must also notify any third parties to whom the data was disclosed.
The penalties for getting this wrong are not theoretical. GDPR fines can reach €20 million or 4% of annual global turnover — whichever is higher. Under CCPA, consumers have a private right of action for data breaches, with statutory damages of $100–$750 per consumer per incident. Regulatory enforcement has intensified steadily since 2018, and regulators assess completeness, not just timeliness.
"Regulators don't just check whether your DSAR response arrived in time. They check whether it was complete."
The Real Problem: Data Fragmentation
Understanding DSARs and RTBF isn't the hard part. Any competent legal team can read the regulation. The hard part is operationalizing compliance across an enterprise data stack that was never designed with privacy requests in mind.
A single individual's personal data doesn't live in one place. In a typical mid-size company, it's distributed across:
- CRM — contact records, deal history, sales notes, account activity
- Email — correspondence across multiple inboxes, shared accounts, and archived threads
- Support platforms — tickets, live chat transcripts, internal agent notes
- Internal communications — Slack threads, meeting notes, internal documents referencing the individual
- Billing and finance — transaction records, invoices, payment history
- Marketing platforms — campaign history, behavioral tracking, consent and opt-out records
According to Gartner, the average manual DSAR costs approximately $1,524 to fulfill. That cost isn't primarily legal review — it's the time spent locating the data. Teams across sales, support, marketing, and engineering are pulled into a cross-functional scramble that nobody planned for and nobody owns.
And that's assuming the search is thorough. The real risk is the incomplete response: records that exist but were never surfaced because someone forgot to check that system, or assumed someone else had.
DSARs in Practice: One Request, Seven Teams, Three Weeks
Consider a realistic example. A former customer — call her Maya Osei — files a GDPR DSAR with a mid-size SaaS company. She's entitled to everything: emails, support tickets, CRM records, any internal notes that reference her by name.
Without a unified data layer, the compliance officer sends requests to seven different teams. Each team exports data from their own system in their own format on their own timeline. By day 22, the compliance officer has a collection of spreadsheets, CSV exports, and forwarded email threads — and no reliable way to know whether anything was missed.
The response goes out on day 28. It probably isn't complete. Nobody can say with confidence that it is.
"An incomplete DSAR response isn't just a compliance failure. In front of a regulator, it looks like concealment."
How Overstand Changes the Workflow
Overstand isn't built as a compliance tool. It's a unified data foundation — ingesting first-party data from across an organization's systems (CRM, email, Slack, support, HR, documents) and making all of it queryable from a single interface. The compliance benefit is a direct consequence of that architecture.
When a DSAR arrives, the workflow changes entirely:
Query by subject identity
Run a natural language query: "Show me all records, communications, and data associated with Maya Osei." Overstand searches every connected system simultaneously — no team coordination required.
Review a complete, structured response
Every matching record — CRM entries, emails, support tickets, internal mentions — surfaced in one place, organized by source and system, with timestamps and provenance intact.
Export with a clean audit trail
The query, its results, and the timestamp are logged. If a regulator asks how the DSAR was fulfilled, you have a complete, defensible record — not a collection of forwarded emails and best-effort exports.
RTBF: The Map, Not the Delete Button
The Right to Be Forgotten (RTBF) is operationally harder than a DSAR. A DSAR requires you to find and disclose the data. RTBF requires you to find it and coordinate its deletion across every system where it lives — including notifying any third parties you've shared it with.
Most RTBF failures aren't bad faith. They're incomplete maps. Three teams delete their records. Two don't know they hold any. A third-party vendor never gets notified. The deletion is attempted in good faith, but it cannot be completed without a complete inventory first.
Overstand's role in RTBF is precise: it provides the map. A query surfaces every system holding the individual's data — CRM, email threads, support tickets, internal notes, billing records. That inventory is handed to the teams who own each system with a clear, structured checklist: delete this, here, here, and here.
Overstand doesn't replace the source systems' deletion mechanisms. It tells you what to trigger, and where — replacing the manual archaeological dig with a structured handoff.
"You can't delete what you can't find. Most RTBF failures aren't bad faith — they're incomplete maps."
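As an added illustration, not Overstand's code and not a description of how Overstand works internally, the Python sketch below shows the shape of the two workflows described above: one subject query run across several connected systems that returns every hit with its source system, owning team, matched field and timestamp; an audit entry that records what was asked, when, how many records each system returned and a SHA-256 of exactly what was returned; and an erasure checklist grouped by system owner, with the third parties that must be notified. The systems, owners, records and the `shared_with` field are constructed sample data, and the field names are assumptions for this example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed sample exports from four source systems (not real data).
# "owner" is the team that can delete in that system; "shared_with" lists
# third parties the record was disclosed to. Both are assumptions here.
SOURCES = {
    "crm": {"owner": "sales-ops", "records": [
        {"id": "C-1001", "name": "Maya Osei", "email": "maya.osei@example.com",
         "notes": "Renewal call", "ts": "2024-03-04T10:15:00Z", "shared_with": ["analytics-vendor"]},
        {"id": "C-1002", "name": "Ravi Patel", "email": "ravi@example.com",
         "notes": "", "ts": "2024-01-10T09:00:00Z", "shared_with": []}]},
    "email": {"owner": "it", "records": [
        {"id": "M-77", "from": "maya.osei@example.com", "to": "support@example.com",
         "subject": "Invoice question", "ts": "2024-02-20T16:42:00Z", "shared_with": []},
        {"id": "M-78", "from": "ravi@example.com", "to": "sales@example.com",
         "subject": "Pricing", "ts": "2024-02-21T08:00:00Z", "shared_with": []}]},
    "support": {"owner": "support", "records": [
        {"id": "T-500", "requester": "maya.osei@example.com",
         "body": "Spoke with Maya Osei about export", "ts": "2024-02-22T11:00:00Z",
         "shared_with": ["helpdesk-saas"]}]},
    "billing": {"owner": "finance", "records": [
        {"id": "INV-9", "customer_email": "maya.osei@example.com", "amount": 120.0,
         "ts": "2024-03-01T00:00:00Z", "shared_with": ["payment-processor"]}]},
}

METADATA_FIELDS = {"id", "ts", "shared_with"}  # never matched against identifiers


@dataclass(frozen=True)
class Hit:
    """One record that references the data subject, with its provenance."""
    system: str
    owner: str
    record_id: str
    matched_field: str
    timestamp: str
    shared_with: tuple


def subject_search(sources, identifiers):
    """Query every connected system at once for any of the subject's identifiers."""
    idents = [i.lower() for i in identifiers]
    hits = []
    for system, src in sources.items():
        for rec in src["records"]:
            for field, value in rec.items():
                if field in METADATA_FIELDS or not isinstance(value, str):
                    continue
                if any(ident in value.lower() for ident in idents):
                    hits.append(Hit(system, src["owner"], rec["id"], field,
                                    rec["ts"], tuple(rec.get("shared_with", []))))
                    break  # one hit per record; keep the first matching field as provenance
    return sorted(hits, key=lambda h: (h.system, h.record_id))


def audit_entry(identifiers, hits, now=None):
    """Record the query, when it ran, per-system counts and a hash of the exact result set."""
    now = now or datetime.now(timezone.utc)
    payload = json.dumps([asdict(h) for h in hits], sort_keys=True)
    systems = sorted({h.system for h in hits})
    return {
        "query": sorted(identifiers),
        "executed_at": now.isoformat(),
        "hits_per_system": {s: sum(1 for h in hits if h.system == s) for s in systems},
        "result_sha256": hashlib.sha256(payload.encode()).hexdigest(),
    }


def erasure_checklist(hits):
    """Turn the inventory into a per-owner delete list plus third parties to notify."""
    by_owner = {}
    third_parties = set()
    for h in hits:
        by_owner.setdefault(h.owner, []).append((h.system, h.record_id))
        third_parties.update(h.shared_with)
    return {"delete": by_owner, "notify": sorted(third_parties)}


if __name__ == "__main__":
    identifiers = ["Maya Osei", "maya.osei@example.com"]
    found = subject_search(SOURCES, identifiers)
    for h in found:
        print(f"{h.system:8} {h.record_id:8} via {h.matched_field:15} at {h.timestamp}")
    print(json.dumps(audit_entry(identifiers, found), indent=2))
    print(json.dumps(erasure_checklist(found), indent=2))
```

Two design points carry over to any real implementation. The audit entry hashes the serialized result set, so a later reviewer can check that the disclosed export is exactly what the query returned on that date, not a subset. And the erasure checklist is derived from the same inventory as the access response, so the teams asked to delete are exactly the teams whose systems surfaced a record; a system that returns nothing never silently drops out of the map. Plain substring matching is enough for the sample data but would need tokenized or fuzzy matching, and a review step for false positives, against real free-text fields.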
What In-House Counsel Actually Needs
When a DSAR or RTBF request arrives, in-house counsel needs to answer two questions — and answer them confidently:
- Where is this person's data? A complete, verified answer — not a best effort.
- Can we prove we responded correctly? An auditable record, timestamped and complete — not a pile of forwarded emails.
The companies best positioned for GDPR and CCPA compliance aren't the ones who invested in a dedicated privacy portal. They're the ones who already know where their data is — because they built the infrastructure to actually use it.
That's what Overstand provides. The same unified data foundation that powers customer intelligence, document analysis, and operational insight is the foundation that makes DSARs answerable in hours — and RTBF requests structured rather than approximate.
Data Subject Access Requests don't care how many systems your data hides in. The regulation just sets the clock. What matters is whether you can find the answer before it runs out.