Managed request operations

Run every GDPR data request as one controlled case.

Trace is an early-access concierge service for product teams whose user data is spread across cloud tools. It scopes the request, organises available evidence and prepares a response pack for authorised human review.

The operating problem

The request is one email. The work is not.

A single person may appear in authentication, product, billing, support and storage systems under different identifiers. The legal deadline does not create an operational owner.

01 / INTAKE

Capture what was actually asked

Record the right being exercised, received time, identity status, scope and response target—without assuming every privacy email is the same request.

02 / SOURCES

Map the evidence path

Link identifiers to the relevant systems, document access methods and make missing or uncertain sources visible.

03 / REVIEW

Keep judgement with people

Put the export, response draft, exception notes and event timeline in front of an authorised reviewer.

One review boundary

What a review-ready pack contains.

The exact output depends on the right, verified scope and available records. Trace does not describe a pack as complete when a source or decision is still outstanding.

01 / CASE

Case summary

Request classification, identity state, scope, dates, customer instructions and open questions.

02 / EVIDENCE

Source inventory

Records located by source, retrieval method, identifier and any known coverage gap.

03 / ACTION

Reviewed next step

Draft response or action plan, exception flags, delivery package and timestamped case events.

Legal clock, operational plan

The controller still owns the response.

Under GDPR Article 12, the controller must provide information on action taken without undue delay and, in general, within one month. A further two months may be available where necessary because of complexity or number of requests, but the individual must be informed within the first month. The European Data Protection Board explains the timing; the legal text is in Article 12 GDPR.

Trace’s proposed 24-hour target is deliberately narrower: assemble the available case materials for review. It is not a replacement deadline, legal guarantee or promise that a request can always be closed the next day.

Product truth: Trace is pre-launch. Connector coverage, reviewer capacity, security terms and the 24-hour service target must be confirmed in an accepted pilot scope before live personal data is handled.

Start with the request you actually receive

A right-of-access request has specific requirements under Article 15 GDPR. Erasure, rectification, restriction, objection and portability are distinct rights with their own conditions. The workflow should preserve that distinction and escalate uncertainty rather than force every case through the same template.

Scope before automation

Questions product teams ask first.

Clear boundaries matter more than broad feature claims when personal data and legal rights are involved.

Which GDPR requests can enter the workflow?
The proposed workflow can record access, erasure, rectification, restriction, objection and portability requests. Each right has different legal conditions and outputs, so Trace records the request type and routes uncertainty to an authorised reviewer rather than treating every request as a DSAR.
Does the 24-hour target mean the request is legally complete?
No. The early-access target is a review-ready case pack within 24 hours for an accepted, in-scope request once required access is available. Identity questions, unavailable systems, third-party data and legal decisions can extend the work. The controller remains responsible for responding without undue delay and generally within one month.
Who decides what is disclosed or deleted?
An authorised human reviewer. Trace is being designed to assemble evidence, document gaps and prepare a draft. It does not autonomously determine exemptions, resolve competing rights or approve a response.
Can we start without permanent connectors?
Yes. An early pilot may use controlled exports, time-limited read-only access or a customer-operated query. The access method is agreed source by source. No live request data should be sent through the public pilot form.

A controlled first request

Make the next GDPR request a controlled case—not a company-wide search.

Start with one scoped request. Trace is preparing a limited number of concierge pilots for modern product teams.