You mean request to be forgotten? Are you seriously lacking an automated removal process if you have more than a thousand users and also can't keep it in a three month deadline?
Oor is it collecting so much data that you cannot just send it all to the requestee?
If it would take a decade, then it is a broken business that should cease to exist as it is doing something illegal with the collected data.
What kind of business is it?
If this is such a serious concern, you should automate this process as much as possible. You don't necessarily need to respond manually to these requests if you put in place the required features on your website which will allow your EU data subjects to benefit from their rights.
Realistically, how hard is it to automatically grab some data from a database and export it as JSON, as well as remove data from your database pertaining to a user? With a relational database, this would be a cinch. I mention the right to access the erasure right, as I estimate these will be the most frequently called upon.
Depends on your system. We have an automated process that produces a PDF, which a human will then go through and redact so we're not leaking through the
non-relevent PII of other people if one of our users isnt using the system quite properly.
If you have a lot of “members” you obviously provide the services by the automated process. Obviously the request processing could also be mostly automatic.
