Hi Everyone, I am the Co-Founder of ECOMPLY.io. I thought about jumping in and helping you all out.
First of all, you need to understand, do you have customers in Europe. If yes, is data your everyday thing? If yes, then you need to comply with Article 30 first. Article 30 asks, how many processes of you have, how many of them have personal data involved, and then tell you to answer purpose, legal basis, category of personal data and deletion request.
Now, how to answer Subject Access Request, once you're done with article 30 i.e. records of processing activities, you'll know what, where and how you obtained that data with the purpose and legal basis. This request will be difficult to answer then:
First of all, you need to understand, do you have customers in Europe. If yes, is data your everyday thing? If yes, then you need to comply with Article 30 first. Article 30 asks, how many processes of you have, how many of them have personal data involved, and then tell you to answer purpose, legal basis, category of personal data and deletion request.
I took an interview from Mailjet how they did it: https://ecomply.io/how-to-become-gdpr-compliant-insights-fro...
Now, how to answer Subject Access Request, once you're done with article 30 i.e. records of processing activities, you'll know what, where and how you obtained that data with the purpose and legal basis. This request will be difficult to answer then:
Here are the 10 steps you need to do: https://ecomply.io/10-critical-steps-to-general-data-protect...
It's a piece of cake then.
Plus, you need to change your way of doing sales & marketing in Europe: https://ecomply.io/pimping-up-your-sales-in-a-post-gdpr-worl...