Requests received via third-party platforms

A number of third-party platforms available to the public claim to make it easier than ever for people to contact organisations and submit information rights requests, such as Subject Access and Erasure requests. Two of the most common ones organisations have come across are Tap My Data and Rightly.

Who are Tap My Data and Rightly?

At first glance both companies offer similar services, but they handle your data in very different ways.
People (data subjects) are able to sign up for an account and then use these companies to manage their information rights requests. However, this is seemingly where the similarities between these companies end.

Rightly state they receive funding from investors and that they never sell the data that passes through their website to third parties. They are registered with the ICO and do not require an organisation to set up an account to respond to requests via their portal.
Tap My Data, however, appear to make money from customers who are willing to sell their information to crypto companies. Their website pushes the idea that, as companies are buying and selling a person’s data, the person may as well sell it on and make the money from it themselves. I was unable to find any details about their ICO registration status or any FAQs about how an organisation can respond to a request received from them.

We have received a request via one of these third-party companies, what should we do?

When deciding whether to respond to a request, there are several things to consider.

• Did you know a request was going to be received from the data subject?
• Are you happy with the identity of the data subject?
• Have you seen or received evidence that the website has sufficient authority to make the request on behalf of the data subject?
• Is there a requirement to either sign up to the website or pay fees in order to view the request or the data subject’s details?

The ICO consider a request not to be received by an organisation if the above points cannot be confirmed, and there is no obligation for an organisation to sign up to these third-party websites to view requests.
It is also considered not received if an organisation is unable to see the request without signing up to the websites.

What are our options for responding?

Remember that if you decide to accept the request as valid, you should still follow your internal policies regarding these requests in checking for ID, where required, and gaining clarity on requests where it is unclear what the requester is seeking. You should also ensure that the third-party website has the appropriate authority to be acting on behalf of the requester (like you would do with a request from a solicitor).
There is no obligation for an organisation to respond through the platform, especially where the organisation would need to sign up, and therefore hand over some personal details, to the website themselves. If you choose to use the platforms to respond, we’d recommend you do due diligence on the company to ensure you are satisfied, as the data controller, that this data transfer is legitimate and safe. If you have concerns regarding whether the
You also have the option to respond directly to the requester outside of their chosen website and explain that you will handle the request directly with them. You may also want to confirm with the requester whether they want the information to be sent to the third-party website portal or sent directly (and securely) to them.


• Do your own due diligence on these third-party websites should you choose to use them.
• Ensure you are satisfied that the request is legitimate.
• Ensure the information is sent to the requester in a secure way, even if this is not via the portal.
• Do not feel obligated to use these websites just because the request has come in via one.