The first challenge: how do you find all the relevant data when you receive a “Right to access,” a “Data Portability” or a “Right to be forgotten” request from an EU resident? Expecting that anyone can manually log in to every application and storage system used by your organization and locate the right data is unrealistic. Not only would this be time-consuming, but it also opens the door to the risk of data being missed, or of data being included that is not within scope.
It would be far more practical to run a single search request against the storage system, one that matches all relevant data within scope. Of course, depending on the type of request, the scope may change.