Route it immediately to the Data Protection Officer or the designated compliance contact. Do not attempt to handle it independently. The organization has one month to respond, but that clock starts from the date of the request — not from when it reaches the right person. The training covers recognition, escalation, and what not to do.