A Step-by-Step Guide to Handling Data Subject Access Requests (DSARs)
Receiving a Data Subject Access Request (DSAR) can feel intimidating—especially for small and medium-sized businesses that do not have a dedicated privacy or compliance team. Once a request arrives, the clock starts ticking. Under the General Data Protection Regulation (GDPR), organizations typically have 30 days to respond.
The good news is that DSARs become much easier to manage when you have a clear process in place. With the right approach, businesses can respond efficiently, remain compliant, and avoid unnecessary stress or last-minute scrambling.
Before the steps: What Are Your Legal Obligations?
Under Article 15 of the General Data Protection Regulation, individuals (known as data subjects) have the right to access personal data that an organization holds about them. When someone exercises this right, they submit a Data Subject Access Request.
As a data controller, your organization must provide:
- Confirmation that personal data is being processed
- A copy of the personal data itself
- The purposes of the processing
- Categories of personal data involved
- Recipients or categories of recipients
- The expected retention period
- Information about the individual’s data protection rights
Failing to respond properly can result in complaints, regulatory investigations, and potentially significant penalties. Under GDPR, fines can reach €20 million or 4% of global annual turnover, whichever is higher.
Beyond regulatory risk, mishandling DSARs can also damage customer trust. For organizations receiving requests regularly, dedicated DSAR management tools such as DSARify can help streamline tracking, automate parts of the workflow, and ensure deadlines are not missed.
Step 1: Acknowledge the Request Quickly
While GDPR does not strictly require an acknowledgment email, sending one within 24–48 hours is widely considered best practice. A quick response reassures the requester that their request is being processed and helps your organization document the timeline.
Your acknowledgment message should typically include:
- Confirmation that the request was received
- The official date of receipt
- A reference number for tracking
- The expected response deadline (usually 30 days)
- Any identity verification requirements
- Contact information for your privacy or compliance team
- A brief explanation of what information will be provided
Many organizations use standardized templates for this step. Templates reduce response time, though the process can still be quite manual.
Step 2: Verify the Requestor’s Identity
Before releasing any personal data, you must confirm that the request genuinely comes from the individual concerned—or from someone legally authorized to act on their behalf.
This step is essential. Providing personal data to the wrong person can result in a data breach, which may carry more serious consequences than responding late.
Verification requirements should be proportionate to the sensitivity of the data involved. In some cases, confirming basic account details may be sufficient. For more sensitive records, stronger verification is appropriate.
Common forms of verification include:
- Government-issued photo identification
- Proof of address issued within the last three months
- Confirmation of account details or registered email address
Individuals may redact unnecessary information, such as full ID numbers. If a request is submitted by a lawyer, parent, or other representative, you should also request proof of authorization.
Always document how identity was verified. If identity cannot be confirmed, the response timeline may be paused until adequate information is provided.
Step 3: Search All Relevant Data Sources
This stage often requires the most effort. Personal data can exist across many systems, not just your primary database. A thorough search should cover all locations where personal data might reasonably be stored.
Common data sources include:
- Customer relationship management (CRM) systems
- Email inboxes and archives
- HR and payroll systems
- Marketing and automation platforms
- Payment processors
- Analytics tools
- Customer support platforms
- Third-party processors or vendors
- Backup archives
- Physical paper files
- Cloud storage platforms such as Google Drive or Dropbox
- Internal communication tools like Slack or Microsoft Teams
Maintaining a data inventory or system checklist can make this step much easier. It also reduces the risk of overlooking important sources.
Even if data is held by a third-party processor, the responsibility for responding to the DSAR still rests with the data controller.
Step 4: Prepare and Review the Response
Once the relevant data has been collected, it should be reviewed and organized before being shared with the requester.
A proper DSAR response includes both the personal data itself and the additional contextual information required by GDPR.
Key preparation tasks include:
- Redacting personal data that relates to other individuals
- Removing legally privileged or confidential business information when applicable
- Presenting the data in a clear, understandable format
- Explaining technical identifiers or internal codes in plain language
- Including information about processing purposes, recipients, and retention periods
Whenever possible, have another team member—such as a Data Protection Officer (DPO)—review the response before it is sent. A second review can help catch errors, missing data, or unnecessary disclosures.
Step 5: Deliver the Response Securely
The final response should be delivered using a method appropriate for the sensitivity of the data involved.
Common delivery methods include:
- Encrypted email attachments with passwords shared separately
- Secure document portals or file-sharing platforms
- Password-protected files
- Recorded postal delivery when requested by the individual
Be sure to document how and when the response was delivered, and retain a copy for compliance records.
After the response is sent, the requester may follow up with clarification questions or additional requests. Prompt communication helps prevent complaints being filed with supervisory authorities.
Common DSAR Pitfalls to Avoid
Several common mistakes can cause problems when managing DSARs:
- Starting too late: work on the request should begin as soon as it is received.
- Missing the deadline: the 30-day timeframe can pass quickly, especially when multiple systems must be searched.
- Applying weak exemptions: exemptions must be legally justified and documented.
- Over-redacting information: only remove data that must legally be withheld.
Organizations that receive frequent requests often implement DSAR workflow platforms such as DSARify to track deadlines, centralize searches, and maintain a clear audit trail.
How to Build a Sustainable DSAR Process
Handling DSARs effectively is an opportunity to demonstrate transparency and respect for individual privacy rights. Organizations that manage requests well typically rely on a repeatable internal process supported by templates, defined responsibilities, and regular staff training.
As privacy regulations continue to evolve and awareness of data rights grows, DSAR volumes are likely to increase across many industries. Businesses that build structured processes now will be better positioned to respond quickly and confidently.
For small and medium-sized organizations, automation can significantly reduce the operational burden. Focused tools that help teams manage request workflows, track deadlines, and generate compliant responses can keep manual work to a minimum.
