What to Do If You Receive a DSAR – A Practical GDPR Compliance Guide

What to Do If You Receive a Data Subject Request (DSAR): A Practical Response Plan

Introduction

Under the GDPR and UK GDPR, individuals have the right to request access to the personal data your business holds about them. These are known as Data Subject Access Requests (DSARs). While the process sounds straightforward, many companies are underprepared and at risk of non-compliance.

This article walks you through the key steps to handle DSARs efficiently and lawfully—without panic, delay, or legal exposure.

What Is a DSAR?

A DSAR is a formal request from an individual asking to:

  • Access the personal data you hold on them
  • Understand how their data is being used
  • Request correction or deletion
  • Object to processing or restrict it

You have one month to respond—and in some cases, up to three months for complex requests. Failure to respond on time or accurately can lead to complaints or regulatory penalties.

Why DSARs Matter

  • Regulators like the ICO treat DSARs seriously. Mishandling one is often a trigger for wider investigations.
  • Fines can follow even without a data breach if rights are denied or ignored.
  • Responding properly builds trust and demonstrates accountability.

Step-by-Step DSAR Response Plan

✅ 1. Set Up a Clear Intake Process

  • Create a centralised request form or contact email
  • Publish instructions in your privacy policy
  • Ensure the request reaches the right internal contact quickly

✅ 2. Verify the Identity of the Requester

  • Ask for proof of identity if needed
  • Be cautious with sensitive personal data disclosures

✅ 3. Locate All Relevant Data

  • Search across email, databases, CRMs, and cloud tools
  • Include data held by processors (vendors)

✅ 4. Redact Third-Party Information

  • Ensure you don’t disclose personal data about others
  • Use redaction tools where necessary

✅ 5. Assemble the Response Pack

Include:

  • Categories and sources of data
  • Purpose of processing
  • Recipients of the data
  • Retention periods
  • A copy of the personal data itself

✅ 6. Respond Within 30 Days

  • Deliver the pack securely (encrypted email or portal)
  • Offer contact details for further questions

✅ 7. Log the Request Internally

  • Keep a DSAR register with timestamps, response method, and handler
  • Use this for compliance audits and future reference

Common Mistakes to Avoid

  • Delaying verification or ignoring ambiguous requests
  • Not training staff on how to escalate DSARs
  • Failing to search across all relevant systems
  • Missing personal data stored in SaaS tools
  • Responding without legal or privacy review

How We Can Help

At DPO & Privacy Support, we help organisations:

  • Build efficient DSAR workflows and secure response templates
  • Train staff to handle requests with confidence
  • Conduct readiness audits to reduce risks
  • Act as your outsourced DPO to manage requests end-to-end

📘 Need to train your staff on DSAR handling and GDPR basics? Explore our Privacy Training on GDPR, CCPA, AI & Global Regulations.

📄 Unsure if your privacy notices or consent mechanisms are up to date? Review or create your Privacy Notice with expert help.

🌍 Working internationally? Check out our GDPR Compliance Guide for Non-EU Companies.

👤 Need ongoing compliance support? Learn more about our DPO-as-a-Service.

📝 Need help with vendor agreements or SCCs? We draft and review DPAs and data privacy contracts.

📩 Need help responding to a DSAR right now? Contact us.


