How to Handle Data Subject Access Requests (DSARs) — Step by Step
Under GDPR Article 15, any individual has the right to obtain confirmation of whether their personal data is being processed, and if so, to receive a copy of that data along with supplementary information about how it's being used. This is called a Data Subject Access Request (DSAR), and it's one of the most operationally challenging aspects of privacy compliance.
DSARs can arrive at any time, from any channel — email, web forms, social media, even verbal requests. You have one month to respond. Miss that deadline, and you're looking at potential regulatory action. Handle it poorly, and you risk exposing other people's data in the response. This guide walks you through the entire process, from intake to delivery.
What Triggers a DSAR?
A DSAR can be submitted by any data subject — a customer, employee, website visitor, job applicant, or any other individual whose personal data you process. There's no required format. A DSAR doesn't need to mention "GDPR" or "Article 15" or use any specific language. An email saying "I want to know what data you have on me" is a valid DSAR.
Common scenarios that trigger DSARs:
- Individuals exercising their rights — Aware consumers who want to understand how their data is used
- Pre-litigation discovery — Employees or former employees requesting data before filing legal claims (especially common in employment disputes)
- Advocacy groups — Organizations testing compliance by filing systematic DSARs
- Curiosity — People who read about privacy rights and want to see what companies know about them
- Competitor intelligence — Sometimes used to understand a competitor's data practices (though this isn't the intended purpose)
Step 1: Recognize and Log the Request
The first challenge is recognizing a DSAR when you receive one. Since there's no required format, DSARs can arrive as customer support tickets, emails to generic inboxes, DMs on social media, or even verbal requests to staff members.
Every customer-facing team member should be trained to recognize a DSAR. When one arrives:
- Log it immediately in your DSAR tracking system
- Record the date received (this starts your response clock)
- Note the channel it came through
- Assign a unique reference number
- Acknowledge receipt to the requester
The one-month response deadline starts from the day you receive the request — not from when you acknowledge it, verify identity, or assign it to someone. Delayed logging means a shorter effective response window.
Step 2: Verify the Requester's Identity
Before disclosing any personal data, you must verify that the person making the request is who they claim to be. Disclosing data to the wrong person is itself a data breach — so identity verification is critical.
The verification method should be proportionate to the sensitivity of the data and the risk of unauthorized access:
- Existing authenticated channels — If the request comes from a verified email address associated with their account, or through an authenticated portal, additional verification may not be needed
- Knowledge-based verification — Ask the requester to confirm information only they would know (account details, recent transactions)
- Document-based verification — For sensitive data, request a copy of government-issued ID. But be mindful of data minimization — don't collect more ID information than necessary
Important: You cannot use identity verification as a stalling tactic. If you already hold enough information to confirm the requester's identity (e.g., they emailed from their registered email address), requesting additional ID is unreasonable and could be seen as obstructing the request.
Step 3: Determine Scope and Feasibility
Once identity is verified, determine the scope of the request. Data subjects can request:
- Confirmation that their data is being processed
- A copy of their personal data
- Information about: purposes of processing, categories of data, recipients/categories of recipients, retention periods, the source of the data (if not collected directly), the existence of automated decision-making
At this stage, assess whether any exemptions apply. You may be able to refuse or limit a response if:
- The request is "manifestly unfounded or excessive" (e.g., repetitive requests with no new purpose) — but the bar for this is very high
- Responding would adversely affect the rights and freedoms of others (e.g., the data is intertwined with another person's data)
- Legal privilege applies
- The data relates to ongoing legal proceedings
If you're refusing or limiting a response, you must inform the requester of the reasons and their right to complain to a supervisory authority.
Step 4: Locate and Collect the Data
This is typically the most time-consuming step. Personal data often lives in multiple systems:
- Primary databases — Your main application database, CRM, ERP
- Communication systems — Email, chat logs, support tickets, call recordings
- Analytics platforms — Google Analytics, Mixpanel, Amplitude (behavioral data tied to the individual)
- Third-party processors — Payment providers, email marketing platforms, cloud storage
- Backup systems — Archived data that may still contain personal information
- Physical records — Paper files, printed documents, handwritten notes
- Employee systems — HR platforms, payroll, performance reviews (for employee DSARs)
Without a comprehensive data map, this step becomes a nightmare. You're essentially searching across every system in your organization for any data that relates to a specific individual. This is why data mapping is a foundational compliance requirement — not just a documentation exercise.
Step 5: Review and Redact
Before delivering the data, review it carefully for:
- Third-party data — The response may contain information about other individuals. You must redact this to protect their privacy. E.g., an email thread between the requester and another person may contain the other person's opinions or personal details.
- Privileged information — Legal advice, internal legal assessments, or data subject to legal professional privilege can be withheld.
- Trade secrets — Proprietary algorithms or business logic that constitutes a trade secret may be exempt, but you can't use this to refuse the entire request.
- Accuracy — Ensure the data you're providing is complete and accurate. Providing incomplete data is itself a violation.
This review process is where manual DSARs consume the most resources. A single employee DSAR can involve reviewing thousands of emails, documents, and system records.
Step 6: Compile and Deliver the Response
Package the response in a clear, accessible format:
- Format — Provide the data in a commonly used electronic format (e.g., CSV, JSON, PDF). For the right to data portability, GDPR specifically requires a structured, machine-readable format such as CSV or JSON rather than a PDF.
- Supplementary information — Include the required contextual information: purposes of processing, categories of data, recipients, retention periods, source of data, and information about their other rights.
- Secure delivery — Use encrypted email, a secure download portal, or another method that protects the data in transit. Sending sensitive personal data via unencrypted email is a security risk.
- Cover letter — Include a cover letter explaining what's included, any exemptions applied, and the requester's right to lodge a complaint with a supervisory authority.
Timeline Requirements
Under GDPR:
- Standard deadline: 1 month from receipt of the request
- Extension: up to 2 additional months for complex or numerous requests — but you must inform the requester within the first month and explain the delay
- Cost: free for the first copy. You can charge a "reasonable fee" for additional copies or manifestly unfounded/excessive requests
Under CCPA:
- Acknowledge within 10 business days
- Respond within 45 calendar days, with a possible 45-day extension
- Cost: free
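As an added illustration of the deadline rules above (example code, not from the original page or PrivaBase), a small Python calculator that derives the GDPR and CCPA due dates from the date of receipt. It assumes the end-of-month convention when the target month has fewer days, and counts CCPA business days as Monday to Friday without public holidays.

```python
from datetime import date, timedelta
import calendar

# Constructed example: DSAR deadline arithmetic for the GDPR and CCPA rules
# listed above. Standard library only; holidays are deliberately not modelled.

def add_months(d: date, months: int) -> date:
    """Add calendar months. If the target month has no such day, use its
    last day (assumed convention, e.g. 31 Jan + 1 month -> 28/29 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

def add_business_days(d: date, days: int) -> date:
    """Count forward over Monday-Friday only."""
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d

def gdpr_deadlines(received: date, extension_months: int = 0) -> dict:
    """One month from receipt; an extension of up to two further months
    must be notified to the requester within that first month."""
    if not 0 <= extension_months <= 2:
        raise ValueError("GDPR extension is at most two additional months")
    first_month = add_months(received, 1)
    return {
        "respond_by": add_months(received, 1 + extension_months),
        "notify_extension_by": first_month,  # only matters if extended
    }

def ccpa_deadlines(received: date, extended: bool = False) -> dict:
    """Acknowledge within 10 business days; respond within 45 calendar
    days, or 90 if the 45-day extension is taken."""
    return {
        "acknowledge_by": add_business_days(received, 10),
        "respond_by": received + timedelta(days=90 if extended else 45),
    }

def days_remaining(deadline: date, today: date) -> int:
    """Negative means overdue; drive alerts from this before it goes below 0."""
    return (deadline - today).days
```

Because the clock starts at receipt rather than at logging, feed `received` with the date the request actually arrived, not the date it was entered into the tracker.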
Common Mistakes
1. Missing the Deadline
The most common and most avoidable mistake. Without a tracking system, requests slip through the cracks. By the time someone realizes a DSAR was received three weeks ago, there's barely time to respond.
2. Over-collecting Identity Documentation
Requesting a passport copy from someone who emailed from their registered account is disproportionate. It annoys the requester and adds unnecessary data processing to your obligations.
3. Incomplete Data Collection
Searching only your primary database and missing data in email archives, analytics platforms, or third-party systems. A partial response is a violation.
4. Failing to Redact Third-Party Data
Accidentally including another person's data in the response is a data breach. Every response needs careful review before delivery.
5. Ignoring Verbal Requests
A DSAR doesn't have to be in writing. If a customer asks a support agent on the phone "what data do you have on me?", that's a valid DSAR that needs to be logged and processed.
6. Applying Exemptions Too Broadly
The "manifestly unfounded or excessive" exemption is very narrow. Regulators take a dim view of organizations that routinely refuse DSARs. When in doubt, comply.
Automating DSARs
Manual DSAR handling doesn't scale. At low volumes, you might manage with spreadsheets and email. But as your user base grows — or if you operate in a regulated industry where DSARs are more common — manual processes break down.
Automation can help at every stage:
- Intake — Self-service portals where data subjects can submit and track requests, with automatic identity verification for authenticated users
- Data collection — API integrations that automatically query all relevant systems and compile data into a single response package
- Review — AI-assisted redaction that flags potential third-party data for human review
- Delivery — Secure, automated delivery through encrypted channels with audit trails
- Tracking — Dashboard showing all active requests, deadlines, and completion status
How PrivaBase Handles DSARs
PrivaBase provides end-to-end DSAR automation. When a request comes in — through our embeddable request portal, API, or manual entry — it's automatically logged, tracked, and routed through your configured workflow.
Our platform connects to your data sources via API, automatically collects relevant personal data, flags items needing human review, and generates compliant response packages ready for secure delivery. Every step is audit-logged, every deadline is tracked, and your team gets alerts before anything goes overdue.
For organizations handling more than a few DSARs per month, automation isn't a luxury — it's a necessity. The time saved on each request compounds quickly, and the risk reduction from consistent, auditable processes is invaluable.
Automate your DSAR workflow
From intake to delivery, PrivaBase handles the operational burden of data subject requests.