Short answer: A DSAR (Data Subject Access Request) is a request from an individual to access the personal data your company holds about them. Under GDPR, everyone has the right to access their data – and you must respond within 30 days. This requires clear oversight, structured processes, and tools that enable you to locate and deliver data quickly and securely. Proper handling of DSARs is not just a legal obligation – it’s a matter of trust.
Have you received a data subject access request?
Handling data subject access requests involves identifying, evaluating and fulfilling requests for personal data in accordance with the law. It requires the organisation, storage and security of data, as well as effective communication with the individuals who have requested their information.
This blog describes how you should handle data requests in your company when you receive them. Under the GDPR, being able to handle data requests is part of responsible processing of personal data.
Did you know that rapid response to data breaches can minimise long-term damages and costs associated with customer churn and lost trust? (Source: www.ponemon.org)
What is a data subject access request (DSAR)?
Data subject access requests (DSARs) are requests a person (data subject) can make to an organisation (data controller) regarding their personal data. We will also use the terms “data request” and “privacy request” when talking about the variety of requests people may make to exercise their rights under the GDPR and other global data privacy laws.
Types of data subject access requests
Data access requests could potentially come from customers, leads, partners, vendors, employees — anyone you have dealt with in the course of your business. Privacy regulations make it very easy for people to make such requests, putting the burden of tracking and responding to them on your company. Someone can simply ask about their data in an email or even in a chat box, saying something like:
- “Please delete my data.”
- “I’d like to know what personal data of mine you have.”
- “I’m changing [insurance providers/suppliers/etc.], please send all my personal data.”
The requests above may appear casual, but they are all official and valid DSARs, and your company is required to respond to them formally within a set period of time (usually 30 days).
How can you make sure you never miss a request?
- Put a request portal on your website to organise and track incoming requests automatically.
- Learn to recognise different types of data requests that are considered legally binding.
The requests your company must respond to include:
- Insight requests: A person can ask you how their data is being collected, used, stored, and whether it is being shared.
- Access requests: A person can ask you for a complete copy of all data you store about them.
- Rectification requests: A person can ask you to make changes or correct errors in their data.
- Transfers (data portability): A person can ask you to transfer their data to another company or another third party.
- Deletion requests: A person can request “to be forgotten”, in which case you must delete all their data.
- Requests to limit processing: A person can ask you to limit what you do with their data in a specific way.
- Opt-out/objection requests: The CCPA allows people to “opt-out”, restricting you from selling their data. Most laws let people object to other uses of their data.
How to handle DSARs
Each time someone submits a DSAR, you must respond to it promptly, usually within 30 days. This can put quite a strain on your company’s resources, taking time, money, and attention away from other projects. Let’s consider what you can do to make the whole data request process smoother, from start to finish. Here is a step-by-step guide with best practices for handling DSARs:
1. Collect all requests in one place
Privacy rules don’t specify how requests should be made. To avoid fielding requests by phone, email, DM, etc., set up a standard place on your website for people to make requests. We suggest adding a request link to your privacy policy.
2. Log each request you receive
Keep track of each request you receive, noting when it is due, and who should respond to it. This will help you respond on time, and then demonstrate your compliance to the authorities.
3. Verify the requestor’s identity
You must make sure you only send personal data to its true owner. Stop fraud and identity theft by verifying each requester’s identity first thing, before proceeding with fulfillment.
4. Notify the person that you have received their request
Acknowledge the request with a brief response that explains how you will respond and when. This initial response is a good practice to build trust and is required under some regulations. For example, the CCPA requires you to confirm receipt of requests within 10 business days.
5. Set up reminders for your team to respond on time
Failing to respond on time to data requests brings expensive fines and brand damage that is difficult to recover from. The assumption is, if your response isn’t forthcoming, you may have something to hide. Make sure the assigned person(s) knows when the request is due.
6. Find and sort the person’s data to prepare your response
Find and organise all the personal data you store about the requestor. This is a time-consuming and risky process if done manually; spreading the data around to too many systems and team members could put it at risk of breach.
7. Export the data in the right format
If data needs to be sent back to the requestor or forwarded to a third party, you should send it in a commonly used, machine-readable format.
8. Delete data thoroughly
When you get a request “to be forgotten” or to delete a person’s data, you must identify and delete that person’s data across all systems and employees AND all third-party vendors and partners with whom the personal information has been shared.
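The eight steps above describe one workflow: log the request with its deadlines, verify the requester before anything is released, locate the data across systems, export it in a machine-readable form, and erase it everywhere when the request is a deletion. The following is an added example that is not code from this post, from Safe Online, or from RequestManager: a small Python ledger that encodes those rules, including the 30-day response deadline and the CCPA 10-business-day acknowledgement window the post cites. The system names, e-mail addresses, records and the processor name are constructed for illustration, and the weekday-only deadline calculation ignores public holidays.

```python
# Added illustration of a DSAR ledger (constructed example, not a real product's code).
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
import json

RESPONSE_DEADLINE_DAYS = 30        # "usually within 30 days" (step 5)
ACK_DEADLINE_BUSINESS_DAYS = 10    # CCPA: confirm receipt within 10 business days (step 4)


class Kind(Enum):
    ACCESS = "access"
    PORTABILITY = "portability"
    DELETION = "deletion"


class Status(Enum):
    RECEIVED = "received"
    VERIFIED = "verified"
    FULFILLED = "fulfilled"


def add_business_days(start: date, days: int) -> date:
    """Advance by Monday-to-Friday days only; public holidays are not modelled (assumption)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


@dataclass
class Dsar:
    request_id: str
    subject_email: str
    kind: Kind
    received: date
    owner: str                      # team member responsible for responding (step 2)
    status: Status = Status.RECEIVED
    audit: list = field(default_factory=list)   # evidence for the authorities (step 2)

    @property
    def ack_due(self) -> date:
        return add_business_days(self.received, ACK_DEADLINE_BUSINESS_DAYS)

    @property
    def response_due(self) -> date:
        return self.received + timedelta(days=RESPONSE_DEADLINE_DAYS)


class DsarLedger:
    """Tracks requests plus the internal systems and third-party processors holding data."""

    def __init__(self, systems: dict, processors: list):
        self.systems = systems        # {system name: {email: record}} (constructed layout)
        self.processors = processors  # third parties that received the data (step 8)
        self.requests: dict = {}

    def log(self, dsar: Dsar) -> Dsar:
        dsar.audit.append(f"{dsar.received}: logged, response due {dsar.response_due}")
        self.requests[dsar.request_id] = dsar
        return dsar

    def verify(self, request_id: str, checks_passed: bool, on: date) -> None:
        """Record the identity check (step 3); nothing is released until it passes."""
        dsar = self.requests[request_id]
        if checks_passed:
            dsar.status = Status.VERIFIED
        dsar.audit.append(f"{on}: identity check {'passed' if checks_passed else 'failed'}")

    def _require_verified(self, dsar: Dsar) -> None:
        if dsar.status is Status.RECEIVED:
            raise PermissionError(f"{dsar.request_id}: requester not verified yet")

    def collect(self, request_id: str) -> dict:
        """Gather the subject's records from every registered system (step 6)."""
        dsar = self.requests[request_id]
        self._require_verified(dsar)
        return {name: data[dsar.subject_email]
                for name, data in self.systems.items() if dsar.subject_email in data}

    def export_json(self, request_id: str) -> str:
        """Machine-readable copy for access/portability requests (step 7)."""
        return json.dumps({"request_id": request_id, "data": self.collect(request_id)},
                          indent=2, sort_keys=True)

    def erase(self, request_id: str, on: date) -> list:
        """Delete from every system and record which processors must be told (step 8)."""
        dsar = self.requests[request_id]
        self._require_verified(dsar)
        if dsar.kind is not Kind.DELETION:
            raise ValueError("erase() applies to deletion requests only")
        touched = [name for name, data in self.systems.items()
                   if data.pop(dsar.subject_email, None) is not None]
        dsar.status = Status.FULFILLED
        dsar.audit.append(f"{on}: erased from {touched}; notify {self.processors}")
        return touched

    def overdue(self, today: date) -> list:
        """Open requests past their response deadline (the reminder of step 5)."""
        return [r.request_id for r in self.requests.values()
                if r.status is not Status.FULFILLED and today > r.response_due]


# Constructed sample data: two internal systems and one processor.
SYSTEMS = {
    "crm": {"ann@example.com": {"name": "Ann Example", "tier": "gold"}},
    "support": {"ann@example.com": {"tickets": 3}, "bob@example.com": {"tickets": 1}},
}
PROCESSORS = ["mailing-list-vendor"]


def demo() -> dict:
    ledger = DsarLedger({k: dict(v) for k, v in SYSTEMS.items()}, list(PROCESSORS))
    ann = ledger.log(Dsar("DSAR-1", "ann@example.com", Kind.DELETION, date(2024, 3, 1), "privacy-team"))
    ledger.log(Dsar("DSAR-2", "bob@example.com", Kind.ACCESS, date(2024, 3, 1), "privacy-team"))
    try:
        ledger.collect("DSAR-1")          # must fail: identity not yet verified
        released_early = True
    except PermissionError:
        released_early = False
    ledger.verify("DSAR-1", checks_passed=True, on=date(2024, 3, 4))
    found = ledger.collect("DSAR-1")
    erased = ledger.erase("DSAR-1", on=date(2024, 3, 5))
    return {
        "ack_due": ann.ack_due.isoformat(),
        "response_due": ann.response_due.isoformat(),
        "released_early": released_early,
        "found_in": sorted(found),
        "erased_from": erased,
        "still_holding_data": sorted(k for k, v in ledger.systems.items() if v),
        "overdue_on_2024_04_15": ledger.overdue(date(2024, 4, 15)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the `_require_verified` guard is that data collection and erasure are refused, not merely flagged, until the identity check is recorded; the audit list on each request is what lets you show the authorities when the request arrived, when it was verified and when it was closed. The second request, which is never fulfilled, is the one `overdue()` reports once the 30-day window has passed.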
FAQ about data subject access requests
1. How do we know if a data request is valid?
You’re allowed to verify the identity of the person making the request – especially if sensitive data is involved. However, the process must not be unreasonably difficult or obstructive.
2. Can we reject a data access request?
In specific cases – for example, if the request is clearly unfounded or excessive – you may reject it. But you must provide a clear justification and inform the individual of your decision.
3. Do we need to provide all data when receiving a DSAR?
You must provide all data related to the individual – unless it would infringe on the rights of others. In that case, you can anonymise or withhold specific information.
4. How should we handle repeated DSARs?
If a similar request was recently fulfilled and no relevant changes have occurred, you may refuse to process the new request – but you must be able to document your reasoning.
The smart way to handle data access requests
Ignoring or mishandling data subject access requests (DSARs) can have serious consequences – both legally and for your company’s reputation. When personal data is scattered across multiple systems and departments, the risk of errors and data breaches increases, especially if you rely on manual processes. Even when handled correctly, DSARs are time-consuming and resource-intensive.
An automated solution is far more efficient. With a dedicated DSAR portal, you can receive, process, and document requests securely and systematically – without wasting time or exposing data. At Safe Online, we’ve developed RequestManager, a tool that makes it easy to manage requests in full compliance with GDPR.
Sebastian Allerelli
Founder & COO at Safe Online
Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.