How to handle a data subject access request (DSAR)
A step-by-step guide to handling a data subject access request, from verifying identity to meeting GDPR and CCPA deadlines, with a repeatable workflow that holds up in an audit.
What a DSAR is
A data subject access request, or DSAR, is when a person asks you what personal data you hold about them and what you do with it. Under the GDPR it is the right of access, and similar rights exist under the CCPA, the DPDPA and most modern privacy laws. The request can also extend to deletion, correction or portability depending on the law and what the person asks for.
DSARs can arrive by any channel: an email, a web form, a support ticket, even a verbal request. That is why the first job is to recognize one when it appears and route it into a defined process rather than letting it sit in an inbox.
Step 1: log it and start the clock
The legal deadline starts when the request is received, not when someone gets around to it. So the moment a DSAR arrives, log it with the date, the requester, and what they asked for. This timestamp anchors your SLA, 30 calendar days under the GDPR and 45 days under the CCPA, both extendable in limited circumstances.
A central intake, rather than scattered emails, is what keeps you from missing a deadline. ConsentX runs an SLA timer per request so the clock is visible and overdue requests surface before they become a problem.
Step 2: verify identity
Before you hand over personal data, you must be reasonably sure the requester is who they claim to be; otherwise you risk disclosing someone's data to an impostor. Use proportionate verification: confirm control of the account or email on file rather than demanding excessive new documents, which is itself a privacy problem.
Time spent on reasonable verification can pause the clock in some regimes, but do not use verification as a stalling tactic. Keep it quick and proportionate to the sensitivity of the data involved.
Step 3: find all the data
This is usually the hardest part. Personal data about one person can live in your product database, your CRM, your support tool, your analytics, your email marketing platform and your backups. A DSAR is only complete if it covers all of these, so maintain a map of where personal data sits and who owns each system.
Search each location for the requester's identifiers, then collect what you find. If you process data through vendors, you may need to ask them too, which is why knowing your processors matters.
Step 4: review and redact
Before responding, review what you gathered. Some data may be exempt, and some may reveal information about other people, which you generally must redact to protect their privacy. You should also confirm that what you are about to disclose is accurate and complete.
Document the decisions you make here. If you withhold something under an exemption, note why, so your reasoning is on record if the request is later challenged.
Step 5: respond and record
Deliver the response within the deadline, securely and in a clear, accessible format. For an access request that means a copy of the data and an explanation of the purposes, recipients and retention. For a deletion request it means confirming what was erased.
Finally, keep a record of the whole handling: when it arrived, how you verified, what you searched, what you disclosed or withheld and why, and when you responded. That record is your proof of compliance and turns each DSAR into defensible evidence rather than a one-off scramble.
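The five steps above amount to one case record with a deadline and an audit trail. The following is an added example, not ConsentX code, of how that record can be modelled: the deadline is counted in calendar days from receipt using the 30-day (GDPR) and 45-day (CCPA) baselines the guide names, extension length is passed in explicitly because it differs by law, every withheld item carries its reason, and a central queue surfaces overdue requests. The request id, requester, systems and dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Baseline response windows from the guide, in calendar days from receipt.
# Extension lengths differ by law, so they are supplied per request, not assumed.
BASE_DAYS = {"GDPR": 30, "CCPA": 45}

@dataclass
class DSAR:
    request_id: str          # constructed id, not a real case number
    regime: str              # "GDPR" or "CCPA"
    received: date           # the clock starts on receipt, not on triage
    requester: str
    asked_for: str           # access / deletion / correction / portability
    extension_days: int = 0  # only set once an extension is justified and notified
    events: list = field(default_factory=list)  # the audit trail

    def log(self, day: date, action: str, detail: str) -> None:
        self.events.append((day.isoformat(), action, detail))

    def deadline(self) -> date:
        return self.received + timedelta(days=BASE_DAYS[self.regime] + self.extension_days)

    def responded(self) -> bool:
        return any(action == "responded" for _, action, _ in self.events)

    def is_overdue(self, today: date) -> bool:
        return today > self.deadline() and not self.responded()

    def withheld(self) -> list:
        # Each withheld item must carry its reason; this is what an auditor reads.
        return [detail for _, action, detail in self.events if action == "withheld"]

def overdue_queue(requests: list, today: date) -> list:
    """Central intake view: open requests past their deadline, oldest first."""
    late = [r for r in requests if r.is_overdue(today)]
    return sorted(late, key=lambda r: r.deadline())

def demo() -> DSAR:
    # Constructed sample case walked through the guide's five steps.
    req = DSAR("DSAR-0001", "GDPR", date(2024, 3, 1), "j.doe@example.com", "access")
    req.log(date(2024, 3, 1), "logged", "received via web form; SLA clock started")
    req.log(date(2024, 3, 2), "verified", "requester confirmed control of account email")
    for system, hits in [("product-db", 3), ("crm", 1), ("support", 0), ("backups", 2)]:
        req.log(date(2024, 3, 5), "searched", f"{system}: {hits} records")
    req.log(date(2024, 3, 10), "withheld", "support note #42: redacted, names another customer")
    req.log(date(2024, 3, 20), "responded", "copy of data sent via secure download link")
    return req
```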
This guide is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified counsel.
Frequently asked questions
How long do I have to respond to a DSAR?
Under the GDPR you generally have one month, around 30 days, extendable by two further months for complex requests. Under the CCPA the baseline is 45 days, extendable once. Always confirm the deadline for the specific law that applies.
Can I charge a fee for a DSAR?
Usually no. Access requests are normally free, though you may charge a reasonable fee or refuse if a request is manifestly unfounded or excessive, for example a repetitive request.
How do I verify the identity of a requester?
Use proportionate checks, such as confirming control of the account or email on file. Avoid demanding excessive new identity documents, which can create its own privacy risk.