Data Subject Access Requests (DSARs): The Complete Guide

What Is a Data Subject Access Request?

A DSAR is a request from an individual to see what personal data your organization holds about them. Under GDPR, it's one of the most fundamental data subject rights (Article 15). Under CCPA, it's the "Right to Know."

Any individual whose data you process can submit a DSAR — customers, employees, website visitors, or job applicants. And you can't ignore them. Failure to respond properly is one of the most common reasons organizations face regulatory complaints.

Legal Requirements at a Glance

GDPR

Response deadline: 30 days from receipt (extendable to 90 days for complex requests)

Format: Must be provided in a commonly used electronic format if requested electronically

Cost: Free for reasonable requests. You can charge a "reasonable fee" for manifestly unfounded or excessive requests

What to include: All personal data, processing purposes, categories of data, recipients, retention periods, data source, and existence of automated decision-making

CCPA

Response deadline: 45 days from receipt (extendable to 90 days with notice)

Format: Portable and readily usable format

Cost: Free (up to two requests per 12-month period)

What to include: Categories of personal information collected, specific pieces of data, sources, business purposes, and categories of third parties shared with

Step-by-Step DSAR Process

Step 1: Receive the Request

DSARs can arrive through any channel — email, phone, web form, social media, even verbal requests. Your team needs to recognize them even when the person doesn't use formal language. "Can you tell me what data you have on me?" is a valid DSAR.

Best practice: Create a dedicated intake point (privacy@company.com or a web form) and train all customer-facing staff to route requests there.

Step 2: Log and Acknowledge

Within 1-3 business days of receiving a request:

Log the request with: date received, requestor name/email, channel received through, type of request

Send an acknowledgment confirming receipt and expected timeline

Assign an owner within your team

Acknowledgment template:

Subject: Your Data Access Request — Received

>

Dear [Name],

>

We've received your data access request submitted on [date]. We'll process this within 30 days and provide you with a complete response.

>

If we need any additional information to verify your identity or clarify your request, we'll reach out promptly.

>

Reference number: [DSAR-YYYY-NNN]

>

Privacy Team, [Company Name]

Step 3: Verify Identity

You must verify the requestor is who they claim to be — responding to the wrong person would itself be a data breach.

Proportionate verification methods:

If they're a registered user: Ask them to submit the request while logged in, or confirm account details

If they're not a registered user: Request enough identifying information to match them in your systems (name + email + one additional identifier)

Don't over-collect: Only request the minimum information needed for verification

Step 4: Gather the Data

This is typically the most time-consuming step. You need to search across all systems where their data might exist:

CRM (Salesforce, HubSpot, etc.)

Email/communication history

Support tickets

Marketing platforms

Analytics (if identifiable)

Payment/billing systems

HR systems (if employee)

Backups and archives

Third-party processors

Common challenges:

Data spread across dozens of systems

Unstructured data (emails, notes, documents)

Data in different formats

Unclear data ownership between teams

This is where automation pays for itself. PrivaBase's DSR management tools can automatically search across connected systems, compile results, and generate responses — turning hours of work into minutes.

Step 5: Review and Redact

Before sending, review the compiled data for:

Third-party data — If the request reveals another person's data (e.g., an email thread), you must redact the third party's information

Legal privilege — In rare cases, some data may be exempt (ongoing litigation, trade secrets)

Accuracy — Verify the data is complete and correctly attributed

Step 6: Deliver the Response

Provide the data in a clear, structured format:

Response structure:

Summary of processing activities

Categories of data held

Purposes of processing

Recipients and third parties

Retention periods

Data sources

Rights reminder (deletion, correction, objection, complaint to supervisory authority)

The actual data (as attachment or secure download)

Format options:

PDF report with structured sections

CSV/JSON for structured data (portability-friendly)

Secure download link (don't email large data files unencrypted)

Step 7: Close and Document

After delivering the response:

Log the completion date

Record what was provided

Note any exemptions applied and why

Retain the DSAR record for at least 3 years (GDPR recommends documenting compliance)

Handling Difficult DSAR Scenarios

"I Want Everything You Have on Me"

This is the default scope. You must provide all personal data unless a specific exemption applies. Don't ask requestors to narrow their scope — but you can ask clarifying questions to process the request efficiently.

Excessive or Repeated Requests

Under GDPR, you can charge a reasonable fee or refuse "manifestly unfounded or excessive" requests. This is a high bar — regulators expect you to fulfill most requests. Document your reasoning if you refuse.

Under CCPA, you only need to fulfill two requests per consumer per 12-month period.

Requests from Employees

Employee DSARs can be complex because they often involve HR records, performance reviews, emails about the employee, and internal discussions. The same rights and timelines apply, but redaction of third-party data is more involved.

Requests Involving Other People's Data

If fulfilling a DSAR would reveal another person's data, you must balance both parties' rights. Typically: redact the third party's information unless they consent to disclosure.

Can't Find Any Data

If you genuinely hold no data on the requestor after a thorough search, inform them of this. You've still fulfilled the request.

Building an Efficient DSAR Process

For Low Volume (< 5 requests/month)

Dedicated email inbox

Spreadsheet tracker

Manual data gathering with a documented checklist per system

Template responses

For Medium Volume (5-50 requests/month)

Web intake form with automated acknowledgment

Ticketing system (or dedicated DSR tool)

Semi-automated data gathering

Response templates with standardized data formats

For High Volume (50+ requests/month)

Automated intake and identity verification

API-based data gathering across systems

Automated response generation

PrivaBase's DSR automation handles the full lifecycle: intake → verification → data gathering → redaction → response → documentation

Key Metrics to Track

Average response time — Are you meeting the 30/45-day deadline?

Requests per month — Trending up or down?

Time to complete — Where are bottlenecks?

Exemptions applied — Are you using them appropriately?

Requestor satisfaction — Do people follow up with complaints?

Key Takeaways

DSARs are a legal obligation, not optional — failing to respond properly is a regulatory complaint waiting to happen

Identity verification is critical — responding to the wrong person creates a new breach

The biggest time sink is gathering data across systems — automate this first

Keep meticulous records of every request and response

Build your process before the volume hits — PrivaBase makes this easy even for small teams

Treat DSARs as a trust signal — responding well builds customer confidence