Data Subject Access Requests (DSARs) are one of the most frequently exercised rights under the GDPR and similar privacy laws worldwide. When an individual asks to see the personal data your organisation holds about them, you must respond accurately, completely and within strict deadlines. A poorly handled DSAR can lead to regulatory complaints, enforcement action and reputational damage.
What Is a DSAR?
A DSAR is a request made by an individual — known as the data subject — to obtain a copy of the personal data an organisation holds about them. Under Article 15 of the GDPR, individuals also have the right to know the purposes of processing, the categories of data held, the recipients of their data, the retention period and the source of the data if it was not collected directly.
DSARs can be submitted in any format — email, letter, social media, verbally or even via a third party acting on behalf of the data subject. Organisations cannot insist on a specific format or channel.
DSAR Timelines and Deadlines
Under the GDPR, organisations must respond to a DSAR within one calendar month of receipt. This deadline can be extended by a further two months for complex or voluminous requests, but the data subject must be informed of the extension and the reasons within the initial one-month period.
Under Singapore's PDPA, an organisation must respond within 30 days of receiving the request; if it cannot, it must tell the requester in writing, within those same 30 days, when it will be able to respond. Regardless of jurisdiction, prompt action is essential. Establish internal SLAs that give your team sufficient time to locate, review and compile the data before the external deadline.
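The deadline arithmetic above has edge cases that an intake tracker gets wrong surprisingly often (a request received on 31 January has no "corresponding date" in February). The following is an added example, not code from the page; it assumes the "corresponding calendar date, else last day of the month" rule for GDPR calendar months, the UK ICO's reading that a deadline falling on a weekend or public holiday moves to the next working day, and an internal SLA five working days ahead of the external date. Public holidays are caller-supplied; none are built in.

```python
"""DSAR deadline arithmetic for an intake log (added example; assumptions noted)."""
import calendar
from datetime import date, timedelta


def add_calendar_months(start: date, months: int) -> date:
    """Same day-of-month `months` later; if that month is shorter, its last day.
    Assumption: this is how "one calendar month" is counted. 31 Jan + 1 -> 29 Feb 2024."""
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date, holidays: frozenset = frozenset()) -> date:
    """Roll forward past Saturday/Sunday and any supplied holidays (ICO reading, assumed)."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def working_days_before(d: date, n: int, holidays: frozenset = frozenset()) -> date:
    """Step back `n` working days from `d` to get the internal SLA target."""
    while n > 0:
        d -= timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            n -= 1
    return d


def gdpr_deadlines(received: date, extended: bool = False,
                   holidays: frozenset = frozenset(), buffer_days: int = 5) -> dict:
    """Article 12(3): one month from receipt, extendable by two further months.
    The extension notice must go out within the initial month, so that date is
    reported even when the extension is used."""
    initial = next_working_day(add_calendar_months(received, 1), holidays)
    final = next_working_day(add_calendar_months(received, 3), holidays) if extended else initial
    return {
        "received": received,
        "extension_notice_by": initial,
        "respond_by": final,
        "internal_target": working_days_before(final, buffer_days, holidays),
    }


def pdpa_deadlines(received: date, buffer_days: int = 5) -> dict:
    """Singapore PDPA: respond within 30 days, or within those 30 days tell the
    requester in writing when you will. No weekend roll is applied here."""
    respond_by = received + timedelta(days=30)
    return {
        "received": received,
        "respond_or_notify_by": respond_by,
        "internal_target": working_days_before(respond_by, buffer_days),
    }


if __name__ == "__main__":
    for key, value in gdpr_deadlines(date(2024, 1, 31), extended=True).items():
        print(f"{key:>20}: {value}")
```

The internal target is the date to put in front of the team; the external dates are what the regulator will measure. If your jurisdiction or supervisory authority counts differently, change `add_calendar_months` and `next_working_day` rather than the callers.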
Identity Verification
Before disclosing personal data, you must verify the identity of the requester to prevent unauthorised disclosure. However, verification measures should be proportionate. For existing customers making a request through their registered email, additional verification may not be necessary, provided the response goes back to that same address: a message from a registered address is evidence, not proof, because mailboxes get compromised, so verify separately before sending data to a new address or to someone else. For requests from unknown individuals or third parties, you may request a copy of government-issued ID or ask security questions, and you should confirm that a third party actually has the data subject's authority to act.
Avoid over-collecting personal data for verification purposes. Only request the minimum information needed to confirm the requester's identity, and delete copies of identity documents once the check is complete.
Searching for and Compiling Data
A thorough DSAR response requires searching all systems where personal data may be stored. This includes databases, CRM systems, email inboxes, shared drives, backup systems, paper files and third-party platforms. Using a Data Protection Manager with a comprehensive data inventory makes this process significantly more efficient.
Key steps in the search process include:
- Consulting your Records of Processing Activities (ROPA) to identify all systems containing personal data
- Searching structured databases using unique identifiers
- Searching unstructured data sources such as email and shared drives
- Contacting third-party processors who may hold data on your behalf
- Reviewing archived and backup data if within retention periods
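The search steps above amount to a loop over the data inventory, with a different search method per system type and a record of what was searched (the audit trail the Record Keeping section asks for). The following is an added example, not code from the page or from any product: the inventory, the SQLite tables, the text sources and the processor contact are all constructed stand-ins for a ROPA extract, a CRM and ticketing database, a mailbox export, a shared drive and a payroll processor. The identifiers come from the requester, so they are always bound as SQL parameters; only the table and column names come from the inventory.

```python
"""Cross-system DSAR search driven by a data inventory (added example; all data constructed)."""
import re
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone

INVENTORY = [  # constructed: which systems hold personal data and how a subject is located in each
    {"system": "crm", "kind": "sql", "table": "customers",
     "id_columns": {"email": "email", "customer_id": "customer_id"}},
    {"system": "support", "kind": "sql", "table": "tickets",
     "id_columns": {"requester_email": "email"}, "text_columns": ["body"]},
    {"system": "mailbox-export", "kind": "text"},
    {"system": "shared-drive", "kind": "text"},
    {"system": "payroll-processor", "kind": "processor", "contact": "dpo@payroll.example"},
]

TEXT_SOURCES = {  # constructed stand-ins for files: system -> {path: content}
    "mailbox-export": {
        "inbox/2024-02-03.eml": "From: alice@example.org\nSubject: Address change\nPlease update my address.",
        "inbox/2024-02-04.eml": "From: carol@example.org\nSubject: Lunch\nNothing about the requester here.",
    },
    "shared-drive": {
        "finance/refunds-2024.csv": "C-1001,49.90,refunded\nC-1002,12.00,pending",
    },
}


def build_sample_db() -> sqlite3.Connection:
    """Constructed CRM and ticketing tables; ticket 8 belongs to another person but mentions the requester."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(customer_id TEXT, email TEXT, full_name TEXT);
        INSERT INTO customers VALUES ('C-1001','alice@example.org','Alice Ng'),
                                     ('C-1002','bob@example.org','Bob Tan');
        CREATE TABLE tickets(ticket_id INTEGER, requester_email TEXT, body TEXT);
        INSERT INTO tickets VALUES (7,'alice@example.org','Cannot log in'),
                                   (8,'bob@example.org','Invoice query, cc alice@example.org');
    """)
    return conn


@dataclass
class Finding:
    system: str
    location: str   # table#rowid or path:line, so every disclosed item can be traced back
    excerpt: str


@dataclass
class AuditEntry:
    system: str
    status: str     # "searched" or "referred-to-processor"
    hits: int
    at: str


def search_sql(conn, entry, identifiers):
    """Exact match on identifier columns, substring match on free-text columns.
    Names come from the trusted inventory; requester-supplied values are bound."""
    clauses, params = [], []
    for col, kind in entry.get("id_columns", {}).items():
        if kind in identifiers:
            clauses.append(f"{col} = ?")
            params.append(identifiers[kind])
    for col in entry.get("text_columns", []):
        for value in identifiers.values():
            clauses.append(f"instr({col}, ?) > 0")  # instr() has no LIKE wildcards to escape
            params.append(value)
    if not clauses:
        return []
    sql = f"SELECT rowid, * FROM {entry['table']} WHERE {' OR '.join(clauses)}"
    return [Finding(entry["system"], f"{entry['table']}#{row[0]}", ", ".join(map(str, row[1:])))
            for row in conn.execute(sql, params)]


def search_text(entry, identifiers, sources):
    """Line-level scan of unstructured sources for any known identifier."""
    pattern = re.compile("|".join(rf"\b{re.escape(v)}\b" for v in identifiers.values()), re.IGNORECASE)
    hits = []
    for path, content in sources.get(entry["system"], {}).items():
        for n, line in enumerate(content.splitlines(), 1):
            if pattern.search(line):
                hits.append(Finding(entry["system"], f"{path}:{n}", line.strip()))
    return hits


def run_dsar_search(identifiers, conn, sources, inventory=INVENTORY):
    """Walk every inventory entry; return findings, the audit trail, and follow-up
    actions for data held by processors that the organisation cannot search itself."""
    findings, audit, actions = [], [], []
    for entry in inventory:
        now = datetime.now(timezone.utc).isoformat(timespec="seconds")
        if entry["kind"] == "processor":
            actions.append(f"Ask {entry['system']} ({entry['contact']}) for records held on our behalf")
            audit.append(AuditEntry(entry["system"], "referred-to-processor", 0, now))
            continue
        hits = (search_sql(conn, entry, identifiers) if entry["kind"] == "sql"
                else search_text(entry, identifiers, sources))
        findings.extend(hits)
        audit.append(AuditEntry(entry["system"], "searched", len(hits), now))
    return findings, audit, actions


if __name__ == "__main__":
    subject = {"email": "alice@example.org", "customer_id": "C-1001"}
    found, trail, todo = run_dsar_search(subject, build_sample_db(), TEXT_SOURCES)
    for f in found:
        print(f"{f.system:16} {f.location:28} {f.excerpt}")
    print(todo)
```

Two things the run shows that the bullet list does not: searching only identifier columns would have missed ticket 8, which is another customer's ticket that mentions the requester, so free-text columns need their own pass; and that same hit is exactly the kind of record where the third-party exemption in the next section applies, because the rest of the row is Bob's data. The `AuditEntry` list records every system consulted, including the one where the result was "ask the processor", not just the ones that returned data.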
Exemptions and Redactions
Not all data must be disclosed in a DSAR response. The GDPR itself limits the right in Article 15(4): the copy provided must not adversely affect the rights and freedoms of others. The further exemptions below come from the UK Data Protection Act 2018 and differ in other jurisdictions, so check the local law before relying on them:
- Third-party data: You must not disclose personal data about other identifiable individuals without their consent, unless it is reasonable to do so
- Legal privilege: Data protected by legal professional privilege is exempt
- Confidential references: References given in confidence for employment purposes may be withheld
- Management forecasting: Data relating to management planning that would be prejudiced by disclosure
- Crime and taxation: Data processed for crime prevention or tax collection purposes where disclosure would prejudice those objectives
When redacting information, document your reasoning clearly. Keep a record of what was withheld and why, in case of subsequent complaints to the supervisory authority.
Responding to the Data Subject
The response should be clear, concise and in an accessible format. If the request was made electronically, provide the data in a commonly used electronic form unless the data subject asks otherwise. Include the supplementary information required by Article 15(1), such as the purposes of processing, categories of data, recipients, retention periods and the source of the data. The response bundle is itself a concentration of personal data, so deliver it over a secure channel (an encrypted file with the password sent separately, or a secure portal) and only to the address or person verified at intake.
The response must be provided free of charge. However, a reasonable fee can be charged if the request is manifestly unfounded or excessive, or if the data subject requests additional copies.
Handling Excessive or Unfounded Requests
The GDPR allows organisations to refuse or charge a fee for requests that are manifestly unfounded or excessive. This might include repeated requests from the same individual with no reasonable interval, or requests clearly intended to cause disruption. However, the burden of demonstrating that a request is unfounded or excessive falls on the organisation, so exercise this power cautiously and document your reasoning.
Automating the DSAR Process
As DSAR volumes grow, manual processing becomes unsustainable. Consider automating key aspects of the workflow:
- Intake and tracking: Use a centralised system to log, assign and track all DSARs through to completion
- Identity verification: Implement standardised verification procedures with clear decision trees
- Data discovery: Leverage data mapping and inventory tools to speed up search across systems
- Review and redaction: Use templates and redaction tools to streamline the review process
- Response generation: Automate response letters with pre-approved templates
A comprehensive data protection platform can manage the entire DSAR lifecycle from receipt to response, ensuring nothing falls through the cracks.
Record Keeping and Audit Trails
Maintain detailed records of every DSAR received, including the date of receipt, steps taken to verify identity, systems searched, data disclosed, data withheld with reasons, and the date of response. This audit trail is essential for demonstrating compliance to supervisory authorities and defending against complaints.
Your Data Protection Officer should regularly review DSAR handling procedures to ensure they remain effective and compliant. Consider conducting periodic audits with DPO support to identify areas for improvement.
Common DSAR Pitfalls to Avoid
- Missing the response deadline — set internal reminders well before the external deadline
- Failing to search all data sources — incomplete responses invite complaints
- Over-redacting information without proper justification
- Disclosing third-party personal data without appropriate safeguards
- Insisting on specific request formats when the law does not require this
- Failing to recognise a DSAR when it is phrased informally
Conclusion
Handling DSARs effectively requires a combination of clear procedures, trained staff and the right technology. By investing in a structured approach, organisations can respond to access requests efficiently while minimising compliance risk. Regular training, comprehensive data inventories and automated workflows are the keys to scaling your DSAR process as volumes increase.