Complying with Data Subject Access Requests: A Detailed Guide for Organizations

The detailed steps that a company can take to ensure that it is complying with DSAR

Complying with Data Subject Access Requests: A Detailed Guide for Organizations
Photo by FLY:D / Unsplash

As an organization, it's important to have a clear and effective process in place for handling data subject access requests (DSARs). DSARs are requests made by individuals for access to their personal data that is held by an organization, and they are typically made under the provisions of data protection legislation, such as the General Data Protection Regulation (GDPR) in the European Union or the California Consumer Privacy Act (CCPA) in California, United States.

Under these laws, individuals have the right to request and receive a copy of their personal data, as well as information about how their data is being used and who it has been shared with. This enables individuals to understand and exercise their rights in relation to their personal data, including the right to object to its processing, the right to request its rectification or erasure, and the right to withdraw their consent for its processing.

Organizations have a legal obligation to respond to DSARs within a certain timeframe and to provide the requested information in a clear and concise manner. If an organization fails to respond to a DSAR or fails to provide the requested information, the individual may have the right to file a complaint with the relevant regulatory authority or to seek legal remedies.

In this article, we'll provide a detailed guide on how to comply with DSARs, including steps to take when receiving a request, gathering and reviewing the relevant information, and preparing and responding to the request.

Step 1: Establish a process for handling DSARs

It's important to have a clear process in place for receiving and responding to DSARs. This should include identifying the appropriate team members to handle the request, determining the relevant information to be provided, and establishing a timeline for responding to the request.

It's a good idea to designate a dedicated team or individual to handle DSARs, as they will be responsible for managing the request from start to finish. This team or individual should have a thorough understanding of the organization's data protection policies and procedures, as well as the relevant laws and regulations governing DSARs.

Step 2: Understand the scope of the request

It's important to carefully review the DSAR to understand exactly what information the individual is requesting. This will allow the organization to identify any potential challenges or issues that may arise in fulfilling the request.

The scope of the DSAR may be broad or specific, and it's important to carefully review the request to ensure that all relevant information is included in the response. In some cases, it may be necessary to clarify the scope of the request with the individual making the request if it is not clear from the initial request.

Step 3: Gather and review the relevant information

Once the scope of the request has been determined, the organization should gather and review all relevant personal data in its possession or control. This may include information stored in electronic databases, as well as physical records.

It's important to carefully review all the relevant information to ensure that it is complete and accurate. If any errors or discrepancies are identified, it's important to take steps to correct the information before responding to the DSAR.

Step 4: Consider any legal exemptions or limitations

In some cases, an organization may be permitted to withhold or redact certain information in response to a data subject access request (DSAR). This could include information that is subject to legal privilege, that relates to the personal data of another individual, or that could cause harm to the organization's legitimate interests.

It's important to carefully review any applicable laws or regulations to determine if any exemptions or limitations apply to the DSAR. If any exemptions or limitations are identified, the organization should consider whether they are applicable and, if so, how they should be applied in the response to the DSAR.

It's also important to provide clear and concise explanations for any exemptions or limitations applied in the response to the DSAR. This will help the individual making the request understand why certain information has been withheld or redacted, and will demonstrate the organization's commitment to transparency.

Step 5: Prepare and respond to the request

Once the relevant information has been gathered and reviewed, and any applicable exemptions or limitations have been considered, the organization is ready to prepare and respond to the DSAR.

It's important to clearly and concisely communicate the information provided in the response, and to be transparent about any exemptions or limitations that have been applied.

The response should be provided in the format requested by the individual, or in a format that is readily accessible to them. If the individual has requested that the information be provided electronically, it's a good idea to include clear instructions on how to access the information.

Step 6: Keep records of the DSAR and the response

It's important to keep records of the DSAR and the response, including any information that was provided or withheld, as well as any exemptions or limitations that were applied. These records should be kept for a reasonable period of time in case the individual or a regulatory authority has any questions about the response.


By following these steps, organizations can effectively and efficiently comply with DSARs and demonstrate their commitment to data privacy and transparency. It's important to remember that responding to DSARs is a legal obligation, and failure to do so may result in legal consequences. By establishing a clear and effective process for handling DSARs, organizations can ensure that they are meeting their obligations and protecting the rights of their customers.