A data subject access request (DSAR) is one of those GDPR obligations that sounds manageable in theory — until someone actually sends you one and you realise you have no idea where to start, what data you hold, or what the deadline actually is.
This guide gives you a concrete, step-by-step process for handling DSARs. Not theory. The actual workflow.
"30 calendar days. Not business days. Do not let this slip past you."
What Is a DSAR, Exactly?
A Data Subject Access Request is a request under Article 15 of the GDPR from an individual asking to know what personal data you hold about them, why you hold it, who you share it with, where it came from, and how long you keep it. They can also:
- Request a copy of the data you hold (this is part of the access right itself)
- Ask you to correct inaccurate data (rectification, Article 16)
- Ask you to delete their data (right to erasure, Article 17)
- Restrict how you use their data (Article 18)
- Request their data in a portable, machine-readable format (data portability, Article 20)
Strictly, the last four are separate rights rather than part of the access request, but they commonly arrive in the same message, and the same one-month deadline and the same workflow apply to them.
Requests don't have to use specific magic words. "I want to see everything you know about me" is a valid DSAR. So is an email from a former employee asking "what personal data do you still hold on me?" You can offer a subject access request form, but you cannot insist on it: a request made verbally, in a chat message, or in passing to any member of staff still counts, and the clock starts when it reaches your organisation, not when it reaches the compliance team.
The 30-Day Clock
You have one month from the day you receive the request (Article 12(3)). Count it as the corresponding date in the following month, or the last day of that month if there is no such date: a request received on 31 January is due on 28 February (29 February in a leap year), and one received on 15 March is due on 15 April. If the request is complex, or the same person has sent several, you can extend this by a further two months, but you must tell the requester within the first month that you're extending the deadline and why.
The clock does not pause over weekends, holidays or bank holidays, and it does not pause while you search. This catches people out more often than you'd think.
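The month-end edge cases are easy to get wrong by hand. The following Python, added here as an example and not code from the original page or the product it describes, computes the response deadline, the extended deadline, and the last day on which an extension notice can still be sent, using the corresponding-date convention described above (the one the ICO applies). The function names and the sample dates are assumptions of the example. Weekend and public-holiday roll-over, which some supervisory authorities allow, is deliberately not applied, so the result is the conservative deadline.

```python
"""Deadline arithmetic for a DSAR under GDPR Article 12(3).

Added example; not code from the original page. Uses the "corresponding
date in the following month" convention. Weekend/holiday roll-over is
deliberately NOT applied, so every result is the earliest possible deadline.
"""
import calendar
from datetime import date


def _as_date(value) -> date:
    """Accept a date or an ISO 8601 string such as '2024-01-31'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_months(start, months: int) -> date:
    """Return the corresponding calendar date `months` later.

    If that day does not exist (31 January + 1 month), clamp to the last
    day of the target month, which is how "one month" is counted.
    """
    start = _as_date(start)
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def response_deadline(received, extended: bool = False) -> date:
    """Art. 12(3): one month from receipt, or three months if extended."""
    return add_months(received, 3 if extended else 1)


def extension_notice_deadline(received) -> date:
    """The requester must be told about an extension within the first month."""
    return add_months(received, 1)


def days_remaining(received, today, extended: bool = False) -> int:
    """Calendar days left (negative means overdue). Weekends and holidays count."""
    return (response_deadline(received, extended) - _as_date(today)).days


def dsar_status(received, today, extended: bool = False) -> str:
    """Human-readable state for a DSAR register entry."""
    left = days_remaining(received, today, extended)
    if left < 0:
        return f"OVERDUE by {-left} day(s)"
    if left == 0:
        return "DUE TODAY"
    return f"{left} day(s) remaining"


if __name__ == "__main__":
    # Constructed sample: a request received on the last day of January.
    received = "2024-01-31"
    print("deadline:        ", response_deadline(received))        # 2024-02-29
    print("if extended:     ", response_deadline(received, True))  # 2024-04-30
    print("extension notice:", extension_notice_deadline(received))  # 2024-02-29
    print("status on 20 Feb:", dsar_status(received, "2024-02-20"))
```

Feed `dsar_status` today's date from your register each morning and you get the overdue check for free; the clamping in `add_months` is what makes 31 January land on 29 February rather than a non-existent 31 February or, worse, 2 March.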
The Step-by-Step Workflow
Step 1 — Log the request immediately
Record the date received, the deadline it implies, how it arrived (email, form, verbal), and the identity of the requester. This is your evidence that you started the clock on the right day.
Step 2 — Verify identity
You must not hand over personal data to the wrong person; doing so is a personal data breach in its own right. If you have reasonable doubt about the requester's identity, ask for verification before you disclose anything, and make sure the address you will eventually send the response to is the one you verified. Don't ask for disproportionate proof: a recent order reference or account details may be enough for a customer who has written from the email address on their account.
Step 3 — Acknowledge receipt
Send a brief confirmation: you've received their request, you'll respond by [date], and here's your reference number. This is good practice even if not strictly required.
Step 4 — Search all data sources
Check your CRM, email platform (including shared mailboxes), ticketing system, HR platform, chat tools, cloud storage, backups, and any other systems that might hold personal data. Document where you searched, the search terms you used, and what you found, even if you found nothing in a particular system.
Step 5 — Identify and apply any exemptions
Some data may be legitimately withheld: data relating to third parties, legally privileged information, exemptions set by national law under Article 23 (for example, ongoing criminal investigations), and information whose disclosure would adversely affect the rights of others, such as trade secrets (Article 15(4) and Recital 63). Exemptions apply to specific items, not to the response as a whole, and the burden of justifying them is on you, so document your reasoning for every exemption you apply.
Step 6 — Compile and redact
Compile the responsive data into a clear, structured response. Redact third-party personal data but never the requester's own: if you're providing a copy of an email chain, for example, redact other people's email addresses and names and leave the requester's intact. Keep the unredacted originals on file so you can show exactly what was withheld if the individual complains.
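As an added example (not code from the original page or its product), here is a first-pass redaction script for the email-chain case. It reads the From/To/Cc headers of a plain-text chain, treats everyone other than the requester (identified by email address) as a third party, replaces their addresses and names throughout the text, and returns a small report for your DSAR log. The sample chain, the addresses and the names in it are constructed for the example, and the function names are the example's own.

```python
"""Third-party redaction for a DSAR email-chain disclosure (Step 6).

Added example; not code from the original page. Assumes a plain-text chain
with From/To/Cc headers and a requester identified by email address. The
output is a first pass for human review, not a finished disclosure.
"""
import re
from email.utils import getaddresses

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HEADER_RE = re.compile(r"^(?:From|To|Cc):\s*(.+)$", re.MULTILINE)
EMAIL_MARK = "[REDACTED: third-party email]"
NAME_MARK = "[REDACTED: third-party name]"

# Constructed sample chain; every person and address in it is fictional.
SAMPLE_CHAIN = """\
From: Dana Lopez <dana.lopez@partner.example>
To: Sam Requester <sam@customer.example>
Cc: Priya Nair <priya.nair@vendor.example>
Subject: Re: Your account

Hi Sam,

Priya confirmed the refund went through. Dana's note from last week still
applies, so please contact dana.lopez@partner.example if anything changes.

Thanks,
Dana
"""


def collect_parties(chain: str) -> dict:
    """Map each lower-cased address found in From/To/Cc to its display name."""
    parties = {}
    for value in HEADER_RE.findall(chain):
        for name, addr in getaddresses([value]):
            if addr:
                parties.setdefault(addr.lower(), name.strip())
    return parties


def third_party_names(parties: dict, requester_email: str) -> list:
    """Full names and name tokens of everyone except the requester.

    Longest strings first so 'Dana Lopez' is replaced before 'Dana'. Tokens
    shorter than three characters are skipped so initials are not matched
    everywhere, and tokens shared with the requester's name are kept.
    """
    requester_tokens = set(parties.get(requester_email, "").lower().split())
    names = set()
    for addr, name in parties.items():
        if addr == requester_email or not name:
            continue
        names.add(name)
        names.update(t for t in name.split()
                     if len(t) >= 3 and t.lower() not in requester_tokens)
    return sorted(names, key=len, reverse=True)


def redact_chain(chain: str, requester_email: str):
    """Return (redacted_text, report). The report goes in the DSAR register."""
    requester_email = requester_email.lower()
    parties = collect_parties(chain)
    report = {"emails_redacted": 0, "names_redacted": {}}

    def keep_or_redact(match):
        addr = match.group(0)
        if addr.lower() == requester_email:
            return addr  # the requester's own data is exactly what they asked for
        report["emails_redacted"] += 1
        return EMAIL_MARK

    # Addresses first, so a name token never matches inside an address.
    out = EMAIL_RE.sub(keep_or_redact, chain)
    for name in third_party_names(parties, requester_email):
        pattern = r"\b" + re.escape(name) + r"\b"
        out, count = re.subn(pattern, NAME_MARK, out, flags=re.IGNORECASE)
        if count:
            report["names_redacted"][name] = count
    return out, report


if __name__ == "__main__":
    text, summary = redact_chain(SAMPLE_CHAIN, "sam@customer.example")
    print(text)
    print(summary)
```

Treat the result as a draft: first names collide with ordinary words, people sign off with nicknames or misspellings the header list never sees, and an over-eager pattern can strip the requester's own data, which is the one thing you must not redact. A human reviews the output against the unredacted original before anything is sent.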
Step 7 — Respond
Provide the response securely: a password-protected file, a secure upload link, or encrypted email, sent only to the address or account you verified in Step 2, with any password delivered through a separate channel. Include a cover letter explaining what categories of data you've provided, what you've withheld and why, and how the individual can complain to your supervisory authority if they're unhappy.
Step 8 — Close and archive
Record the outcome in your DSAR log: date of response, what was provided, any exemptions applied, and whether the extension was used. Keep this record for at least three years.
When Can You Refuse?
You can refuse a DSAR in limited circumstances, specifically if it's "manifestly unfounded or excessive" (Article 12(5)), and the burden of demonstrating that is on you. This is a high bar; regulators are sceptical of blanket refusals on these grounds. Article 12(5) also lets you charge a reasonable fee based on your administrative costs instead of refusing. If you refuse, you must tell the individual in writing within one month and explain their right to complain to the supervisory authority and to seek a judicial remedy.
What About Staff DSARs?
Former employees making DSARs is one of the most common patterns in practice, particularly in contentious situations such as a grievance or a dispute over dismissal. The same rules apply: one month, a reasonable search, provide what you hold, apply legitimate exemptions. The fact that the person is a former employee, or is in dispute with you, does not change their rights.
Note that performance review documents, disciplinary notes, and HR correspondence are all personal data that a former employee can request access to.
Set up an email alias like privacy@yourdomain.com that routes to whoever handles compliance. Even if that's just you, having a dedicated channel makes it much harder to accidentally lose a DSAR in a generic inbox. Remember that a request sent to any other address, or made to any member of staff, still counts and still starts the clock.
Building a Repeatable Process
The companies that handle DSARs well aren't the ones that scramble each time — they're the ones with a defined process written down in advance. At minimum, you need:
- A log or register where every DSAR is recorded with its deadline
- A list of every system that holds personal data (your RoPA is the starting point)
- A response template that covers the required information
- Clarity on who is responsible for coordinating the response internally
Our DSAR module handles all of this automatically — logging requests, tracking deadlines, assigning tasks to the right team members, and maintaining a complete audit trail of every action taken.