
How to Create an Effective DSAR Response Process

The cornerstone of many new privacy regulations, and therefore the source of many of the struggles that companies face, is the individual's right to request access to the information a business or organization holds about them.

Privacy, as a topic, is very much in focus right now. Regulations like the EU's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA) in the U.S. have already had a major impact on organizations, and the CCPA only came into effect on 1 January 2020.

At the core of these regulations, and the source of many organizational challenges, are individual requests for access to personal data. Regulators are already enforcing the transparency obligations that sit alongside that right. London-based pharmacy Doorstep Dispensaree became the first organization fined by the UK Information Commissioner's Office under GDPR: a £275,000 penalty in December 2019, principally for leaving roughly 500,000 documents containing patient data in unlocked containers, with the penalty notice also finding that it had failed to give data subjects the privacy information required by Articles 13 and 14.

What is a DSAR (Data Subject Access Request)?

A key feature of privacy regulations is that they allow individuals to access the personal data organizations hold about them. These requests, known as Data Subject Access Requests (DSARs), oblige the organization to produce a copy of that data together with supporting details such as the purposes of processing and the recipients it has been shared with (GDPR Article 15). The same regulations give the individual related rights, such as rectification and erasure, so a DSAR is often the first step before a deletion request.

In the EU, many companies are still catching up with GDPR compliance. While they understand the need to avoid significant fines (up to €20 million or 4% of annual global turnover, whichever is higher), many lack a complete data inventory or a defined workflow to handle DSARs. In the U.S., organizations have some time before the California Attorney General begins enforcing the CCPA on 1 July 2020, but they must begin building robust data inventories now. Without a comprehensive data inventory you cannot know which systems to search, so complying with privacy laws is nearly impossible.

Once a data inventory is in place, organizations can follow these steps to fulfill a DSAR. The clock starts at receipt: GDPR requires a response within one month, extendable by up to two further months for complex or numerous requests (Article 12(3)), and the CCPA allows 45 days, extendable once by a further 45.

Step 1 – Identify the Data Subject’s Identity

Considerations:

  • How is the individual making the request?
  • How will you verify their identity?
  • Can the process be automated?

Organizations must ensure each request is legitimate: a fraudulent DSAR is a cheap way for an attacker to obtain someone else's personal data, and a data breach caused by answering one is still your breach. Identity verification can involve confirming details already on the account, account security questions, validating government-issued IDs, or organization-specific data such as banking details. Keep it proportionate to the sensitivity of the data: GDPR Article 12(6) lets you ask for additional information only where you have reasonable doubts about identity, so do not demand a passport for a low-risk request and do not retain the verification evidence longer than needed. Under UK ICO guidance, the response deadline runs from the day you receive any information you reasonably needed to confirm identity, so ask for it promptly and record when it arrived.

Step 2 – Confirm the Request and Route It

To route the request correctly, you must clearly understand what information is being requested. If the scope is unclear, ask the individual and record the answer; do not narrow the request on their behalf. Then direct the request to the appropriate team, whether a dedicated DSAR team or the department responsible for the systems involved, and log the date received, the deadline and the identity-verification outcome with it.

Step 3 – Gather the Necessary Information

Considerations:

  • Is your data inventory up to date?
  • How will you collect data from all enterprise systems?

If your organization has an up-to-date data inventory and tools that integrate with systems like Office 365 or Gmail, this step can be efficient. Search each system by every identifier the inventory maps to the subject (email address, customer ID, phone number), not just the one the requester supplied, and record which systems were searched and how many records each returned; that record is what you will rely on if the completeness of the response is later challenged. Without such tools, requests often require manual coordination with IT, increasing time and effort.

Step 4 – Review and Package the Data

Considerations:

  • How will you redact sensitive or third-party PII?
  • Does your process align with legal and regulatory obligations?
  • Can you format the data as requested?

This is often the most resource-intensive step. The collected data must be reviewed to ensure accuracy and to remove material that is exempt from disclosure, most commonly another person's personal data that cannot be released without their consent (GDPR Article 15(4)) and legally privileged material. Redact on the exported copy, never on the system of record, and check afterwards that nothing about the requester themselves has been dropped along with the redactions.

Step 5 – Add Supporting Information

Providing documentation that confirms all requested data has been delivered can help protect your organization. A manifest listing each system searched, the number of records returned from it, and a cryptographic hash of each file delivered creates an audit trail in case of future disputes or litigation, because it lets you prove later exactly what was sent. A well-maintained data inventory makes this manifest straightforward to produce.

Step 6 – Deliver the Data Securely

Considerations:

  • Can you deliver the data securely?
  • How will you notify the data subject?
  • Do you have a process to formally close the request?

Once reviewed, the data should be securely delivered, either through a secure portal or as an encrypted transfer whose decryption key or download link is sent out of band to the contact details you verified in step 1, never to an address supplied only in the request. Refuse to send the package over unencrypted email, even when the requester asks for it. Record the delivery date against the statutory deadline, then formally close the request and notify the relevant internal teams so that no one continues working on, or holds copies of, the collected data.
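The six steps above are a sequence whose order matters for security: nothing should be searched before identity is verified, nothing should leave before third-party data is redacted, and the delivery must be recorded against the deadline. The following is an added example, not code from the original post or from any product it mentions, showing one way to enforce that ordering in a small workflow object. The data inventory, the system records, the identifiers and the request IDs are all constructed for illustration; a real deployment would replace the `SYSTEMS` dictionary with connectors to the actual systems of record.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Callable

Stage = Enum("Stage", "RECEIVED VERIFIED COLLECTED REVIEWED PACKAGED CLOSED")

# Constructed (hypothetical) data inventory: which identifier locates the
# subject in each system, and which fields there belong to someone else.
INVENTORY = {
    "crm":     {"key": "email",       "third_party": {"account_manager_email"}},
    "billing": {"key": "customer_id", "third_party": set()},
    "support": {"key": "email",       "third_party": {"agent_name"}},
}

# Constructed records standing in for what each system connector returns.
SYSTEMS = {
    "crm":     [{"email": "alice@example.com", "name": "Alice",
                 "account_manager_email": "bob@corp.example"}],
    "billing": [{"customer_id": "C-1001", "plan": "pro"},
                {"customer_id": "C-1002", "plan": "free"}],      # someone else's
    "support": [{"email": "alice@example.com", "ticket": 42,
                 "agent_name": "Dave", "body": "cannot log in"}],
}

SECURE_CHANNELS = {"secure_portal", "encrypted_transfer"}


def one_month_after(d: date) -> date:
    """GDPR Art. 12(3) deadline as the ICO counts it: the same day next month,
    or that month's last day if it is shorter. Weekend/holiday roll-over and
    the two-month extension for complex requests are not modelled here."""
    y, m = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    ny, nm = (y + 1, 1) if m == 12 else (y, m + 1)
    last_day = (date(ny, nm, 1) - timedelta(days=1)).day
    return date(y, m, min(d.day, last_day))


@dataclass
class DSAR:
    request_id: str
    received: date
    subject: dict                       # identifiers the requester claims
    stage: Stage = Stage.RECEIVED
    records: dict = field(default_factory=dict)
    manifest: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # audit trail of every transition

    @property
    def deadline(self) -> date:
        return one_month_after(self.received)

    def _require(self, stage: Stage) -> None:
        if self.stage != stage:
            raise RuntimeError(f"{self.request_id}: needs {stage.name}, is {self.stage.name}")

    def _advance(self, stage: Stage, note: str) -> None:
        self.stage = stage
        self.log.append((stage.name, note))

    # Step 1: nothing is searched until the claimed identity passes a check
    # (for example a match against account details) supplied by the caller.
    def verify_identity(self, check: Callable[[dict], bool], method: str) -> bool:
        self._require(Stage.RECEIVED)
        if not check(self.subject):
            self.log.append(("VERIFY_FAILED", method))
            return False
        self._advance(Stage.VERIFIED, method)
        return True

    # Step 3: per system, keep only rows keyed to the verified subject; copy
    # them so later redaction never touches the system of record.
    def collect(self) -> dict:
        self._require(Stage.VERIFIED)
        for system, meta in INVENTORY.items():
            wanted = self.subject.get(meta["key"])
            self.records[system] = [dict(r) for r in SYSTEMS[system]
                                    if wanted is not None and r.get(meta["key"]) == wanted]
        self._advance(Stage.COLLECTED, f"{sum(map(len, self.records.values()))} records")
        return self.records

    # Step 4: redact the third-party fields the inventory names for each system.
    def review(self) -> dict:
        self._require(Stage.COLLECTED)
        for system, rows in self.records.items():
            for row in rows:
                for f in INVENTORY[system]["third_party"].intersection(row):
                    row[f] = "[REDACTED: third-party personal data]"
        self._advance(Stage.REVIEWED, "third-party fields redacted")
        return self.records

    # Step 5: a manifest with a SHA-256 per system is the evidence of what went out.
    def package(self) -> dict:
        self._require(Stage.REVIEWED)
        for system, rows in self.records.items():
            blob = json.dumps(rows, sort_keys=True).encode()
            self.manifest[system] = {"count": len(rows),
                                     "sha256": hashlib.sha256(blob).hexdigest()}
        self._advance(Stage.PACKAGED, f"{len(self.manifest)} systems in manifest")
        return self.manifest

    # Step 6: refuse unencrypted channels, record lateness, close the request.
    def deliver(self, channel: str, sent_on: date) -> dict:
        self._require(Stage.PACKAGED)
        if channel not in SECURE_CHANNELS:
            raise ValueError(f"refusing insecure channel {channel!r}")
        late = sent_on > self.deadline
        self._advance(Stage.CLOSED, f"delivered via {channel} on {sent_on}, late={late}")
        return {"request_id": self.request_id, "deadline": self.deadline.isoformat(),
                "late": late, "manifest": self.manifest, "log": list(self.log)}
```

The `_require` gate is the point of the design: calling `collect()` on a request that has not passed `verify_identity()` raises instead of silently searching, and `deliver()` refuses any channel outside `SECURE_CHANNELS` regardless of what the requester asked for. Note that the billing row for `C-1002` is never returned even though it sits in the same table, and that redaction happens on copies, so the CRM record itself still holds the account manager's address afterwards.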