Definition of Data Subject Access Request (DSAR)
A data subject access request (DSAR) is a formal request made by an individual to a company, asking for access to the personal data that the company holds about them. DSAR requirements vary based on the regulation, but in general terms, they provide individuals with the right to access, correct, and port their data, as well as opt out of the collection process and request that the data be deleted.
The DSAR process is a fundamental aspect of privacy rights. Companies are required to provide a transparent overview of the personal data being processed.
Understanding DSAR
Data privacy regulations introduced in recent years have given individuals more control over their personal information. Their rights include knowing what data companies hold about them and why through a provision called a data subject access request. Employees of enterprises that handle private information should understand how a DSAR might impact operations.
Individual access rights have long been recognized as a key mechanism for individuals to learn what type of data organizations process about them. The European Union’s General Data Protection Regulation (GDPR) expanded these rights, referring to individuals as “data subjects”, hence the DSAR terminology. Since then, similar rights have been incorporated into other privacy laws, including the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act (CPA).
Why Data Subject Access Requests are important
Data subject access requests are a fundamental component of modern data privacy laws, such as the GDPR and CCPA, and a key element of maintaining compliance and protecting individuals' privacy. However, the importance of DSARs extends beyond compliance. DSARs are pivotal for building trust with customers by demonstrating a commitment to data transparency and protection.
DSARs and GDPR compliance
Data subject access requests are a core requirement of the General Data Protection Regulation (GDPR), which grants individuals greater control over their personal data. Under GDPR, individuals have the right to obtain confirmation as to whether their personal data is being processed, access to that data, and details about how and why it is being used.
GDPR requires certain organizations to appoint a data protection officer (DPO) who is responsible for monitoring compliance. Since DPO contact details must be available for data subjects, this individual may also assist with handling DSARs.
The data protection officer can be an in-house employee or someone appointed externally. However, in either case, they must be an expert in data protection who acts independently. Note that GDPR allows multiple organizations to share the same DPO.
Complying with DSARs is essential for demonstrating GDPR compliance. Organizations must respond to DSARs without undue delay and within one month of receipt, providing a copy of the requested data in a commonly used electronic format. Failure to respond appropriately can result in significant fines—up to €20 million or 4% of annual global turnover, whichever is higher.
DSARs and other regulations
The breadth of global data privacy regulations that grant individuals the right to access their personal data (i.e., support DSARs) demonstrates the importance of this right across the world. The following are examples of regulations that require organizations to have a process in place for responding to a DSAR or similar request.
United States
- Delaware Personal Data Privacy Act
- Montana Consumer Data Privacy Act
- Nevada Privacy Law (SB 220)
- Texas Data Privacy and Security Act (TDPSA)
- Utah Consumer Privacy Act (UCPA)
Canada
Mexico
- Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP)
Europe (Non-European Union)
- Liechtenstein Data Protection Act
- Norwegian Personal Data Act
- Swiss Federal Act on Data Protection (FADP)
Asia-Pacific
- Australian Privacy Act
- India Digital Personal Data Protection Act (DPDPA)
- New Zealand Privacy Act
- Philippines Data Privacy Act
- South Korea Personal Information Protection Act (PIPA)
Middle East and Africa
- Nigeria Data Protection Regulation (NDPR)
- South Africa Protection of Personal Information Act (POPIA)
- United Arab Emirates Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data
Which parties can submit a DSAR?
Anyone whose personal information is being processed by the controller organization can submit a data subject access request, including customers, employees, and vendors. Authorized agents, such as parents, guardians, and legal representatives, can also submit a DSAR on behalf of the subject.
How do you submit a DSAR?
To submit a data subject access request, an individual should follow these general steps.
Step one: Find the DSAR recipient
Identify the data controller organization that holds their personal data. This can usually be found in an organization's privacy notice or data protection contact information.
Step two: Prepare the DSAR
The key points to include in a DSAR are a clear statement that the communication is a DSAR and the specific data being requested. In some cases, the organization may also ask you to provide valid proof of identity so that it can verify the request and prevent unauthorized access to personal data.
Step three: Choose a submission method
The three primary methods for submitting a DSAR are:
1. Email via an organization's dedicated privacy or legal email address
2. Web forms or online DSAR portals
3. In writing by mail
Once the DSAR has been submitted, the organization should acknowledge receipt of your request and may ask for additional verification. Always retain a copy of your request and any correspondence for your records, ensuring that dates are accurately recorded.
DSAR response process
As part of organizational preparedness to comply with privacy regulations, enterprises must implement a process and workflow so responses can be provided in a timely manner. The following are the recommended steps.
Establish processes to receive DSARs
Establishing processes to receive and manage data subject access requests is essential for regulatory compliance and operational efficiency. Key elements include the following.
- Designate a DSAR point of contact (e.g., data protection officer, privacy team member, or compliance officer) to handle DSAR intake and coordination.
- Set up DSAR submission channels, such as a dedicated DSAR or privacy email address, a portal, a web form, and a mailing address, and make them easily accessible.
- Create a standardized DSAR form that collects the requester's identity and contact information and a description of the data requested.
- Implement steps to verify the identity of the requester before fulfilling a DSAR and match contact details to internal records.
- Define internal workflows for:
  - Acknowledging receipt
  - Locating and compiling data across systems
  - Reviewing and redacting sensitive third-party data
  - Responding within legal timeframes
- Educate relevant departments (e.g., customer service, IT, HR) on how to recognize, escalate, and respond to DSARs.
- Maintain records by logging all DSARs and responses to demonstrate compliance and monitor trends.
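The intake workflow above (acknowledge, verify identity, compile, redact, respond within the legal timeframe, and log everything) can be enforced in code rather than left to convention. The following is an added example, not SailPoint's code or a product feature: a small tracker that refuses to compile data before the requester's identity has been verified, computes the response deadline using the one-month GDPR rule quoted earlier, flags overdue requests, and appends an audit entry for every step. The stage names, the actors and the sample request are assumptions made for the example.

```python
"""DSAR intake and workflow tracker (added example, not SailPoint's code).

Stages follow the intake workflow described on the page. Identity verification
must precede data compilation, every transition is logged, and the deadline is
one month from receipt as under GDPR. Stage names, actors and the sample
request are assumptions made for this example.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from enum import Enum


class Stage(str, Enum):
    RECEIVED = "received"
    ACKNOWLEDGED = "acknowledged"
    VERIFIED = "identity_verified"
    COMPILED = "data_compiled"
    REDACTED = "third_party_data_redacted"
    DELIVERED = "delivered"
    REFUSED = "refused"


# Permitted transitions. Verification sits before compilation so that an
# unverified requester never triggers a search for someone's records.
ALLOWED = {
    Stage.RECEIVED: {Stage.ACKNOWLEDGED},
    Stage.ACKNOWLEDGED: {Stage.VERIFIED, Stage.REFUSED},
    Stage.VERIFIED: {Stage.COMPILED, Stage.REFUSED},
    Stage.COMPILED: {Stage.REDACTED},
    Stage.REDACTED: {Stage.DELIVERED},
}
CLOSED = {Stage.DELIVERED, Stage.REFUSED}


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


def add_one_month(d):
    """Same calendar day in the next month, clamped to that month's last day
    (31 January -> 28/29 February)."""
    d = _as_date(d)
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class Dsar:
    request_id: str
    requester_contact: str
    received_on: date
    stage: Stage = Stage.RECEIVED
    audit_log: list = field(default_factory=list)

    @classmethod
    def from_iso(cls, request_id, requester_contact, received_iso):
        return cls(request_id, requester_contact, date.fromisoformat(received_iso))

    @property
    def due_on(self):
        return add_one_month(self.received_on)

    def days_remaining(self, today):
        return (self.due_on - _as_date(today)).days

    def advance(self, new_stage, actor, note="", when=None):
        """Move to the next stage, rejecting out-of-order steps, and record who did it."""
        if new_stage not in ALLOWED.get(self.stage, set()):
            raise ValueError(f"{self.request_id}: {self.stage.value} -> {new_stage.value} is not allowed")
        when = when or datetime.now(timezone.utc)
        self.audit_log.append({"at": when.isoformat(), "from": self.stage.value,
                               "to": new_stage.value, "by": actor, "note": note})
        self.stage = new_stage


def overdue(requests, today):
    """IDs of open requests whose statutory deadline has passed."""
    today = _as_date(today)
    return [r.request_id for r in requests if r.stage not in CLOSED and today > r.due_on]


def demo_workflow():
    """Run one constructed request end to end and return a summary."""
    r = Dsar.from_iso("DSAR-2024-0001", "alice@example.test", "2024-01-31")
    r.advance(Stage.ACKNOWLEDGED, "privacy-inbox", "automatic acknowledgement sent")
    r.advance(Stage.VERIFIED, "privacy-team", "account login plus one-time code matched")
    r.advance(Stage.COMPILED, "it-ops", "CRM, ticketing and mail archive searched")
    r.advance(Stage.REDACTED, "privacy-team", "third-party details removed from two tickets")
    r.advance(Stage.DELIVERED, "privacy-team", "encrypted package published to portal")
    return {"stage": r.stage.value, "due_on": r.due_on.isoformat(),
            "log_entries": len(r.audit_log)}


if __name__ == "__main__":
    print(demo_workflow())
```

The transition table is the control that matters: a request received on 31 January is due on 29 February (the clamp handles short months), and an attempt to jump from "acknowledged" straight to "data_compiled" raises instead of silently proceeding, which is the kind of out-of-order handling a mock DSAR drill should try to provoke.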
Verify the identity of the DSAR submitter
Since anyone can submit a DSAR, it is important to ensure that the requester is entitled to that information by law. Additionally, the person's identity must be authenticated to confirm that the request is not fraudulent, for example, due to identity theft.
Existing account verification
One way to verify and authenticate the requestor is through the same methods used to collect the data. This may be a member or subscriber account that includes a username or email address, multi-factor authentication such as a code sent to an authenticator app or email, and security questions that the user provided when opening the account. Some organizations also choose to ask for a copy of an official document, such as a passport or national identification card.
Third-party verification
When the DSAR comes from a third party, the responding organization must first verify that this person is authorized to act on behalf of the data subject. The third-party agent must provide proof, including their own identity and the ability to represent the subject.
Collect applicable data
Companies may be storing the requested data across multiple locations and in various formats, including paper records and unstructured files. As part of organizational privacy compliance preparedness, fundamental practices, including data governance, must be implemented to help streamline and automate the DSAR workflow. Understanding the kind of data collected (including structured and unstructured), where it is stored, and how it is handled enables more efficient compliance.
Deliver DSAR results
The DSAR results need to be delivered in a format that's readable and readily accessible. Depending on the regulation, this could range from verbal delivery to a self-service portal where the information can be downloaded. GDPR states that if the request is electronic, then the delivery must also be electronic unless the person specified otherwise.
DSAR response best practices
Establish data minimization and classification policies
Adopt data minimization practices to reduce the amount of personal data stored. Additionally, classify data by type and sensitivity.
Use access controls
Limit who within the organization can access or process DSAR-related data. Ensure only authorized personnel are involved in compiling or reviewing personal information to avoid internal data leakage or misuse.
Integrate DSAR tracking into privacy governance
Incorporate DSAR metrics (e.g., volume, response time, and request type) into broader data privacy and compliance reporting. This helps monitor trends, identify gaps, and support audits.
Prepare for edge cases
Create guidance for less common scenarios, such as:
- Requests involving minors or deceased individuals
- Requests that conflict with other legal obligations (e.g., ongoing investigations)
- Requests involving joint data controllers
Secure the DSAR response packages
Ensure all DSAR responses are securely transmitted. Use encryption, password protection, or secure download portals to minimize the risk of exposing sensitive data.
Maintain transparency with requestors
If a DSAR is denied, delayed, or partially fulfilled, clearly explain the reasons to the requester and reference applicable legal exceptions.
Conduct regular DSAR simulations
Perform mock DSAR drills to test your team's readiness, identify inefficiencies, and refine the workflow under realistic conditions. Include stakeholders from legal, IT, and compliance.
Common challenges in handling DSAR requests
As noted earlier, efficiently complying with DSAR requirements requires enterprises to have robust data governance processes in place. Without these processes, common barriers that organizations encounter include the following.
- Locating all relevant data across systems (e.g., cloud, on-premises, and third-party apps)
- Identifying personal data within unstructured formats, such as emails, documents, and chat logs
- Verifying the requester's identity
- Handling third-party data to ensure privacy (e.g., redacting sensitive information that is not related to a DSAR)
- Lack of standardized processes
- High volume of requests
- Meeting tight regulatory deadlines
- Ensuring data accuracy and completeness
- Managing DSAR costs, especially when fulfilling complex or frequent requests
- Balancing transparency with legal obligations
Reasons to refuse a DSAR
Laws typically allow organizations to refuse a request, even if it's legitimate. Some circumstances that may warrant refusal include:
- A "manifestly excessive request" (e.g., responding would require excessive resources that are disproportionate to other DSAR burdens)
- Inability to verify the requestor using reasonable means
- Malicious intent (e.g., with the purpose of harassing or overburdening the organization or specific employees)
- Compliance with other laws (e.g., national security restrictions)
When organizations refuse to comply with a DSAR, the requester must be informed of the reason and provided with information on how to dispute the refusal.
Charging a "reasonable fee" for a DSAR
Usually, regulations state that a fee can't be charged for fulfilling information requests. However, some allow "reasonable" fees for administrative costs in certain situations, including:
- Repetitive requests—If an individual submits multiple DSARs within a short period and the requests are clearly excessive or duplicative.
- Manifestly unfounded or excessive requests—If a request has no legitimate basis, is intended to harass the organization, or places an unreasonable burden on resources.
Note that the fee may only cover the actual administrative cost of gathering, copying, or delivering the data (e.g., printing, postage, or time spent redacting sensitive third-party information).
Automation and technology in DSAR management
Automation and technology can significantly enhance DSAR management and streamline related operations. Several examples include the following.
- Automated intake and tracking, such as web forms or DSAR portals, to standardize submissions, confirm receipt, and track progress in real time.
- Identity verification tools that integrate authentication methods to validate requesters securely and efficiently.
- AI-powered data discovery and classification to locate, identify, and classify personal data across systems and storage locations.
- Natural language processing (NLP) to scan unstructured data (e.g., emails and documents) for relevant personal information.
- Workflow orchestration platforms that can coordinate tasks across legal, IT, and compliance teams using predefined workflows, reducing delays and manual errors.
- Automated redaction tools to remove third-party or sensitive data while maintaining context and compliance.
- Automated response generation that creates reports or data packages in standardized, user-friendly formats (e.g., PDF, CSV) for delivery.
- Audit logging and compliance reporting that maintain detailed logs of request handling to demonstrate compliance during audits or regulatory reviews.
- Scalability for high request volumes, enabling consistent and timely DSAR responses even during spikes in demand by reducing manual workload.
- Integration with privacy and data governance platforms that can connect DSAR workflows with broader privacy management systems for unified oversight and reporting.
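Two of the items above, scanning unstructured data for personal information and redacting third-party data before delivery, are also the challenges named earlier (identifying personal data in emails and chat logs, and removing sensitive information that is not the requester's). The following is an added example, not SailPoint's or any vendor's code, of the core of such a step: it scans constructed sample lines (a support email and a chat-log excerpt) for email addresses and phone numbers, keeps the identifiers that belong to the requester or to the organization itself, and redacts everyone else's. The patterns, the requester, the sample lines and the redaction marker are assumptions made for the example; production discovery tools detect many more identifier types (names, postal addresses, account and document numbers).

```python
"""Find personal identifiers in unstructured text and redact third parties
(added example, not SailPoint's or any vendor's code).

Given one requester, scan each line, keep the requester's own identifiers and
the organization's own contact address, and replace every other identifier
with a marker before the text goes into the response package. Patterns,
requester, sample lines and marker are assumptions made for this example.
"""
import re

# Deliberately narrow detectors; real discovery tooling covers far more.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+?\d{1,3}[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}(?!\d)"),
}

# Constructed sample: the requester (Alice) wrote to support and mentioned a colleague.
SAMPLE_LINES = [
    "From: alice.requester@example.test To: support@example.test",
    "Subject: billing issue for account 4471",
    "Hi, please also CC my colleague bob.other@example.test, he can be reached at 555-123-4567.",
    "[2024-03-02 10:15] agent: Thanks Alice, your callback number 555-987-6543 is on file.",
]
REQUESTER_IDS = [("email", "alice.requester@example.test"), ("phone", "555-987-6543")]
ORG_IDS = [("email", "support@example.test")]  # the organization's own address, not a third party


def normalize(kind, value):
    """Canonical form for comparison: digits only for phones, lower-case for email."""
    return re.sub(r"\D", "", value) if kind == "phone" else value.lower()


def find_identifiers(text):
    """Every (kind, value) found in the text, in pattern order."""
    return [(kind, m.group(0)) for kind, pat in PATTERNS.items() for m in pat.finditer(text)]


def redact_third_parties(text, keep_ids):
    """Replace identifiers not in keep_ids with a marker; returns (text, number_redacted)."""
    keep = {normalize(k, v) for k, v in keep_ids}
    count = 0

    def make_repl(kind):
        def repl(m):
            nonlocal count
            if normalize(kind, m.group(0)) in keep:
                return m.group(0)
            count += 1
            return f"[REDACTED-{kind}]"
        return repl

    for kind, pat in PATTERNS.items():
        text = pat.sub(make_repl(kind), text)
    return text, count


def prepare_package(lines, keep_ids):
    """Scan and redact each line; 'found' is the list a human reviewer checks."""
    found, out, redactions = [], [], 0
    for n, line in enumerate(lines, 1):
        found.extend((n, kind, value) for kind, value in find_identifiers(line))
        redacted, c = redact_third_parties(line, keep_ids)
        out.append(redacted)
        redactions += c
    return {"lines": out, "found": found, "redactions": redactions}


if __name__ == "__main__":
    result = prepare_package(SAMPLE_LINES, REQUESTER_IDS + ORG_IDS)
    print("\n".join(result["lines"]))
    print(f"{result['redactions']} third-party identifiers redacted, "
          f"{len(result['found'])} identifiers found in total")
```

On the sample, Bob's address and number are replaced while Alice's email and callback number survive, and the organization's support address is kept through the explicit allowlist rather than by accident. The "found" list is returned alongside the redacted text so that the manual review step in the workflow has something concrete to check, since automated redaction is a first pass and not a substitute for that review.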
Be ready for a DSAR
The best way to prepare for DSAR requirements is by understanding the data. Managing and gaining visibility into unstructured data, in particular, is a significant challenge, yet this is extremely important because the majority of data held by a typical organization is unstructured. As enterprises continue to collect vast volumes of information, solving this challenge will grow increasingly difficult.
DISCLAIMER: THE INFORMATION CONTAINED IN THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY, AND NOTHING CONVEYED IN THIS DOCUMENT IS INTENDED TO CONSTITUTE ANY FORM OF LEGAL ADVICE. SAILPOINT CANNOT GIVE SUCH ADVICE AND RECOMMENDS THAT YOU CONTACT LEGAL COUNSEL REGARDING APPLICABLE LEGAL ISSUES.