DSAR Compliance Checklist: How to Respond to Data Subject Access Requests
Responding to a DSAR is a structured legal process with specific requirements at each stage. Miss a step and you risk regulatory enforcement. This checklist covers everything from intake to delivery.
Step 1: Recognise and log the request
A DSAR can arrive through any channel — email, letter, phone call, web form, social media, or even in conversation. It does not need to mention "DSAR" or cite legislation. Any request that clearly asks for access to personal data counts. Train all public-facing staff to recognise access requests and route them to your designated response team immediately.
Log the date of receipt — this starts the clock. Under GDPR and UK GDPR, you have one calendar month. Under CCPA, 45 calendar days. If you need to clarify the scope of the request, the clock pauses until clarification is received (GDPR only).
Step 2: Verify identity
You must be reasonably certain the requester is who they claim to be before disclosing personal data. The level of verification should be proportionate to the sensitivity of the data and the confidence you already have in the person's identity.
For existing customers or employees, matching the request to a known email address or account may be sufficient. For unknown requesters, you may ask for government-issued ID. Do not request more information than necessary — excessive verification requirements can be treated as obstruction by regulators.
Step 3: Locate all personal data
Search every system where the individual's data might reside. This typically includes email systems (Outlook, Gmail), HR platforms, CRM systems, file storage (SharePoint, Google Drive), chat platforms (Teams, Slack), databases, backup systems, and paper records. The search must be thorough — regulators have penalised organisations for incomplete searches.
Maintain a record of which systems were searched and when. This forms part of your audit trail.
Step 4: Review and apply exemptions
Not all data needs to be disclosed. Exemptions include legal professional privilege (communications with lawyers for legal advice), crime prevention data where disclosure would prejudice an investigation, management forecasting data (UK GDPR specific), and third-party data where disclosure would identify another individual. Each exemption must be assessed individually and documented with reasoning.
Step 5: Redact third-party personal data
This is typically the most time-consuming step. Every document in the response must be reviewed for personal data belonging to individuals other than the data subject. Names, email addresses, phone numbers, addresses, employee IDs, and any other identifying information of third parties must be permanently removed.
For large data exports — thousands of emails, attachments, and transcripts — manual redaction is impractical. SafeRedact Enterprise handles this at scale: upload the data export, name the data subject, and the system preserves their PII while redacting all third-party data across up to 25,000 files. See our detailed DSAR redaction guide.
Redaction must be permanent. Drawing black boxes over text in a PDF editor does not constitute redaction — the underlying data can be recovered by copying and pasting. Use a tool that destroys the underlying data, not one that merely obscures it.
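As an added illustration (not SafeRedact's code and not from this page), the following Python routine shows what "preserve the data subject's PII, redact everyone else's" means in the text itself, together with the check worth running before delivery. The PII patterns, the sample HR email, every name, address and number in it, and the list of third-party names are all constructed for the example. Values are replaced with tokens rather than covered, so the originals are not in the output; `find_leaks` is meant to be run over the text you can actually extract from the delivered file (for a PDF, the text layer), which is exactly where an overlay-only redaction fails.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical pattern set for the identifiers the sample below contains (email addresses,
# UK-style phone numbers, an EMP-nnnnn staff ID). A real deployment needs its own set.
PII_PATTERNS: Dict[str, re.Pattern] = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"(?:\+44\s?|0)(?:7\d{3}\s?\d{6}|20\s?\d{4}\s?\d{4})"),
    "employee_id": re.compile(r"EMP-\d{5}"),
}

def normalize(category: str, value: str) -> str:
    """Canonical form, so '+44 7700 900456' and '07700 900456' compare equal."""
    if category == "email":
        return value.lower()
    if category == "phone":
        digits = re.sub(r"\D", "", value)
        return "0" + digits[2:] if digits.startswith("44") else digits
    return value

def _name_variants(names: Iterable[str]) -> Set[str]:
    """Full name plus each part of it: 'Priya Shah' -> {'Priya Shah', 'Priya', 'Shah'}."""
    variants: Set[str] = set()
    for full in names:
        variants.add(full)
        variants.update(part for part in full.split() if len(part) > 2)
    return variants

def name_pattern(third_party_names: Iterable[str], subject_names: Iterable[str]) -> re.Pattern:
    """Regex for known third-party names, minus any form shared with the data subject."""
    variants = _name_variants(third_party_names) - _name_variants(subject_names)
    ordered = sorted(variants, key=len, reverse=True)   # longest first, so full names win
    if not ordered:
        return re.compile(r"(?!x)x")                     # never matches
    return re.compile(r"\b(?:" + "|".join(map(re.escape, ordered)) + r")\b")

def _allowlist(subject: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    return {cat: {normalize(cat, v) for v in subject.get(cat, [])} for cat in PII_PATTERNS}

def redact(text: str, subject: Dict[str, List[str]], third_party_names: List[str]):
    """Replace third-party PII in the text itself, keeping the data subject's own values.
    Returns (redacted_text, redactions_by_category, preserved_count) for the audit trail."""
    allow = _allowlist(subject)
    counts = {cat: 0 for cat in PII_PATTERNS}
    preserved = 0

    def replacer(cat: str):
        def _sub(m: re.Match) -> str:
            nonlocal preserved
            if normalize(cat, m.group()) in allow[cat]:
                preserved += 1
                return m.group()              # the data subject's own value stays
            counts[cat] += 1
            return f"[REDACTED:{cat}]"        # value is gone, not covered
        return _sub

    for cat, pat in PII_PATTERNS.items():     # identifiers first, names afterwards
        text = pat.sub(replacer(cat), text)
    names = name_pattern(third_party_names, subject.get("name", []))
    text, counts["name"] = names.subn("[REDACTED:name]", text)
    return text, counts, preserved

def find_leaks(text: str, subject: Dict[str, List[str]], third_party_names: List[str]) -> List[Tuple[str, str]]:
    """Post-redaction check. Feed it the text actually extractable from the delivered file
    (for a PDF, the text layer); anything returned is third-party data still present."""
    allow = _allowlist(subject)
    leaks = [(cat, m.group()) for cat, pat in PII_PATTERNS.items()
             for m in pat.finditer(text) if normalize(cat, m.group()) not in allow[cat]]
    names = name_pattern(third_party_names, subject.get("name", []))
    return leaks + [("name", m.group()) for m in names.finditer(text)]

# Constructed sample: one message from an HR mailbox export. Alex Rivera is the data
# subject; Jordan Blake and Priya Shah are third parties. All names, addresses and
# numbers are fictitious.
SAMPLE_DOC = """\
From: Jordan Blake <jordan.blake@example.com>
To: Alex Rivera <alex.rivera@example.com>
Cc: Priya Shah <priya.shah@example.com>
Subject: Re: Flexible working request (EMP-20417)

Hi Alex,

Priya and I reviewed your request. Please call me on 07700 900123 if you
want to discuss it before Friday. Your record EMP-20417 has been updated,
and Priya's extension is 020 7946 0999 if I am unavailable. Alex, we have
your mobile as 07700 900456 on file; let us know if that has changed.

Jordan Blake, HR Business Partner
"""
SUBJECT = {"name": ["Alex Rivera"], "email": ["alex.rivera@example.com"],
           "phone": ["+44 7700 900456"], "employee_id": ["EMP-20417"]}
THIRD_PARTY_NAMES = ["Jordan Blake", "Priya Shah"]   # e.g. taken from the staff directory

if __name__ == "__main__":
    out, counts, kept = redact(SAMPLE_DOC, SUBJECT, THIRD_PARTY_NAMES)
    print(out)
    print("redacted:", counts, "preserved:", kept)
    # An overlay-only "redaction" leaves the text layer untouched, so extracting text from
    # it yields the original; the same check then flags every third-party value.
    print("overlay only:", len(find_leaks(SAMPLE_DOC, SUBJECT, THIRD_PARTY_NAMES)), "leaks")
    print("replaced text:", len(find_leaks(out, SUBJECT, THIRD_PARTY_NAMES)), "leaks")
```

The per-category counts and the preserved count are what belongs in the Step 8 record; the raw third-party values themselves should not be copied into the audit log. Pattern matching alone will not find every name, which is why the example takes the third-party names from a known list rather than trying to guess them from the text.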
Step 6: Compile the response
The response must include more than just the data. Under GDPR, provide: a copy of the personal data in a commonly used electronic format, the purposes of processing, the categories of data, the recipients or categories of recipients, the retention period, information about the right to rectification and erasure, the right to lodge a complaint, the source of the data (if not collected directly), and whether automated decision-making is used.
Step 7: Deliver securely
Never send personal data via unencrypted email. Use a secure portal, encrypted file transfer, password-protected archive, or registered post. Document the delivery method and date. If delivering electronically, the data should be in a commonly used format — PDF, CSV, or structured data files.
Step 8: Document everything
Maintain a complete audit trail of the DSAR process: date of receipt, verification steps, systems searched, exemptions applied, redactions performed, response compiled, delivery method, and completion date. This documentation is your evidence of compliance if the request is later challenged or audited.
Deadline comparison by regulation
EU GDPR: 1 month, extendable by 2 months. Fines up to €20M or 4% of turnover.
UK GDPR: 1 month, extendable by 2 months. Fines up to £17.5M or 4% of turnover.
CCPA/CPRA: 45 days, extendable by 45 days. Fines up to $7,500/violation.
LGPD (Brazil): 15 days.
PIPEDA (Canada): 30 days.
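An added example, not from this page or from SafeRedact: a Python deadline calculator that combines the response windows in the comparison above with the Step 1 rule that the clock pauses while a clarification request is outstanding. Three things are assumptions of the example rather than statements from the page: a calendar month that lands on a non-existent day is clamped to the last day of the target month, the pause applies to both GDPR variants, and a pause pushes the deadline out by exactly the number of paused days. Confirm all three against your own regulator's guidance.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Response windows as listed in the comparison above. "pauses" encodes the Step 1 rule that
# the clock stops while a clarification is outstanding (GDPR only); applying it to both GDPR
# variants is this example's assumption. LGPD and PIPEDA list no extension on the page.
RULES = {
    "EU GDPR": {"months": 1, "ext_months": 2, "pauses": True},
    "UK GDPR": {"months": 1, "ext_months": 2, "pauses": True},
    "CCPA":    {"days": 45, "ext_days": 45, "pauses": False},
    "LGPD":    {"days": 15, "pauses": False},
    "PIPEDA":  {"days": 30, "pauses": False},
}

def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic. When the target month is shorter (31 Jan + 1 month),
    this example clamps to that month's last day; the convention is an assumption."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class DsarClock:
    regulation: str
    received: date                               # date of receipt logged at intake (Step 1)
    clarification_sent: Optional[date] = None    # day you asked the requester to narrow scope
    clarification_received: Optional[date] = None
    extended: bool = False                       # extension notified to the requester

    def paused_days(self, as_of: date) -> int:
        """Days the clock stood still; an unanswered clarification keeps it paused."""
        if not RULES[self.regulation]["pauses"] or self.clarification_sent is None:
            return 0
        end = self.clarification_received or as_of
        return max(0, (end - self.clarification_sent).days)

    def due_date(self, as_of: Optional[date] = None) -> date:
        rule = RULES[self.regulation]
        as_of = as_of or date.today()
        if "months" in rule:
            due = add_months(self.received, rule["months"])
        else:
            due = self.received + timedelta(days=rule["days"])
        # Assumption: a paused clock simply pushes the deadline out by the paused days.
        due += timedelta(days=self.paused_days(as_of))
        if self.extended:
            if "ext_months" in rule:
                due = add_months(due, rule["ext_months"])
            elif "ext_days" in rule:
                due += timedelta(days=rule["ext_days"])
            else:
                raise ValueError(f"{self.regulation}: no extension listed for this regulation")
        return due

    def days_remaining(self, today: date) -> int:
        return (self.due_date(as_of=today) - today).days

if __name__ == "__main__":
    # Constructed scenario: request received 31 Jan 2024, scope clarified 5-12 Feb.
    gdpr = DsarClock("EU GDPR", date(2024, 1, 31), date(2024, 2, 5), date(2024, 2, 12))
    print("EU GDPR due:", gdpr.due_date(), "remaining on 1 Mar:", gdpr.days_remaining(date(2024, 3, 1)))
    ccpa = DsarClock("CCPA", date(2024, 1, 31), date(2024, 2, 5), date(2024, 2, 12))
    print("CCPA due (no pause):", ccpa.due_date())
    for reg in ("LGPD", "PIPEDA"):
        print(reg, "due:", DsarClock(reg, date(2024, 1, 31)).due_date())
```

Recording `received`, the clarification dates and `extended` in the Step 8 log is enough to recompute the deadline later, which is the question an auditor will ask first.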
Need to process a DSAR?
SafeRedact Enterprise handles bulk document redaction with selective PII preservation and zero data retention.
Learn about Enterprise
Frequently asked questions
What are the steps to respond to a DSAR?
Recognise and log the request, verify identity, locate all personal data, review exemptions, redact third-party data, compile the response with supplementary information, deliver securely, and document the entire process.
Do I need to redact third-party data?
Yes. GDPR Article 15(4) requires that the right of access does not adversely affect others' rights. All third-party personal data must be permanently redacted before disclosure.
What documentation should I keep?
Request date, identity verification method, systems searched, exemptions applied and reasoning, redactions performed, response date, and delivery method. This provides a defensible audit trail for regulatory review.