Enterprise 2026 · 7 min read

Office 365 DSAR Response Guide for DPOs

Receiving and Validating a DSAR

A data subject access request can arrive through any channel — email, web form, letter, or even a verbal request to your customer service team. Under GDPR, there is no prescribed format. Your first obligation is to verify the identity of the requester without collecting more personal data than necessary. For employees, this might mean confirming through existing HR systems. For customers, you may need to match the request against account records.

You have 30 calendar days to respond under GDPR, with a possible extension to 90 days for complex requests. Under CCPA, the window is 45 days with a single 45-day extension. The clock starts when you receive the request, not when you verify identity — so having a clear intake process matters.

Tip: Document your verification process. Regulators will want to see that you confirmed the requester's identity before disclosing any personal data, and that you did not use the verification step to discourage legitimate requests.

Step 1: Scope the Data Landscape

Before running any searches, identify which Office 365 services your organization uses and where the data subject's information is likely to reside. The most common sources in a typical Office 365 tenant include Exchange Online (email, calendar, contacts, tasks), SharePoint Online (team sites, document libraries, lists), OneDrive for Business (personal files and synced content), and Teams (chat messages, channel conversations, meeting recordings and transcripts).

Less obvious but equally important sources include Forms (survey responses the data subject submitted), Planner (task assignments and comments), Bookings (appointment records with personal details), To Do (tasks synced to the mailbox), and Viva Engage (posts, comments, and profile data). The scope of your search should reflect the services your organization actually uses — there is no need to search services that are not part of your tenant or that the data subject never interacted with.

Step 2: Search with Purview eDiscovery

Microsoft Purview eDiscovery is the primary tool for locating personal data across your Office 365 environment. Create a case, define your search using the data subject's identifiers, and target the relevant content locations. The most effective search queries combine an identifier (email address, employee ID, name) with conditions that narrow the scope — file type, date range, or specific SharePoint sites.

For a comprehensive DSAR, search across all Exchange mailboxes and all SharePoint sites in a single pass. This catches data that may have been shared, forwarded, or copied across the organization. Review the search statistics before exporting to understand the volume and distribution of results — this helps you estimate the redaction effort ahead.

Step 3: Export the Results

Export the search results from Purview. For email, you can choose PST format (one file per mailbox) or individual message files. For documents, the export includes native file formats from SharePoint and OneDrive. The export package also includes a Results.csv manifest that catalogs every item with its source location, custodian, and metadata.

Download the export to a secure location. The exported data is unredacted and contains the personal data of the data subject alongside personal data belonging to every other person referenced in those files. This is the dataset that requires redaction before disclosure.
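One way to size the redaction effort before anyone opens a file is to triage the export manifest. The following is an added example, not code from this article, from Purview, or from SafeRedact; the column names (Custodian, Location, File Type, Size, Title) and the sample rows are constructed for the example and should be checked against the Results.csv in your own export package before the keys are reused. It groups items by custodian and source and flags spreadsheets, which are the items most likely to hold whole tables of other people's records.

```python
"""Added example (not the article's, Purview's, or SafeRedact's code): a triage
pass over an export manifest so the redaction effort can be sized before
review starts. Column names are an assumption for the example; check them
against the Results.csv in your own export and adjust the keys below."""
import csv
import io
from collections import Counter

# Constructed sample manifest (not a real export). Real manifests carry many
# more columns, such as item identifiers and full source paths.
SAMPLE_MANIFEST = """Custodian,Location,File Type,Size,Title
jane.doe@contoso.example,Exchange,email,12043,Leave request
alice.morgan@contoso.example,Exchange,email,8711,RE: Leave request
alice.morgan@contoso.example,SharePoint,docx,55120,Performance review 2021
hr-shared,SharePoint,xlsx,2048000,Headcount by department
tom.reed@partner.example,Exchange,email,3001,Contract draft
tom.reed@partner.example,OneDrive,pdf,402112,Contract draft v2
"""

# Spreadsheets and tabular exports are the items most likely to carry bulk
# third-party records, so they are routed to a dedicated review queue rather
# than being mixed in with email and documents.
BULK_RECORD_TYPES = {"xlsx", "xls", "csv"}


def triage_manifest(csv_text):
    """Summarize a manifest: item counts per custodian and per source, total
    bytes to review, and the items flagged for bulk-record review."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    flagged = [
        f'{r["Location"]}:{r["Custodian"]}:{r["Title"]}'
        for r in rows
        if r["File Type"].lower() in BULK_RECORD_TYPES
    ]
    return {
        "items": len(rows),
        "by_custodian": dict(Counter(r["Custodian"] for r in rows)),
        "by_source": dict(Counter(r["Location"] for r in rows)),
        "total_bytes": sum(int(r["Size"]) for r in rows),
        "flagged_for_bulk_review": flagged,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The per-custodian counts also tell you whose mailboxes and libraries dominate the result set, which is where most of the third-party addresses in Step 4 will come from.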

Step 4: Redact Third-Party Personal Data

This is the most labor-intensive and error-prone step in the entire DSAR workflow. Every file in the export must be reviewed for personal data belonging to individuals other than the data subject. Email threads contain sender and recipient addresses. Teams transcripts reference every participant. Shared documents may include comments from multiple collaborators. Spreadsheets may contain entire databases of personal records.

Manual redaction at this stage typically requires 8 to 12 hours of skilled labor per request, assuming a moderate volume of files. For complex requests involving thousands of files, the time investment can extend to weeks. This is where automated redaction tools like SafeRedact transform the economics of DSAR compliance — reducing processing time from weeks to hours while improving detection consistency.

Critical requirement: Redaction must be thorough and verifiable. Drawing black boxes over text in a PDF viewer is not redaction: the underlying text layer stays in the file and can still be selected, copied, or extracted. SafeRedact's DSAR mode extracts text from documents and replaces detected PII with category markers (e.g., [NAME], [EMAIL], [PHONE]), producing clean plaintext output in which the original personal data no longer exists in the file. For PDF redaction outside the DSAR workflow, SafeRedact's standard tool applies permanent visual redaction that removes the underlying text layer.

Step 5: Review and Package the Response

Before delivering the redacted files, conduct a quality review. Verify that the data subject's own personal data is intact and readable. Confirm that third-party PII has been consistently removed across all file types. Check that email headers (sender, recipients, CC fields) have been addressed and that document content has been thoroughly reviewed. The response should include a cover letter explaining what data was found, which systems were searched, and the legal basis for any redactions applied.
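The category-marker redaction described in Step 4 and the quality review described here can be shown end to end on a single exported message. The following is an added example, not code from this article or from SafeRedact. It assumes each exported item has already been converted to plain text, that the data subject is identified by known email addresses and name forms, and that detection is regex-based for email addresses and phone numbers plus an explicit list of other people's names (a production tool would use a named-entity model and cover more categories). The sample message, addresses and phone numbers are constructed. The review function checks the property that visual overlays fail to give: the third-party data is genuinely absent from the output text, while the data subject's own identifiers survive.

```python
"""Added example, not code from the original article or from SafeRedact:
category-marker redaction of third-party personal data in exported text
(Step 4) and the quality review that follows it (Step 5).

Assumptions: items are already plain text; the data subject is identified by
known email addresses and name forms; other people's names come from a prior
review pass or an entity model (here, a constructed list)."""
import re
from dataclasses import dataclass, field

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose phone pattern; a candidate only counts as a phone if it holds at least
# MIN_PHONE_DIGITS digits, which keeps dates such as 2021-03-04 intact.
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)")
MIN_PHONE_DIGITS = 10


@dataclass
class RedactionReport:
    text: str
    replaced: dict = field(default_factory=lambda: {"EMAIL": 0, "PHONE": 0, "NAME": 0})


def _is_phone(candidate):
    return sum(c.isdigit() for c in candidate) >= MIN_PHONE_DIGITS


def redact_third_parties(text, subject_emails, other_names):
    """Replace other people's PII with [CATEGORY] markers while leaving the
    data subject's own identifiers readable. Returns the text and counts."""
    keep_emails = {e.lower() for e in subject_emails}
    report = RedactionReport(text="")

    def email_sub(m):
        if m.group(0).lower() in keep_emails:
            return m.group(0)
        report.replaced["EMAIL"] += 1
        return "[EMAIL]"

    def phone_sub(m):
        if not _is_phone(m.group(0)):
            return m.group(0)
        report.replaced["PHONE"] += 1
        return "[PHONE]"

    out = EMAIL_RE.sub(email_sub, text)
    out = PHONE_RE.sub(phone_sub, out)
    # Longest names first so "Alice Morgan" is consumed before a bare "Alice".
    for name in sorted(other_names, key=len, reverse=True):
        out, n = re.subn(r"\b" + re.escape(name) + r"\b", "[NAME]", out, flags=re.IGNORECASE)
        report.replaced["NAME"] += n
    report.text = out
    return report


def quality_check(original, redacted, subject_emails, subject_names):
    """Step 5 review. Returns findings; an empty list means the file passes:
    no residual third-party email or phone number, and every subject
    identifier present in the original is still present after redaction."""
    findings = []
    keep_emails = {e.lower() for e in subject_emails}
    for m in EMAIL_RE.finditer(redacted):
        if m.group(0).lower() not in keep_emails:
            findings.append(f"residual third-party email: {m.group(0)}")
    for m in PHONE_RE.finditer(redacted):
        if _is_phone(m.group(0)):
            findings.append(f"residual phone number: {m.group(0)}")
    for ident in list(subject_emails) + list(subject_names):
        if ident.lower() in original.lower() and ident.lower() not in redacted.lower():
            findings.append(f"data subject identifier was removed: {ident}")
    return findings


# Constructed sample: one exported message converted to text.
SAMPLE_MESSAGE = """From: Alice Morgan <alice.morgan@contoso.example>
To: Jane Doe <jane.doe@contoso.example>
Cc: Tom Reed <tom.reed@partner.example>
Date: 2021-03-04
Subject: Leave request

Hi Jane, I spoke with Tom Reed about your request. Call me on +44 20 7946 0958
or reach Tom at 020 7946 0123 if anything is unclear.
Alice
"""
SUBJECT_EMAILS = ["jane.doe@contoso.example"]
SUBJECT_NAMES = ["Jane Doe", "Jane"]
OTHER_NAMES = ["Alice Morgan", "Alice", "Tom Reed", "Tom"]  # constructed list

if __name__ == "__main__":
    report = redact_third_parties(SAMPLE_MESSAGE, SUBJECT_EMAILS, OTHER_NAMES)
    print(report.text)
    print("replaced:", report.replaced)
    print("findings:", quality_check(SAMPLE_MESSAGE, report.text, SUBJECT_EMAILS, SUBJECT_NAMES))
```

Running the review against the unredacted text instead of the redacted text produces four findings (two residual addresses, two phone numbers), which is the kind of evidence to keep with the case file: it shows the check was run and what it would have caught.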

Package the response securely. Encrypted email, a secure download portal, or encrypted physical media are all acceptable delivery methods. Document the delivery for your records — this evidence may be required if the data subject or a regulator questions the completeness of your response.

Step 6: Handle Deletion and Restriction Requests

A DSAR is often just the beginning. The data subject may follow up with a request to delete their personal data (the right to erasure under GDPR Article 17) or to restrict its processing (Article 18). In Office 365, deletion requires understanding the soft-delete and hard-delete lifecycle for each service. Exchange mailbox items move through the Recoverable Items folder before permanent deletion. SharePoint documents pass through two recycle bin stages over a 93-day window.

If the data subject's data is under a legal hold or retention policy, permanent deletion may be blocked until the hold is lifted. Your response should explain any retention obligations that prevent immediate deletion and provide a timeline for when the data will be removed.

Ready to automate your DSAR redaction?

Process thousands of files in minutes instead of weeks.


Microsoft, Microsoft 365, Office 365, Teams, SharePoint, Exchange Online, OneDrive, Outlook, and Purview are trademarks of Microsoft Corporation. SafeRedact is not affiliated with or endorsed by Microsoft.