Responding to Data Subject Access Requests Under GDPR
Data Subject Access Requests (DSARs) are one of the most frequently encountered compliance obligations under the General Data Protection Regulation. As a compliance professional, you should recognise that your organization's ability to respond accurately, completely, and within strict timelines directly impacts your regulatory standing and your relationship with data subjects. This guidance walks you through the practical mechanics of DSAR handling.
Understanding the Legal Obligation
Under GDPR Article 15, data subjects have the right to obtain confirmation of whether an organization holds their personal data and, if so, to receive a copy of that data in a structured, commonly used, and machine-readable format. This is a broad right—it extends to all personal data processed about an individual, regardless of the purpose or lawful basis for processing. Your organization cannot refuse a DSAR on the grounds that the data is sensitive, commercially valuable, or difficult to retrieve.
The scope of Article 15 is expansive. You must provide not only the data itself but also supplementary information: the purposes of processing, the categories of recipients, the retention period, the legal basis for processing, and details about automated decision-making if applicable. Many DSAR responses fail not because organizations cannot locate data, but because they omit this contextual information.
The 30-Day Response Window
GDPR Article 12(3) establishes a one-month deadline from receipt of the request. This is a hard deadline, not a guideline. You must respond within 30 calendar days. The clock starts when you receive the request, which is why having a clear intake mechanism—a dedicated email address, a web form, or a ticketing system—is essential. Document the date of receipt immediately.
In practice, 30 days is tight. Most organizations find that data mapping and retrieval take 2-3 weeks, leaving limited time for review and quality assurance. Build in process buffers. If you anticipate difficulty meeting the deadline, GDPR Article 12(3) permits a two-month extension, but only when justified by the complexity of the request or the number of requests received. Extensions are not automatic, and you must notify the data subject within one month, explaining the reason and your expected completion date.
Identifying the Requestor and Locating Data
Before you can respond, you must verify that the person submitting the request is actually the data subject or an authorized representative. This verification step protects both you and the data subject. Reasonable verification might include matching information against your records, requesting government-issued identification, or in lower-risk cases, confirming email addresses or phone numbers on file. Document your verification method.
Next comes the operationally demanding task: locating all personal data held about that individual. This requires a systematic search across systems. Most organizations maintain data in multiple repositories—CRM systems, email archives, HR databases, document management systems, and cloud storage. If you haven't already completed a data inventory or mapping exercise, DSAR volume will make this evident. Create a checklist of systems and business units and confirm that each has been searched. Work with IT and business owners directly; do not rely on general assurances that data has been located.
Handling Legally Restricted Information
GDPR Article 15(4) allows you to withhold information in limited circumstances: when disclosure would reveal information about a third party, when disclosure would undermine legal professional privilege, or when national security is at stake. These exceptions are narrow. The presence of third-party data does not automatically justify withholding; instead, you should redact identifiers of third parties while providing information about the interaction or relationship. Only withhold when disclosure would genuinely cause harm.
Preparing and Delivering the Response
Package the response in a clear, structured format. A single PDF or spreadsheet is often appropriate, but for large datasets, consider a CSV file with clear column headers. Include the supplementary information required by Article 15 in a cover letter or explanatory document. Avoid technical jargon; data subjects may not understand system names, field codes, or processing descriptions.
Deliver the response securely. Email with password protection, secure file transfer, or a download link sent through an authenticated portal are all acceptable. Never send personal data over unencrypted email. When a data subject requests a specific format, you must comply unless it is technically impossible or imposes a disproportionate burden.
Documentation and Quality Control
Maintain records of every DSAR received and your response. Log the request date, data subject identifier, response date, scope, and any redactions or extensions. This creates an audit trail. Before sending the response, have a second person review it for completeness and accuracy. DSAR responses are high-risk deliverables; errors damage trust and may trigger complaints to your supervisory authority.