With so many new data privacy laws entering into action, it’s time to prepare your business to respond to Data Subject Access Requests (DSAR).
Known by many names, a DSAR refers to when an individual requests to exercise their rights over the personal information you collect from them — like their right to access, correct, or delete their data.
Establishing a transparent DSAR workflow for your team to address these consumer requests helps your business comply with applicable data privacy laws and builds customer trust.
Use this step-by-step guide to make a reliable, legally-sound, and easy DSAR process for your business and users.
Overview of the Data Subject Access Request Process
A Data Subject Access Request or DSAR refers to when individuals submit requests to exercise their data privacy rights as granted by different data privacy laws.
While the specific rights vary, typically, people protected by these pieces of legislation have the right to request to:
- Access the personal data you’ve collected about them and know what you use it for
- Correct or amend their personal data
- Delete the data you’ve collected about them
- Obtain a portable copy of the data you’ve collected about them
- Opt out of certain types of data processing activities, like profiling, the sale of their data, or targeted advertising
Data Subject Access Requests have become increasingly prominent since the introduction of the General Data Protection Regulation (GDPR), the influential data privacy law that protects people within the European Union (EU) and the European Economic Area (EEA).
Additionally, they’re now included in several other laws from around the world, including the:
- Brazil General Data Protection Law
- California Consumer Protection Act (CCPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Indiana Consumer Data Protection Act (Indiana CDPA) — effective January 1, 2026
- Iowa Consumer Data Protection Act (Iowa CDPA) — effective January 1, 2025
- Montana Consumer Data Privacy Act (MCDPA) — effective October 1, 2024
- New Zealand Privacy Act
- Oregon Data Privacy Act (ODPA) — effective January 1, 2024
- Switzerland Revised Federal Act of Data Protection (Swiss FADP) — effective September 1, 2023
- Tennessee Information Protection Act (TIPA) — effective January 1, 2025
- Utah Consumer Privacy Act (UCPA) — effective December 31, 2023
- Virginia Consumer Data Protection Act (VCDPA)
Most of these laws don’t necessarily specify that you must use DSAR forms, but they do require you to provide ways for your consumers (data subjects) to act on their rights.
So, creating a DSAR process or workflow for your business that all relevant employees can understand and follow streamlines this process, helping you meet this legal obligation efficiently and on time.
The Importance of a DSAR Process for Businesses
Establishing an adequate DSAR process is important for businesses because it’s often a multi-step undertaking, and some laws, like the GDPR and the CCPA, outline specific timeframes for how long you have to respond to and complete consumer requests.
Some of the necessary DSAR steps include verifying the identity of the consumer making the request, securely locating their data, and providing a way for them to appeal your decision based on their request.
Additionally, you’re not usually allowed to charge any fees regarding the entire DSAR process, so it’s essential that your business can meet these requirements in an affordable manner.
Throughout the rest of this article, I’ll walk you through the steps you need to include in your business’s DSAR workflow.
Key Definitions and Terms in the DSAR Process
Let’s start by defining some key terms you and your team should familiarize yourself with when creating your DSAR process.
- Data controller: If you determine what information gets collected from users and how it gets used, you’re considered the data controller.
- Data subject: The individuals you collect data from who are protected by data privacy laws are considered the data subjects.
- Data processor: If you use a third-party entity to help you handle your data processing activities, they’re considered your data processor and may have to assist you with fulfilling consumer requests to exercise their privacy rights.
- Data Protection Officer (DPO): This is the person you appoint who ensures that all information you process, from your consumers, your employees, and any other data subjects, is done in a legally compliant way.
- Verifiable consumer request: This is the process of ensuring you can verify that the person submitting the request to act on data privacy rights is the actual individual in question or has legal permission to act on the data subject’s behalf.
- Data Subject Access Request form: This refers to the online form you publish on your platform so consumers can easily submit requests to exercise their privacy rights.
I’ll use these terms throughout this guide, so refer back to this list as much as needed.
Preparing for a DSAR
Next, let’s walk through how you prepare your business for a DSAR from a consumer.
Taking these preliminary actions before receiving an actual data privacy request from one of your users helps make the entire process much more efficient for all parties involved.
Appointing a Data Protection Officer (DPO)
First and foremost, you should appoint a Data Protection Officer or DPO for your business.
Your DPO is responsible for ensuring that your company collects and processes data in legally compliant ways. Depending on the size and scope of your business, they’ll either respond to DSARs or oversee and help manage the process.
For example, smaller companies usually only require a single DPO to meet legal obligations.
However, companies that process large amounts of data or highly sensitive information may need a team of employees to assist the DPO with these responsibilities.
When choosing your DPO, ensure they’re familiar with data privacy legislation and know your business’s operations inside and out.
Avoid choosing someone on a short-term contract and ensure there are no conflicts of interest.
Establishing DSAR Policies and Procedures
Once you have a DPO, you should establish your DSAR policies and procedures and determine your methods to allow consumers to submit their data requests.
Remember, laws like the CCPA require you to provide two or more systems.
You must also describe how individuals can appeal your decisions based on their requests, especially under laws like the CCPA and the VCDPA.
However, the DSAR workflow doesn’t stop there.
You should also develop a plan for how your business will respond to the requests, how your DPO or team can locate the personal data, how you’ll communicate with the data subject, and more, which I’ll explain in detail later during the step-by-step portion of this guide.
Employee Training and Awareness
Finally, you must determine how you’ll train your staff and increase employee awareness regarding data privacy best practices and the DSAR process your business implements.
Training your employees to be privacy literate will help make your DSAR process more efficient and effective.
All employees should, at a minimum, be able to recognize a DSAR and escalate it to the appropriate teams.
In other words, everyone should be on the same page about the importance of protecting your users’ personal data and allowing them to follow through on their legal rights.
Your employees also have data privacy rights regarding how you collect, use, and process their data, which you must also consider when creating a DSAR workflow.
Step-By-Step DSAR Workflow Your Business Needs To Follow
Now, let’s walk through the steps you should follow to ensure your business’s DSAR workflow runs smoothly and meets all legal obligations.
Step 1: Receiving and Identifying a DSAR
When it comes to receiving DSARs, there are multiple methods you could implement on your site, and individuals aren’t obligated to follow many rules when making a request.
However, based on applicable data privacy laws, you should choose systems based on how your users typically interact with your platform and the nature of the personal data you collect.
Most laws require you to provide at least two or more ways for consumers to submit requests.
Options for implementation include:
- An online form: Often called a DSAR form, it should be appropriately labeled, easy to use, compatible with all devices, and secure.
- A dedicated email address: It should be easy to access, clearly identified, checked regularly, and secure.
- A telephone number: It should be active, working, answered regularly with hours of operation included, and secure.
- In-person requests: Depending on the type of business you run, you may have a physical location where consumers can make their requests in person, so have the address clearly labeled with hours of operation present.
However, you must respond to consumers even if they don’t follow the specific DSAR methods you implement on your platform. According to the laws, consumer requests are consumer requests, no matter what.
Verifying a Data Subject’s Identity
Once you’ve chosen the methods you’ll use to allow consumers to follow through on their rights, you must also make a process for verifying consumer requests. Doing so ensures you’re not releasing personal information to an unauthorized person.
When verifying the consumer’s identity, avoid asking for more personal information unless absolutely necessary, and don’t require them to create an account (under some laws, this is explicitly forbidden).
Instead, consider using a two-factor authentication approach and take advantage of pre-existing data you already have.
You might send a code to their email address or phone number or have them select and answer a security question correctly.
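The verification approach described above, as an added example that is not part of the original article: a one-time code is generated from a CSPRNG, delivered to the contact details the business already holds (no new personal data, no account), stored only as a keyed hash, and accepted once, within a time limit and an attempt limit. The customer record store and the sending gateway are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample of contact details the business already holds for a
# data subject (assumption: the real system reads these from its customer store).
CUSTOMERS_ON_FILE = {
    "user-1001": {"email": "alice@example.com"},
}

CODE_TTL_SECONDS = 10 * 60               # a code is valid for ten minutes
MAX_ATTEMPTS = 5                         # lock the challenge after five wrong guesses
SERVER_PEPPER = secrets.token_bytes(32)  # per-process key for hashing codes

# Stand-in for an email/SMS gateway: records the (destination, code) pairs
# that would have been sent.
SENT_MESSAGES = []


@dataclass
class PendingVerification:
    subject_id: str
    code_digest: bytes   # keyed hash of the code; the code itself is never stored
    expires_at: float
    attempts: int = 0
    verified: bool = False


def _digest(code: str) -> bytes:
    return hmac.new(SERVER_PEPPER, code.encode(), hashlib.sha256).digest()


def start_verification(subject_id: str, now: Optional[float] = None) -> Optional[PendingVerification]:
    """Generate a one-time code and send it to the contact already on file.

    Returns None when no record exists; the caller should still answer the
    requester with the same neutral message so the lookup reveals nothing.
    """
    contact = CUSTOMERS_ON_FILE.get(subject_id)
    if contact is None:
        return None
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"        # six digits from a CSPRNG
    SENT_MESSAGES.append((contact["email"], code))  # real system: email/SMS gateway
    return PendingVerification(subject_id, _digest(code), now + CODE_TTL_SECONDS)


def check_code(pending: PendingVerification, submitted: str, now: Optional[float] = None) -> bool:
    """Validate a submitted code: unexpired, under the attempt limit, single use."""
    now = time.time() if now is None else now
    if pending.verified or pending.attempts >= MAX_ATTEMPTS or now > pending.expires_at:
        return False
    pending.attempts += 1
    # Constant-time comparison of the keyed hashes.
    if hmac.compare_digest(_digest(submitted), pending.code_digest):
        pending.verified = True   # consumed: the same code cannot be replayed
        return True
    return False


if __name__ == "__main__":
    pending = start_verification("user-1001")
    sent_code = SENT_MESSAGES[-1][1]
    print("verified:", check_code(pending, sent_code))
```

Keeping only a keyed hash means a leaked verification table does not expose live codes, and the attempt counter plus expiry bound guessing; a deployment would persist the pending record server-side and rate-limit how often a new code can be requested for the same subject.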
Understanding the Scope of the Request
You also need to ensure the person or team answering your DSARs understands the scope of the consumer request so that they can respond accurately and appropriately.
Consumers have different rights, and they can submit a request to follow through on any of them, including accessing all personal information an entity collected from them, correcting inaccurate data, or asking to have their data deleted.
Make sure you know what the specific request or requests are from the consumer, and reply to all facets of it.
Step 2: Gathering Requested Data
The next step involves gathering the relevant requested data so you can appropriately respond to the consumer.
Your internal procedure should explain which employees are approved to locate the information, the networks where you store the data, and if it’s located in multiple places (which, more than likely, it is).
Don’t forget to mention if you store any information physically.
Retrieving Personal Data
Depending on your industry, different permissions may be required before an employee can access the data on behalf of the data subject.
For example, permissions are necessary when gathering health information under U.S. federal laws like HIPAA.
Verify if this impacts your business, and add the appropriate details to your DSAR procedures.
You might also consider implementing data mapping techniques to make gathering this information easier on your team.
You can learn more by checking out our data mapping guide.
Data from Third Parties
When gathering the information, don’t forget to include data collected by third parties you work with or use, especially if you rely on a third-party data processor.
The consumer request applies to all data collected.
Most data protection laws contractually obligate third parties to help you follow through on consumer requests to act on their privacy rights.
You should ensure that your contracts with your data processors reflect these requirements.
Be thorough: accidentally leaving anything out, even by mistake, violates data privacy laws.
Step 3: Data Review and Exemption Consideration
Once you’ve collected the data requested by the consumer, you must review it for confidentiality and sensitivity.
In other words, your DPO and their team must ensure it meets all your internal requirements for accepting or rejecting the consumer request.
Identifying Exempt Information
It’s possible that some of the personal data is exempt from sharing with the data subject, and you should explain how your DPO or their team can identify this information ahead of time.
Most notably, you cannot share information with someone if it infringes upon another person’s data privacy rights.
You should reject any request — or part of a request — that impedes another person’s privacy and clearly explain this to the original data subject.
Balancing Transparency and Data Protection
When responding to a consumer request, your data privacy team should make a log of the steps they take while simultaneously considering data protection.
Having your employees mark down the date and time of each task they’ve completed, the authorization for the requests, and the potential locations of the data they’ve accessed can help your business in case of a regulatory audit.
However, you’re also responsible for keeping these details secure from data breaches or unauthorized access, so ensure you have safety measures to prevent this.
Step 4: Communication With the Data Subject
It’s essential to confirm with the consumer that you’ve received their request and are working on your response.
Consider sending a verification notice to the data subject to reassure them that you acknowledge their DSAR and will respond in the appropriate timeframes.
Providing Updates on Progress
Depending on what applicable laws say about your timeline for responding to consumer DSARs, you might also consider sending them updates on your progress.
Updating the data subject about how long the process might take gives them peace of mind and holds your DPO or privacy team accountable for progressing your DSAR workflow promptly.
Seeking Clarifications, if Necessary
If necessary — and as legally applicable — it’s okay for you to request clarifications from the data subject.
For example, you might need to verify what rights they’re following through on or clarify if someone is acting as the legal guardian on behalf of a known child.
However, only seek clarifications when it’s crucial for you to do so.
Your DSAR process must follow all applicable laws, and there are limitations as to what you can and cannot ask a data subject depending on what legislation applies to your business.
Step 5: Processing and Compiling the Response
When processing and compiling your response to a DSAR, you should have a process in place for organizing the collected data.
Many laws give consumers the right to a portable copy of their information, which means you must present it to them in a way that’s easy to share with another data controller.
The purpose of the data portability right is to prevent user information from being stored on closed platforms, which makes moving accounts between services much more challenging.
You must provide the data using a common, accessible file type. If possible, provide the consumer with remote access using a secure system.
Make sure you format it in a way that’s easy to read and understand.
Documenting Data Processing Activities
You should also document your data processing activities concerning any DSARs you receive so the user knows why you collected the data from them.
Under most data privacy laws, you must have a legal basis for using categories of personal information and explain how long you’ll retain the data.
Keep in mind that most data protection legislation says you can only keep information for as long as necessary based on your purpose for collecting it in the first place unless otherwise required by law.
Redacting Third-Party Information
In some cases, it may be necessary for you to redact information in relation to any third parties when fulfilling DSARs.
Have a process for identifying what third-party information should be removed or redacted from the data you share with the original requester and how your teams can do this.
For example, you might redact private organization information that falls outside the scope of personal data and information about another individual not making the request.
Step 6: Drafting the Response
Now it’s time to create the process for drafting a clear and comprehensive response to a DSAR.
When replying to a consumer, use straightforward language that’s easy to understand. You must be thorough and double-check that you’re providing everything the consumer requested.
Explaining Data Processing Activities
Sometimes, explaining your data processing activities in a DSAR response is necessary.
Many laws grant consumers the right to know what you use their personal information for and if it’s shared with or sold to third parties.
Your data subjects could also request that you stop using their information in either way.
Be transparent about your processing activities, and ensure anyone working on your DSAR workflow understands these protocols inside and out so they can accurately inform users who submit requests.
Preparing templates your employees can tailor to the type of request received may be helpful.
Addressing Exemptions and Limitations
If any data the individual requests is exempt, or you can only share a limited amount with the requester, you must explain those limitations clearly in your response.
Similarly, you may need to deny certain DSARs, but only in very specific cases, and it depends on applicable laws.
Under the GDPR, for example, you can deny a DSAR if it’s unfounded or excessive.
Put these details in your DSAR protocols based on the data privacy legislation that applies to your business so it’s clear to everyone on your team who responds to consumers when it is and isn’t appropriate to deny a request.
Step 7: Review and Quality Assurance
Once you’ve drafted your response, internally review it for accuracy and quality assurance.
When it comes to DSAR responses, the most important factor is following the correct laws, so don’t skip this step.
Performing an internal review as part of your overall workflow helps you find and correct mistakes or legal errors before the response goes out.
Ensuring Accuracy and Compliance
Before you send an official response to the data subject, double-check that all personal data and details are accurate and that you’re following the applicable laws.
Data subjects from different regions have different rights. Write out the details about their rights in your DSAR protocols and ensure everyone on your team can access them.
Remember, sending the wrong data to a data subject is considered a breach because an unauthorized person has access to someone else’s information.
Data privacy laws hold your business accountable for such a mistake, so it’s crucial you have protocols in place to prevent this from occurring.
Legal and DPO Approval
If necessary, have your DPO or legal team review and approve your DSAR responses before sending them to the data subject.
They should double-check that everything is done correctly and in a legally compliant way.
Step 8: Sending the DSAR Response
Before sending your DSAR response, look to applicable laws to determine the proper formatting and delivery methods.
It is vital that you employ a method that ensures the continued safety of your data subjects’ information while being transferred.
For example, under the GDPR, any data subject requests made electronically should be replied to electronically.
Mark down these methods as part of your DSAR workflow so your employees understand the legally appropriate way to send a response to consumers.
Timely Delivery and Communication
Most data privacy laws require you to respond to data subject requests without undue delay.
However, most also outline a specific time frame, so ensure you stay within those boundaries.
Under the GDPR, you have 30 days, whereas under the CCPA, you have 45 days.
Replying sooner is always better than responding too late, at which point the law could hold you legally accountable.
Step 9: Handling Appeals and Further Steps
You have a few ongoing responsibilities even after you respond to a DSAR.
Most data privacy laws require you to provide an easy method for data subjects to appeal your decisions regarding their requests.
For example, if someone asks you to delete their information and you say no, they can submit an appeal.
Laws like the VCDPA stipulate that the appeal process must be as simple as and similar to the system you initially used to allow consumers to submit requests.
You then have a set amount of time to reply to an appeal, depending on the legislation that applies to your business.
Escalating Complex Cases
After responding to a consumer, you may face complex requests from data subjects or even receive a more complicated appeal.
To prepare your business, create a process for escalating those requests to the proper channels so you can resolve them quickly and efficiently.
For example, a legal guardian may contact you over concerns about your website or app collecting information about their child despite your business not targeting minors.
By creating a response process before a complex DSAR or appeal takes place, your business will be better prepared and protected, and your consumers will appreciate your efforts.
Continuous Improvement of the DSAR Process
As you receive more DSARs and put your workflow to the test, don’t shy away from continuously adjusting and improving it.
While data privacy laws dictate that you must allow consumers to act on certain rights within a specific timeframe, the overall process is entirely up to you.
It’s a good idea to make any changes as necessary to enhance your protocols.
You should also pay attention to new and changing data privacy laws that may impact parts of your DSAR process.
Step 10: Record Keeping and Documentation
Keeping proper, secure records of your DSARs and responses is essential for internal organization purposes and in case of a privacy audit by a regulator or other authority.
Under the GDPR, you must keep a detailed record of your processing activities to make available upon the request of any regulator or authority — which includes DSAR responses and consumer appeals.
Article 31 of the GDPR calls this a Record of Processing Activities or RoPA.
Even if other laws don’t require you to keep this information, doing so is a best practice as it can help you prove legal compliance if an issue arises.
When maintaining DSAR records, follow all applicable data privacy laws and keep the information safe from unauthorized access or breaches.
Audit Trail and Accountability
By documenting your communications with the data subject who submits the request, you’re creating an audit trail, which can help prove your business complied with all applicable laws if a regulatory authority ever questions your legal accountability.
Make a log of all your steps, and store it in a secure environment.
As an additional benefit, if the same consumer submits another DSAR in the future, it’ll make responding to their request faster and easier for your team.
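To tie together the record-keeping advice in this section with the earlier points on logging each step (Balancing Transparency and Data Protection), statutory deadlines (Timely Delivery and Communication), portable copies (Step 5) and redacting third-party details, here is an added example that is not part of the original article: a minimal DSAR case record that computes the response deadline from the day counts the article gives (GDPR 30 days, CCPA 45 days), keeps a hash-chained audit log of who did what and when, and builds a JSON export with fields about other individuals redacted. Case contents, actor names and data-store names are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set

# Response windows as the article states them: GDPR 30 days, CCPA 45 days.
RESPONSE_DAYS = {"GDPR": 30, "CCPA": 45}
GENESIS = "0" * 64   # prev_hash of the first audit entry
REDACTED = "[redacted: relates to another individual]"


@dataclass
class AuditEntry:
    timestamp: str    # when the step was done, as recorded by the employee
    actor: str        # who did it
    action: str       # received / verified / located / reviewed / sent ...
    detail: str       # e.g. the data store searched or the authorization relied on
    prev_hash: str    # hash of the previous entry, chaining the log together
    entry_hash: str = ""


def _entry_hash(prev: str, timestamp: str, actor: str, action: str, detail: str) -> str:
    return hashlib.sha256(f"{prev}|{timestamp}|{actor}|{action}|{detail}".encode()).hexdigest()


@dataclass
class DsarCase:
    case_id: str
    subject_id: str
    law: str                       # key into RESPONSE_DAYS
    received: date
    rights_requested: List[str]    # e.g. ["access", "deletion"]
    audit_log: List[AuditEntry] = field(default_factory=list)

    @classmethod
    def open(cls, case_id: str, subject_id: str, law: str, received_iso: str, rights: List[str]):
        return cls(case_id, subject_id, law, date.fromisoformat(received_iso), list(rights))

    @property
    def deadline(self) -> date:
        return self.received + timedelta(days=RESPONSE_DAYS[self.law])

    def days_remaining(self, today_iso: str) -> int:
        return (self.deadline - date.fromisoformat(today_iso)).days

    def log(self, timestamp: str, actor: str, action: str, detail: str = "") -> AuditEntry:
        """Append a step; each entry commits to the one before it."""
        prev = self.audit_log[-1].entry_hash if self.audit_log else GENESIS
        entry = AuditEntry(timestamp, actor, action, detail, prev,
                           _entry_hash(prev, timestamp, actor, action, detail))
        self.audit_log.append(entry)
        return entry

    def audit_log_intact(self) -> bool:
        """Recompute the chain; an edited or removed entry breaks it."""
        prev = GENESIS
        for e in self.audit_log:
            if e.prev_hash != prev or e.entry_hash != _entry_hash(
                    prev, e.timestamp, e.actor, e.action, e.detail):
                return False
            prev = e.entry_hash
        return True


def build_export(case: DsarCase, personal_data: Dict[str, str],
                 processing: Dict[str, Dict[str, str]], redact_fields: Set[str],
                 export_date: str) -> dict:
    """Assemble the subject's copy: their data, the purpose and retention period
    for each category, with fields that concern other people redacted."""
    data = {k: (REDACTED if k in redact_fields else v) for k, v in personal_data.items()}
    return {
        "case_id": case.case_id,
        "subject_id": case.subject_id,
        "rights_requested": case.rights_requested,
        "exported_on": export_date,
        "personal_data": data,
        "processing": processing,
    }


def portable_export(*args, **kwargs) -> str:
    """Serialize as JSON, a common machine-readable format another controller can import."""
    return json.dumps(build_export(*args, **kwargs), indent=2, sort_keys=True, ensure_ascii=False)


if __name__ == "__main__":
    case = DsarCase.open("dsar-0001", "user-1001", "GDPR", "2024-03-01", ["access"])
    case.log("2024-03-01T09:00:00", "dpo", "received", "web form")
    case.log("2024-03-02T10:00:00", "analyst", "located", "crm-db")
    print("deadline:", case.deadline.isoformat(), "intact:", case.audit_log_intact())
    print(portable_export(case, {"email": "alice@example.com", "referred_by": "bob@example.com"},
                          {"email": {"purpose": "account login", "retention": "while the account is active"}},
                          {"referred_by"}, "2024-03-20"))
```

The hash chain only proves that entries were not altered after the fact if the latest entry hash is also kept somewhere the case handlers cannot edit (for example, written to a separate append-only log); the deadline table should be extended with the statutory periods for every law that applies to your business.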
Now’s the time to make a uniform, efficient DSAR procedure for your business.
Depending on what laws apply to you and your consumers, you’ll need to take the following steps:
- Determine what methods you’ll use to allow consumers to submit DSARs and appeals
- Appoint a DPO and determine how you’ll train your employees
- Have methods in place so you can verify the identity of the consumer submitting the request
- Gather the requested data from all channels you use to collect it in the first place
- Format the information in a way that’s easy to read and portable, as necessary
- Appropriately communicate with the data subject throughout the process
- Draft up your response, and have steps in place for reviewing the draft for legal compliance and accuracy
- Process the response promptly and redact any unnecessary information as needed
- Send your response in a way that’s legally sound and easy for the data subject to access
- Look out for any consumer appeals and respond appropriately
- Keep a record of all DSARs that come your way in case of future requests or an audit from a regulator
- Continue to improve, update, and refresh your DSAR process as needed based on applicable data privacy laws
Ultimately, creating a DSAR workflow puts your entire team on the same page and helps you adhere to data protection regulations outlined by relevant laws.
If you violate any of those laws, even by accident, it could lead to public backlash and significant fines that add up fast — just check out this list of the biggest GDPR fines of all time.
An efficient DSAR process also proves to your consumers that your company continuously commits to protecting their data privacy.
Current data privacy statistics suggest that consumers care more about what’s happening to their personal information online today than ever before.
Prove to them that you care about protecting the integrity of their information just as much by implementing a coherent and well-structured DSAR process.