DSAR Training: How to Prepare Your Team
How to train your team on DSARs: who needs training, what to cover, how often to train, and a practical program for small businesses.
Last updated: 2026-02-07
Why DSAR Training Matters More Than You Think
Here is the most common way a small business fails a DSAR: a customer emails your general inbox asking for their data, and the person reading the inbox does not recognize it as a legal request. The email sits in the queue for two weeks. Someone eventually replies with "What do you mean?" The customer, now frustrated, complains to the regulator. By the time anyone in your organization realizes what happened, you have missed the deadline and created a compliance problem.
This happens constantly. Not because businesses are negligent, but because the people receiving the requests do not know what a DSAR looks like.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations such as the GDPR, the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100), and the UK GDPR / Data Protection Act 2018 create legal obligations for handling data subject requests. You should consult a qualified attorney for guidance specific to your business.
DSAR training prevents this. It does not need to be expensive, it does not need to be complex, and it does not need to take more than an hour. But it does need to happen.
This guide covers who on your team needs training, exactly what to cover, how often to refresh it, and a practical training program you can implement in a 10-person company without hiring a consultant.
Who Needs DSAR Training?
The short answer: anyone who might receive a DSAR. The longer answer: that is more people than you think.
Tier 1: Must Have Training
These people will definitely receive DSARs and need to know how to handle them:
- Whoever manages your general inbox — most DSARs arrive by email
- Customer service / support team — customers making DSARs often contact your support channels
- HR / people team — employee DSARs come through HR (see our guide on employee DSARs)
- The designated DSAR handler — whoever is responsible for processing DSARs from start to finish
- Business owner / senior management — they need to understand the obligations and authorize the process
Tier 2: Should Have Awareness Training
These people might receive or encounter DSARs and need to know enough to escalate:
- Reception / front desk — verbal or postal DSARs may arrive here
- Sales team — customers sometimes make data requests during sales interactions
- Social media manager — DSARs can arrive through social media channels
- Finance / accounting team — they hold personal data and may receive requests directly
- IT team — they may need to assist with data searches and understanding system architectures
Tier 3: General Awareness
Everyone in the organization should have a basic understanding that:
- People have the right to ask for their data
- If they receive a request that sounds like it might be about personal data, they should pass it to [designated person]
- They should not delete any data that might be relevant to a request
What to Cover in DSAR Training
Training should be practical, not theoretical. No one needs a lecture on the history of GDPR. They need to know what to do on Monday morning when a DSAR arrives.
Module 1: What Is a DSAR and Why Does It Matter?
Time: 10 minutes
Cover the basics:
- A DSAR is a legal request from someone asking for the personal data you hold about them
- It is a legal right under data protection laws (GDPR, CCPA, UK DPA, etc.)
- Your business is legally required to respond within a specific deadline: 30 days under GDPR (Article 12(3)), 45 days under CCPA (Cal. Civ. Code § 1798.130(a)(2))
- Failure to respond can result in regulatory fines (up to 4% of annual global turnover under GDPR Article 83) and legal action
Keep it brief. The goal is context, not expertise. For background, point them to our plain-English DSAR guide.
Module 2: How to Recognize a DSAR
Time: 15 minutes
This is the most important module. Use real examples of what DSARs look like:
Clear DSARs:
- "I am making a subject access request under GDPR."
- "Please provide me with a copy of all personal data you hold about me."
- "I would like to exercise my right of access."
Less Obvious DSARs (But Still Valid):
- "Can you tell me what information you have about me?"
- "I want to see my file."
- "What data do you hold on me?"
- "Can you send me everything you know about me?"
- "I want to know what you've done with my information."
Not DSARs (But Sometimes Confused With Them):
- "Can you reset my password?" — this is a service request
- "I want to close my account and delete my data" — this is an erasure request (different process)
- "Can you send me a copy of my invoice?" — this is a customer service request, not a data access request (though it could be both, depending on context)
The key message: if in doubt, treat it as a DSAR. It is always better to escalate something that turns out not to be a DSAR than to ignore something that is.
Module 3: What to Do When You Receive a DSAR
Time: 15 minutes
This is the action module. Train everyone on the same simple process:
Step 1: Do not ignore it. This sounds obvious but it is the most important instruction.
Step 2: Do not respond to it yourself (unless you are the designated DSAR handler). Do not try to answer the request, do not tell the person "we don't have any data about you," and do not ask them why they want the data.
Step 3: Forward it to [designated person/email] immediately. Not tomorrow, not when you get around to it. Now. Every day of delay is a day off the response deadline.
Step 4: Record the date you received it. The deadline starts when the request arrives, so knowing exactly when that was matters.
Step 5: Do not delete anything. If you receive a DSAR, or hear that someone has submitted one, do not delete any data that might be relevant. This includes emails, files, notes — everything. Deleting data after a DSAR is received can be a criminal offense.
That is it. For most team members, this is all they need to know. The designated handler takes it from there.
Module 4: The Response Process (For Designated Handlers Only)
Time: 20 minutes
This deeper training is only for the person (or people) who actually process DSARs. Cover:
- The full response process (see our step-by-step response guide)
- Identity verification requirements (see our identity verification guide)
- Where to search for data (all systems, not just the main database)
- How to handle third-party data redaction
- When exemptions might apply (see our exemptions guide)
- How to use your response templates (see our template guide)
- Deadline management, including how and when to extend (see DSAR response deadlines)
Module 5: Data Preservation and the "Do Not Delete" Rule
Time: 10 minutes
This module is critical and applies to everyone:
- Once a DSAR is received, all data about the requester must be preserved
- This means no deleting emails, files, records, or any other data about the person
- Automated deletion (email auto-purge, retention policy deletions) should be paused for the requester's data
- Deleting data to avoid disclosing it is a serious violation — potentially criminal under the UK Data Protection Act 2018
- If you think you might have accidentally deleted something, tell the designated handler immediately
This is not about making people paranoid. It is about making sure no one inadvertently destroys data that the business is legally required to provide.
How to Deliver the Training
For a Small Business (Under 20 People)
You do not need an e-learning platform or an external trainer. Here is a practical approach:
Option 1: Team Meeting
- Dedicate 30-45 minutes of a team meeting to DSAR training
- Walk through the modules above using a simple presentation or printed handout
- Use real examples (anonymized) or create scenarios
- End with a brief quiz or scenario exercise to check understanding
Option 2: Written Guide + Walkthrough
- Create a one-page DSAR procedure document (who to contact, what to do, what not to do)
- Distribute it to all staff
- Walk each person through it in a 10-minute one-on-one
- Pin the procedure document somewhere visible (kitchen noticeboard, shared drive, Slack channel)
Option 3: Short Video
- Record a 10-15 minute video covering modules 1-3
- Share it with all staff
- Follow up with a brief Q&A session
The format matters less than the coverage. Pick whatever works for your team and actually do it.
For Medium-Sized Businesses (20-100 People)
At this size, you may want a slightly more structured approach:
- Tiered training — all staff get a 15-minute awareness session (modules 1-3, 5); the DSAR response team gets the full program
- Departmental sessions — tailor examples to the department (customer service gets customer DSAR examples, HR gets employee DSAR examples)
- Written policy — formalize your DSAR procedure in a policy document that staff can reference
- Knowledge check — a brief quiz after training to confirm understanding
Scenario-Based Training: What Would You Do?
The most effective DSAR training uses scenarios. Here are some you can use:
Scenario 1: The Casual Email
A customer emails your support inbox: "Hi, I've been a customer for 3 years and I'm curious about what information you've kept about me. Can you send me everything you have?"
Question: Is this a DSAR? What should you do?
Answer: Yes, this is a DSAR. Forward it to the designated handler immediately and record the date received.
Scenario 2: The Angry Ex-Customer
A former customer posts on your company's Facebook page: "I cancelled my account six months ago. What data are you still holding about me? I want to see it all."
Question: Is this a DSAR? What should you do?
Answer: Yes, this is a DSAR. It does not matter that it was posted on social media. Alert the designated handler immediately. Respond to the post acknowledging the request and ask them to email a specific address so you can process it securely (you do not want to disclose personal data via social media).
Scenario 3: The Employee Request
An employee approaches their line manager and says: "I want to see my personnel file and all the emails about me that have been sent between managers."
Question: Is this a DSAR? What should the manager do?
Answer: Yes, this is a DSAR. The manager should not try to handle it themselves. They should direct the employee to put the request in writing (for record-keeping) and forward it to the designated handler. They should not discuss the request with other managers or take any action regarding the employee's data.
Scenario 4: The Solicitor's Letter
You receive a formal letter from a law firm stating: "We act on behalf of [Name]. Pursuant to Article 15 of the UK GDPR, please provide all personal data you hold about our client within one calendar month."
Question: Is this a DSAR? What additional steps are needed?
Answer: Yes, this is a DSAR. Forward it to the designated handler. Additional step: verify that the solicitor is authorized to act on behalf of the individual (request a letter of authority or confirmation from the individual directly).
Scenario 5: The Deletion Request
A customer emails: "I want you to delete all my data immediately."
Question: Is this a DSAR?
Answer: No, this is an erasure request (right to be forgotten), not an access request. It is a different process. Forward it to the designated handler, who will process it under the appropriate procedure. However, if the person also asks to see their data before it is deleted, that would be a DSAR.
How Often to Train
Initial Training
All new employees should receive DSAR awareness training as part of their onboarding. This does not need to be day one — within the first month is fine. But it needs to happen before they start handling customer or employee communications.
Annual Refresher
Run a brief refresher at least once a year. This can be:
- A 15-minute team meeting recap
- An updated version of your procedure document
- A scenario-based quiz
- A brief presentation covering any changes in law or process
Trigger-Based Training
Additional training should happen when:
- You receive your first DSAR (use it as a real-world training moment)
- Your process changes
- A new law or regulation comes into effect
- You experience a failure (missed deadline, mishandled request) — use it as a learning opportunity
- New systems are introduced that hold personal data
Measuring Training Effectiveness
You do not need a complex assessment framework. For a small business, training is effective if:
- Every team member can answer: "If someone asks for their data, who do I tell?" (and they give the right answer)
- No DSARs go unrecognized. Track whether DSARs are being identified and escalated promptly.
- No data is deleted after a request is received. The "do not delete" rule is understood and followed.
If those three things are happening, your training is working.
Building a Training Record
Keep a simple record of who has been trained and when. This is useful for:
- Demonstrating compliance if a regulator asks about your training program
- Identifying gaps (new hires who have not been trained yet)
- Planning refresher sessions
A spreadsheet with columns for name, date trained, and training type is sufficient.
The Cost of Not Training
We keep coming back to the same point because it is true: the vast majority of DSAR failures at small businesses are not caused by complex legal questions or inadequate resources. They are caused by the person who received the email not knowing what it was.
A 30-minute training session prevents this entirely. The cost is negligible. The protection is enormous.
References
- General Data Protection Regulation (GDPR): Full text, including Article 12 (response timelines), Article 15 (right of access), and Article 83 (penalties).
- California Consumer Privacy Act (CCPA): Cal. Civ. Code §§ 1798.100–1798.199.100. Full text on the California Legislative Information site.
- UK GDPR / Data Protection Act 2018: ICO guidance for organisations.
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.