How to Respond to a DSAR: Step-by-Step Process
A practical step-by-step guide to responding to a DSAR, from receiving the request to sending your final response.
Last updated: 2026-02-07
The DSAR Response Process, Step by Step
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the GDPR (in particular Articles 12 and 15), the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100), and the UK GDPR / Data Protection Act 2018, as of the date of publication.
You have received a request from someone asking for their personal data. Maybe it came from a customer, an employee, or a former client. Maybe they used the term "DSAR" or maybe they just said "I want to see what data you have on me."
Either way, you have a legal obligation to respond — and a deadline that started ticking the moment the request arrived.
This guide walks you through the entire process, from the moment a request lands in your inbox to sending your final response. No theory, no preamble. Just the practical steps.
If you are not sure what a DSAR is or whether it applies to you, start with our plain-English DSAR guide. If you need to know your exact deadline, see DSAR response deadlines. This article assumes you know what you are dealing with and need to know what to do about it.
Step 1: Recognize the Request
This sounds obvious, but it is the step where most small businesses fail. A DSAR does not have to be labeled as a DSAR. The person does not need to cite any specific law. They do not need to use your form.
Any of these are valid DSARs:
- "Can you send me all the information you have about me?"
- "I want to exercise my right of access under GDPR."
- "What data do you hold on me?"
- "Please provide me with a copy of my personal data."
- "I'd like to see my file."
If the core of the message is "tell me what data you have about me" or "give me my data," it is a DSAR. Treat it as one.
What to Train Your Team On
Every person in your organization who might receive a request — front desk, customer service, HR, the general email inbox — needs to know two things:
- How to recognize a DSAR (it is any request for personal data, regardless of format or wording)
- Who to escalate it to immediately
That is it. They do not need to know the full process. They just need to know enough to not let the request sit in an inbox for three weeks before anyone notices. For more on this, see our DSAR training guide.
Step 2: Log the Request and Start the Clock
The moment you receive a DSAR, record it. Your log should capture:
- Date received — this is when your deadline starts
- How it was received — email, letter, phone call, in person, etc.
- Who made the request — name and contact details
- What they asked for — all data, specific data, a particular time period, etc.
- Your deadline — calculate this immediately based on the applicable law
Under GDPR and UK data protection law, you have 30 calendar days (GDPR Article 12(3)). Under CCPA, you have 45 calendar days (Cal. Civ. Code § 1798.130(a)(2)). Mark the deadline in your calendar and set a reminder for a week before.
Use a Tracking System
This does not need to be fancy. A spreadsheet works fine for a small business. The columns you need:
| Date Received | Requester Name | Request Method | Identity Verified? | Deadline | Status | Date Responded |
|---|---|---|---|---|---|---|
The point is to have a single place where you can see every DSAR you have received, where it stands, and whether you are about to miss a deadline. When you are juggling the request alongside everything else you do, this tracking is what keeps you from dropping the ball.
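The spreadsheet above, expressed as a small Python tracker, is an added example and not part of the original article or any product it links to. It applies the response windows the article states (30 calendar days under GDPR and UK data protection law, 45 under CCPA), the "reminder a week before" rule, and the extension rules the article gives later under "What If You Cannot Respond in Time?" (GDPR up to three months in total, CCPA 90 days total, both only if the requester was notified before the original deadline). The three-business-day verification window is the upper end of the article's "2-3 business days"; weekends are skipped but public holidays are not modelled. The `DsarRecord` fields and all sample names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Response windows as this article states them: 30 calendar days under GDPR /
# UK GDPR, 45 under CCPA. Extensions (also from the article): GDPR up to three
# months in total from receipt, CCPA one further 45-day period (90 days total).
BASE_DAYS = {"GDPR": 30, "CCPA": 45}
REMINDER_DAYS_BEFORE = 7                   # "set a reminder for a week before"
VERIFICATION_REQUEST_BUSINESS_DAYS = 3     # upper end of the article's "2-3 business days"


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    first_of_following = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_following - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def add_business_days(d: date, n: int) -> date:
    """Skip Saturdays and Sundays only; public holidays are not modelled (assumption)."""
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


@dataclass
class DsarRecord:
    """One row of the tracking spreadsheet (constructed fields, not a real system's schema)."""
    requester: str
    received: date
    regime: str                                  # "GDPR" or "CCPA"
    method: str = "email"
    identity_verified: bool = False
    verification_requested_on: Optional[date] = None
    extension_notified_on: Optional[date] = None
    responded_on: Optional[date] = None

    def base_deadline(self) -> date:
        return self.received + timedelta(days=BASE_DAYS[self.regime])

    def extended_deadline(self) -> date:
        if self.regime == "GDPR":
            return add_months(self.received, 3)
        return self.received + timedelta(days=90)

    def deadline(self) -> date:
        # An extension only counts if the requester was told before the original deadline.
        notified = self.extension_notified_on
        if notified is not None and notified <= self.base_deadline():
            return self.extended_deadline()
        return self.base_deadline()

    def reminder_date(self) -> date:
        return self.deadline() - timedelta(days=REMINDER_DAYS_BEFORE)

    def verification_request_due(self) -> date:
        return add_business_days(self.received, VERIFICATION_REQUEST_BUSINESS_DAYS)

    def status(self, today: date) -> str:
        if self.responded_on is not None:
            return "responded late" if self.responded_on > self.deadline() else "responded"
        if today > self.deadline():
            return "OVERDUE"
        if (not self.identity_verified and self.verification_requested_on is None
                and today > self.verification_request_due()):
            return "verification not yet requested"
        if today >= self.reminder_date():
            return "due soon"
        return "in progress"


def tracker_report(records, today: date):
    """Return the spreadsheet view: one dict per request, mirroring the article's columns."""
    return [
        {
            "Date Received": r.received.isoformat(),
            "Requester Name": r.requester,
            "Request Method": r.method,
            "Identity Verified?": "yes" if r.identity_verified else "no",
            "Deadline": r.deadline().isoformat(),
            "Status": r.status(today),
            "Date Responded": r.responded_on.isoformat() if r.responded_on else "",
        }
        for r in records
    ]


# Constructed sample log; names and dates are invented for illustration.
SAMPLE_RECORDS = [
    DsarRecord("A. Example", date(2026, 1, 5), "GDPR", identity_verified=True),
    DsarRecord("B. Example", date(2026, 1, 5), "CCPA", method="web form",
               verification_requested_on=date(2026, 1, 6)),
    DsarRecord("C. Example", date(2025, 12, 15), "GDPR", identity_verified=True,
               extension_notified_on=date(2026, 1, 10)),
    DsarRecord("D. Example", date(2025, 12, 20), "GDPR", method="letter", identity_verified=True),
    DsarRecord("E. Example", date(2025, 11, 1), "CCPA", identity_verified=True,
               responded_on=date(2025, 12, 10)),
]

if __name__ == "__main__":
    for row in tracker_report(SAMPLE_RECORDS, today=date(2026, 1, 30)):
        print(" | ".join(f"{k}: {v}" for k, v in row.items()))
```

Run it with `today` set to the current date to get the "single place where you can see every DSAR" view the text describes; the `status` column is what flags a request that is approaching its deadline, one where identity verification was never requested, or one that has already slipped.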
Step 3: Acknowledge the Request
Send a brief acknowledgment to the requester confirming that you have received their request and are processing it. This is not legally required in all cases, but it is good practice for several reasons:
- It shows you are taking the request seriously
- It gives you an opportunity to ask for identity verification or clarification
- It sets expectations on timeline
- It creates a paper trail
A simple acknowledgment looks like this:
Thank you for your request dated [date]. We confirm that we have received your request for access to your personal data and are processing it in accordance with applicable data protection law. We aim to respond within [30/45] days. If we need any further information from you to locate your data or verify your identity, we will be in touch shortly.
Keep it short. Keep it professional. Move on to the next step.
Step 4: Verify the Requester's Identity
Before you hand over anyone's personal data, you need to be reasonably confident that the person asking for it is who they say they are. Releasing data to the wrong person is a data breach — which is significantly worse than a late response.
How much verification you need depends on the context:
Low-Risk Scenarios (Light Verification)
- A customer emails you from the email address on their account — the email address itself is sufficient verification
- An employee submits a request through your internal HR system — their authenticated login is sufficient
- A person submits through your website while logged into their account
Medium-Risk Scenarios (Moderate Verification)
- Someone emails from an address you do not recognize claiming to be a customer — ask them to confirm details you hold (account number, date of birth, address on file)
- A former employee contacts you — verify against the details in their personnel record
High-Risk Scenarios (Stronger Verification)
- A third party claims to be acting on behalf of the data subject — request written authorization and verify the data subject's identity separately
- The data involved is sensitive (health data, financial data) — you may need a copy of photo ID
- You have no prior relationship with the requester
The principle is proportionality: the more sensitive the data, the more verification you should require. But do not use verification as a barrier. Asking a long-standing customer who emailed from their registered address to provide their passport is disproportionate and will look like you are trying to discourage the request.
For a complete guide to getting this right, see our DSAR identity verification guide.
Does Verification Pause the Clock?
Under GDPR, the ICO's position is that if you promptly request verification, the response period can practically be treated as starting from when you receive the verified identity. But this is not a formal pause — you need to request verification quickly, not sit on the request for two weeks and then ask for ID.
Under CCPA, you have specific verification requirements depending on the type of data being requested, and the clock starts when you receive the initial request regardless.
The safe approach: request verification within 2-3 business days of receiving the request, and do not rely on the verification period to extend your effective deadline by more than a few days.
Step 5: Search for the Data
This is typically the most time-consuming step, and it is where having a data inventory pays for itself many times over.
Where to Search
You need to search everywhere you might hold personal data about the requester. For most small businesses, that includes:
Digital Systems:
- CRM (customer relationship management software)
- Email — search for the person's name and email address across all mailboxes that might contain relevant correspondence
- Accounting and invoicing software
- HR and payroll systems (for employee requests)
- Cloud storage (Google Drive, Dropbox, OneDrive, SharePoint)
- Project management tools (Asana, Trello, Monday, etc.)
- Customer support/helpdesk systems
- Marketing platforms (Mailchimp, HubSpot, etc.)
- Website analytics (if you can identify individuals)
- Access logs and security systems
- Backup systems (if reasonably accessible)
Physical Records:
- Paper files and filing cabinets
- Printed correspondence
- Physical HR records
Third Parties:
- Data processors acting on your behalf (they hold your data, but you are the controller)
- External service providers who may hold data you have shared
How Thorough Does the Search Need to Be?
The standard is "reasonable and proportionate." You need to make a genuine effort to find all the data, but you are not expected to perform a forensic investigation of every system you have ever used.
Practically speaking:
- Search all systems where the person's data is likely to exist
- Use the identifiers you have (name, email, customer ID) to search across systems
- Check both active and archived data
- Do not forget about data in unstructured formats (emails, documents, notes)
Document your search — note which systems you searched, what terms you used, and what you found. If the requester later challenges your response, you want to show that your search was thorough.
What If You Hold a Huge Amount of Data?
If the search returns a massive volume of data, you can ask the requester if they want to narrow their request. Many people are looking for something specific and will be happy to tell you what. But if they want everything, you must provide everything.
For genuinely complex requests — hundreds of emails, data across dozens of systems, multiple years of records — this is where the deadline extension comes in. If you need more time, tell the requester within the original deadline period and explain why.
Step 6: Review and Redact
Before you send anything, you need to review the data for two things:
Third-Party Data
The personal data you hold about one person will often contain information about other identifiable individuals. Emails between the requester and other customers. Records that mention other employees. Notes that reference third parties.
You must not disclose personal data about other individuals unless:
- The other person has consented to the disclosure, or
- It is reasonable to disclose without their consent
In most cases, you will need to redact (remove or black out) third-party information. This includes:
- Names of other individuals (unless it is reasonable to include them, such as the name of the employee who handled the requester's case)
- Contact details of other people
- Any personal data about other individuals that is not also the requester's data
Exemptions
Check whether any exemptions apply to the data you have found. Common exemptions include:
- Legal professional privilege — communications with your lawyer about legal advice
- Management forecasting — information about your business plans where disclosure would prejudice those plans
- Confidential references — references you have given (not received) about the person
- Ongoing regulatory investigations — where disclosure might prejudice the investigation
Exemptions are narrow and specific. They do not give you blanket permission to withhold data you would rather not disclose. For the full rundown, see our guide on DSAR exemptions.
Document Your Decisions
For every piece of data you redact or withhold, note why. If you apply an exemption, record which exemption and how it applies. This protects you if the requester challenges your response or complains to a regulator.
Step 7: Compile the Response
Your response needs to include two things:
1. The Personal Data
Provide the data in a commonly used, machine-readable format if the request was made electronically (GDPR Article 12(1)). In practice, this usually means a PDF or a structured document, not a raw database export. If the data comes from multiple systems, organize it logically — group it by system or by category.
2. Supplementary Information
Under GDPR (GDPR Article 15(1)), you must also provide:
- The purposes of your processing
- The categories of personal data you hold
- The recipients (or categories of recipients) you have shared the data with
- Your retention periods or the criteria for determining them
- The individual's rights (rectification, erasure, restriction, objection)
- Their right to complain to a supervisory authority
- The source of the data (if not collected from the individual directly)
- Information about any automated decision-making or profiling
Much of this is boilerplate that you can include in a standard cover letter. You do not need to write it from scratch for each request.
For a detailed guide on structuring your response and what to include in each section, see our DSAR response templates guide.
Formatting Tips
- Use a clear cover letter that explains what you are providing and references the supplementary information
- Organize the data logically (by system, by category, or chronologically)
- Use tables where appropriate — they are easier to read than walls of text
- Label redacted sections clearly (e.g., "[Third-party personal data removed]")
- If the volume is large, include a table of contents or index
Step 8: Send the Response Securely
You are sending personal data, so you need to do it securely. How you send it depends on the channel:
Email
- Use password-protected attachments and send the password separately (by text or phone)
- Or use an encrypted email service
- Do not send unencrypted personal data as an email attachment
Postal Mail
- Use recorded or tracked delivery
- Mark the envelope for the attention of the requester only
Secure Portal
- If you have one, a secure download portal is the cleanest option
- Send the requester a link with time-limited access
In Person
- If the requester wants to collect the data in person, verify their identity when they arrive
Whatever method you use, confirm delivery and keep a record of when and how you sent the response.
After You Send the Response
Your obligations do not end when you hit send.
Keep Records
Maintain a record of:
- The original request
- Your acknowledgment
- Any identity verification steps
- Your search (which systems, what terms)
- Any redactions or exemptions applied (and why)
- The response you sent
- The date you sent it
- Proof of delivery
Keep these records for at least as long as the limitation period for any potential claim — typically six years in England and Wales, though this varies by jurisdiction.
Be Prepared for Follow-Up
The requester may come back with questions:
- "Why is [specific data] not included?"
- "I know you have [specific data] — where is it?"
- "Can you explain what [data field] means?"
Respond to these promptly and honestly. If you missed something, provide it. If you applied an exemption, explain which one and why (to the extent you can without undermining the exemption itself).
Learn From the Experience
After each DSAR, ask yourself:
- Did we respond on time?
- Was any step harder than it should have been?
- Did we know where to find all the data, or were there gaps?
- Could we improve our process for next time?
Use each DSAR as an opportunity to tighten your process. The second one is always easier than the first.
Quick Reference: The DSAR Response Timeline
Here is the full process condensed into a timeline:
Day 1 (Request Received):
- Log the request
- Start the deadline clock
- Send acknowledgment
- Request identity verification if needed
Days 2-5:
- Verify identity
- Begin searching for data
Days 5-20:
- Complete data search across all systems
- Review and redact third-party data
- Check for applicable exemptions
- Compile response
Days 20-25:
- Final review of response
- Quality check — is everything included? Is third-party data properly redacted?
Days 25-30 (or 45 for CCPA):
- Send the response securely
- Record the completion date
This timeline gives you buffer room. Do not plan to send on day 30 — things go wrong, people get sick, systems go down. Aim to have the response ready at least five days before the deadline.
What If You Cannot Respond in Time?
If you realize you are going to miss the deadline, you have options — but you need to act before the deadline passes, not after.
Under GDPR and UK law, you can extend by up to two months (to a total of three months) if the request is complex or you have received multiple requests from the same person (GDPR Article 12(3)). You must:
- Notify the requester within the original one-month deadline
- Explain why you need the extension
Under CCPA, you can extend by one additional 45-day period (90 days total), and you must notify the requester within the original 45 days (Cal. Civ. Code § 1798.130).
What you should never do: simply go silent. Missing a deadline without communication is how routine DSARs become regulatory complaints. For a full look at what happens when things go wrong, see what happens if you ignore a DSAR.
References
- General Data Protection Regulation (GDPR): Full text, including Article 12 (Transparent communication and response timelines) and Article 15 (Right of access). GDPR full text | Article 12 | Article 15
- California Consumer Privacy Act (CCPA): Cal. Civ. Code §§ 1798.100–1798.199.100. Full text on the California Legislative Information site
- UK GDPR / Data Protection Act 2018: ICO guidance on the right of access. ICO right of access guidance
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Get Your Templates Ready
Do not wait until you receive a DSAR to figure out how to respond. Download our DSAR Response Templates to get pre-built acknowledgment letters, response cover letters, and data disclosure formats that you can customize for your business.