What Is a DSAR? The Plain-English Guide for Small Businesses
Learn what a DSAR is, what it means for your business, who needs to comply, and what deadlines apply under GDPR, CCPA, and PIPEDA.
Last updated: 2026-02-07
What Does DSAR Stand For?
DSAR stands for Data Subject Access Request. It is a formal request from an individual — a customer, employee, website visitor, or anyone else whose personal data you hold — asking you to tell them what data you have about them and, in most cases, to hand over a copy of it.
That is the whole idea. Someone says, "What do you know about me?" and the law says you have to answer.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the GDPR (in particular Article 15), the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100), and the UK GDPR / Data Protection Act 2018, as of the date of publication.
If you run a business that collects personal data (and you almost certainly do — email addresses count), DSARs are something you need to understand. Not because they are complicated, but because ignoring them is expensive and entirely avoidable.
This guide covers what DSARs are, which laws create them, what data is in scope, and what deadlines you are working with. No legal jargon, no hand-wringing. Just the practical stuff.
The Simple Definition
A DSAR is a legal right that lets people ask any organization — businesses, charities, government agencies — to confirm whether they hold personal data about them and, if so, to provide a copy of that data along with certain supplementary information (like why you collected it and who you shared it with).
Think of it as a transparency mechanism. Privacy laws around the world give individuals the right to know what is happening with their information. The DSAR is the tool they use to exercise that right.
You might also see this called a Subject Access Request (SAR), particularly in the UK. Same thing, different name. If you want the full rundown on that terminology, see our guide on what a subject access request is.
Who Can Make a DSAR?
Anyone whose personal data you process. In privacy law, these people are called data subjects — hence "Data Subject Access Request."
In practical terms, that means:
- Customers and clients — past and present
- Employees — yes, your own staff can DSAR you (this is more common than you think — see our guide on employee DSARs)
- Job applicants — even people you did not hire
- Website visitors — if you collect cookies, IP addresses, or form submissions
- Contractors and freelancers — anyone you hold data about
- Third parties acting on someone's behalf — solicitors, parents of minors, or anyone with proper authorization
The key point: the person does not need to be a current customer or have an ongoing relationship with you. If you have their data, they can ask for it.
Can Anyone Make a Request, or Just People in Certain Countries?
This depends on which law applies, and which law applies usually depends on where the individual is located or where your business operates — sometimes both.
The short version:
- If you have customers in the EU, GDPR applies to those individuals.
- If you have customers in the UK, the UK GDPR and the Data Protection Act 2018 apply.
- If you do business in California, the CCPA/CPRA applies to California residents.
- If you operate in Canada, PIPEDA (or equivalent provincial legislation) applies.
- Many other countries and US states have their own versions — Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and more.
You do not need to memorize every regulation. What matters is this: if you collect personal data from people, there is almost certainly a law somewhere that gives them the right to ask for it. Plan accordingly.
Which Laws Create DSAR Rights?
Let's look at the major ones that affect small businesses.
GDPR (EU)
The General Data Protection Regulation is the big one. It applies to any business that processes personal data of people in the European Union, regardless of where the business is based. Article 15 of the GDPR gives individuals the right of access.
Under GDPR, when someone submits a DSAR, you must provide:
- Confirmation that you process their personal data
- A copy of the personal data itself
- The purposes of the processing
- The categories of data you hold
- Who you have shared the data with (or categories of recipients)
- How long you plan to keep the data (or the criteria for deciding)
- Information about their other rights (erasure, rectification, etc.)
- The source of the data, if you did not collect it directly from them
- Whether you use automated decision-making or profiling
Deadline: 30 calendar days from receiving the request (GDPR Article 12(3)), extendable by up to 60 additional days for complex requests (90 days total).
CCPA / CPRA (California)
The California Consumer Privacy Act, as amended by the California Privacy Rights Act, applies to businesses that meet certain thresholds and process data of California residents. It gives consumers the right to know what personal information a business has collected about them (Cal. Civ. Code § 1798.100).
Under CCPA, when someone submits a request to know, you must disclose:
- The categories of personal information collected
- The specific pieces of personal information collected
- The categories of sources
- The business or commercial purpose for collecting
- The categories of third parties the data was shared with
Deadline: 45 calendar days from receiving the request (Cal. Civ. Code § 1798.130(a)(2)), extendable by an additional 45 days (90 days total).
UK Data Protection Act 2018 / UK GDPR
Essentially the same framework as EU GDPR, retained in UK law after Brexit. The requirements and timelines are virtually identical (UK GDPR Article 15).
Deadline: 30 calendar days (UK GDPR Article 12(3)), extendable to 90 for complex requests.
PIPEDA (Canada)
The Personal Information Protection and Electronic Documents Act gives individuals the right to access their personal information held by organizations. It is less prescriptive than GDPR about what supplementary information you must provide, but the core right is the same.
Deadline: 30 days. Extensions are possible but less clearly defined than under GDPR.
For a detailed comparison of all these deadlines, including when the clock starts and what happens when you miss them, see our full guide on DSAR response deadlines.
What Data Is Covered by a DSAR?
This is where small businesses often underestimate the scope. "Personal data" is not just a name and email address. It is any information that relates to an identifiable individual.
Here is a non-exhaustive list of what might be in scope:
Customer Data
- Names, email addresses, phone numbers, physical addresses
- Purchase history and transaction records
- Customer service correspondence (emails, chat logs, call notes)
- Account settings and preferences
- Website activity and browsing history (if linked to an individual)
- Cookie data and tracking identifiers
- Marketing preferences and consent records
- Loyalty program data
- Reviews and feedback
Employee Data
- Employment contracts and offer letters
- Payroll records and bank details
- Performance reviews and appraisals
- Disciplinary records
- Emails sent and received (where the person is identifiable)
- CCTV footage (if identifiable)
- Training records
- Attendance and leave records
- Internal notes and manager comments about the individual
Operational Data
- CRM records and notes
- Invoices and billing records
- IP addresses and access logs
- Data shared with third parties (and records of that sharing)
- Consent records
The principle is simple: if it is about the person and they are identifiable from it, it is in scope. This includes data in emails, spreadsheets, databases, cloud services, paper files, backups, and anywhere else you store information.
What About Data You Did Not Collect Directly?
Yes, that counts too. If you bought a mailing list, received data from a partner, or got information from a public source and stored it, that data is in scope for a DSAR. The individual has the right to know where you got it from, which is one of the supplementary details GDPR requires you to provide.
What a DSAR Looks Like in Practice
There is no required format for a DSAR. The person does not have to use the word "DSAR" or cite any specific law. They do not have to fill in a form or use a template.
A DSAR can arrive as:
- An email saying "I want to know what data you have about me"
- A letter in the post
- A verbal request (yes, really — though asking them to put it in writing is reasonable)
- A message through your website contact form
- A request through social media
- A formal letter from a solicitor
The important thing is recognizing it when it arrives. If someone is asking about their personal data, treat it as a DSAR. Do not get hung up on formalities — the law does not.
This is one of the main reasons DSAR training for your team matters. The person answering your general inbox needs to know that "Can you tell me what information you hold about me?" is not a casual question — it is a legal request with a deadline.
Common Misconceptions About DSARs
"We're too small to worry about DSARs"
Size does not matter for most privacy laws. GDPR applies to any organization processing personal data of EU residents, regardless of size. CCPA has revenue and data volume thresholds, but many small businesses meet them. Even if you fall below CCPA thresholds, other state laws may apply. And employee DSARs can hit any business with even one employee.
"We only need to check our database"
Wrong. You need to search everywhere you hold personal data. That includes email inboxes, shared drives, cloud storage, paper files, third-party services (your CRM, your email marketing tool, your accounting software), backups, and anywhere else data might live. The search needs to be reasonable and proportionate, but "we only checked one system" is not going to fly.
"We can just ignore it if it seems unreasonable"
You can refuse requests that are "manifestly unfounded or excessive" under GDPR, but the bar for this is high, and you still need to respond explaining why you are refusing. Ignoring a DSAR entirely is one of the worst things you can do. See what happens if you ignore a DSAR for the grim details.
"The person has to prove why they want the data"
No. They do not need to give you a reason. The right of access is unconditional (with narrow exceptions). You cannot ask "Why do you want this?" as a condition for responding.
"We can charge a fee"
Under GDPR, the first copy must be free (GDPR Article 15(3)). You can charge a "reasonable fee" for additional copies or if the request is manifestly unfounded or excessive. Under CCPA, you cannot charge a fee at all. In practice, most DSARs should be handled at no charge to the requester.
What You Need to Do When You Receive a DSAR
Here is the high-level process. For the full step-by-step walkthrough, see our detailed guide on how to respond to a DSAR.
- Recognize the request — Train your team to spot DSARs even when the person does not use that term.
- Log it and start the clock — Record when you received it. Your deadline starts now.
- Verify the person's identity — You need to be confident you are giving data to the right person. See our identity verification guide for how to do this properly.
- Search for the data — Check all your systems, not just the obvious ones.
- Review and redact — Remove information about other identifiable individuals (third-party data) and check for any applicable exemptions.
- Compile your response — Put together the data and the required supplementary information.
- Send the response — Securely, within the deadline, in a commonly used electronic format.
How to Prepare Before You Get Your First DSAR
The worst time to figure out your DSAR process is when a request lands in your inbox. Here is what to do now:
Know Where Your Data Lives
Create a simple record of what personal data you collect, where it is stored, and who has access. This does not need to be a 50-page document. A spreadsheet listing your systems (CRM, email, accounting, HR software, etc.) and what personal data each one holds will get you most of the way there.
Set Up a Process
Decide who is responsible for handling DSARs. In a small business, this might be the owner or office manager. Document the basic steps so anyone can follow them. Even a one-page checklist is better than nothing.
Train Your Team
Everyone who might receive a DSAR — which includes anyone who reads customer emails or answers the phone — needs to know what one looks like and what to do with it. Our guide on DSAR training covers exactly what to teach them.
Have Templates Ready
You do not need to draft a response from scratch every time. Having a DSAR response template ready saves time and ensures you do not miss required information.
DSARs Are Not Going Away
The trend in privacy law is more rights, not fewer. New US state laws are passing every year. The EU continues to strengthen enforcement. The UK's ICO is increasingly active. And as public awareness of data rights grows, more people are exercising them.
For a small business, the smart move is to get a basic process in place now, before you are scrambling to respond to a request with a ticking deadline. It does not have to be complicated. It just has to exist.
References
- General Data Protection Regulation (GDPR): full text, including Article 15 (Right of access by the data subject).
- California Consumer Privacy Act (CCPA): Cal. Civ. Code §§ 1798.100–1798.199.100, full text on the California Legislative Information site.
- CCPA Regulations: Title 11, Division 6, California Code of Regulations; final CCPA regulations published by the California Office of the Attorney General.
- UK GDPR / Data Protection Act 2018: ICO guidance on the right of access.
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Get Started With Your DSAR Process
If you want a practical, step-by-step framework for handling DSARs in your business, download our DSAR Compliance Guide. It covers everything in this article and more, including checklists, timelines, and decision trees — all written for small businesses, not privacy lawyers.