
How to Handle a Data Subject Access Request (DSAR)

guide 8 min read Updated 2026-03-23


A Data Subject Access Request (DSAR) is a formal written request from someone asking you to hand over all the personal data you hold about them. You have 30 days to respond. Most SMEs have no process for this. When a DSAR arrives, it creates panic — a scramble to find the person’s data across multiple systems and deliver it on time.

You don’t need expensive tools or complex workflows. You need a documented process. This guide shows you how to build one in an afternoon.

Why This Matters

A DSAR is a legal right under UK GDPR (Article 15). People can use it to understand what data you hold, why you hold it, and who you’ve shared it with. It’s a transparency mechanism. It happens less often than you might think, but when it does, you need to respond within 30 days or face ICO enforcement.

The penalty for failing to respond to a DSAR is significant. If you ignore or seriously mishandle a DSAR, the person can file a complaint with the ICO. The ICO can issue an enforcement notice requiring you to respond. Non-compliance with an enforcement notice can trigger fines.

More practically: responding to a DSAR forces you to understand what data you actually hold. Most SMEs are surprised by how much they have about certain customers. A good DSAR process doubles as an audit of your own data.

What a DSAR Looks Like

A DSAR is usually a simple email or letter. It might be formal (“I hereby request all personal data held by your organisation”) or casual (“Can you send me everything you have about me?”). Either way, it’s a DSAR if the person is asking you to provide their personal data.

The person might contact you via email, a web form, postal mail, or even phone (though a written record is important). If someone says “Can you tell me what you know about me?”, that’s a DSAR. Respond to it accordingly.

They’ll usually need to provide:

  • Their name
  • Some information to help you locate their data (account number, email, customer reference)
  • Sometimes verification (proof of identity)

They don’t have to use the words “DSAR” or “Data Subject Access Request” for it to be one.

Step 1: Designate a Contact and Publish It

Who receives DSARs? This could be:

  • The founder/director
  • An office manager
  • A customer service representative
  • A general inbox (info@, hello@)

Once decided, document it and make it accessible. Include the contact in your privacy policy: “To request a copy of personal data we hold about you, contact [email address] with the subject line ‘Data Subject Access Request’.”

Having a published contact means DSARs come to a predictable place. You won’t miss one because it landed in the wrong inbox.

Step 2: Log Receipt

When a DSAR arrives, log it immediately. Create a simple spreadsheet or document:

Date Received   Name         Request From       Status        Response Date   Notes
2026-03-20      Jane Smith   [email address]    In progress   2026-04-19      Email DSAR

Record:

  • The date you received the request
  • The person’s name
  • Their contact details
  • The status (received, verifying identity, compiling data, responded)
  • Your target response date (30 days from receipt)
  • Any notes (unusual requests, complications, etc.)

This log is your safety net. If you miss a deadline, you’ve documented when you received the request. If they claim you never responded, you have a record. If you need to explain to the ICO what happened, this log shows you took the request seriously.
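The log above, kept as code rather than a spreadsheet, so the 30-day target date is computed rather than typed and overdue requests surface automatically. This is an added example, not part of the original guide; the entries, names and the "[email address]" placeholder are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

RESPONSE_WINDOW_DAYS = 30  # the guide's deadline: 30 days from receipt
# Status values from the guide, in workflow order.
STATUSES = ("received", "verifying identity", "compiling data", "responded")


@dataclass
class DsarEntry:
    received: date
    name: str
    contact: str
    status: str = "received"
    responded_on: Optional[date] = None
    notes: str = ""

    @property
    def due(self) -> date:
        return self.received + timedelta(days=RESPONSE_WINDOW_DAYS)

    def advance(self, new_status: str, on: Optional[date] = None) -> None:
        """Move forward through the workflow; moving backwards is rejected."""
        if STATUSES.index(new_status) <= STATUSES.index(self.status):
            raise ValueError(f"cannot move from {self.status!r} to {new_status!r}")
        self.status = new_status
        if new_status == "responded":
            self.responded_on = on or date.today()


def response_due(received_iso: str) -> str:
    """Target response date (ISO) for a request received on the given ISO date."""
    return (date.fromisoformat(received_iso) + timedelta(days=RESPONSE_WINDOW_DAYS)).isoformat()


def open_requests(log: List[DsarEntry], today_iso: str, warn_days: int = 7) -> dict:
    """Triage unanswered entries into overdue, due within warn_days, or on track."""
    today = date.fromisoformat(today_iso)
    buckets = {"overdue": [], "due_soon": [], "on_track": []}
    for e in log:
        if e.status == "responded":
            continue
        days_left = (e.due - today).days
        key = "overdue" if days_left < 0 else "due_soon" if days_left <= warn_days else "on_track"
        buckets[key].append(e.name)
    return buckets


# Constructed sample log (no real people or addresses).
SAMPLE_LOG = [
    DsarEntry(date(2026, 3, 20), "Jane Smith", "[email address]", notes="Email DSAR"),
    DsarEntry(date(2026, 2, 1), "A. Example", "[email address]", status="compiling data"),
    DsarEntry(date(2026, 1, 5), "B. Example", "[email address]", status="responded",
              responded_on=date(2026, 1, 28)),
]
```

Run `open_requests(SAMPLE_LOG, "2026-03-23")` to get the triage for the sample log; the entry received on 1 February is already overdue while Jane Smith's request is still on track.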

Step 3: Verify Identity

Before you hand over data, verify the person is who they claim to be. This is important — you don’t want to give Jane Smith’s data to someone pretending to be Jane Smith.

Verification approaches:

  • Ask for ID: Request a photocopy of a passport or driving licence (redact the parts you don’t need for verification, like the passport number).
  • Ask for proof of address: A recent utility bill or bank statement with the person’s name and address.
  • Use information you know about them: If it’s a customer, ask for their customer reference number or the date of their last purchase. “What was the date you first contacted us?” If they can answer correctly, you can reasonably treat them as verified.

This doesn’t need to be perfect — the standard is “reasonable steps to verify identity.” You’re protecting against obvious fraud, not solving a criminal investigation.

For low-risk requests (a newsletter subscriber asking for their email address), light verification is enough (ask them to confirm their email address). For high-value data (someone asking for their HR file or detailed transaction history), stricter verification is appropriate (ask for ID).

Step 4: Locate All Personal Data

This is the time-consuming step. You need to find all personal data you hold about this person. Check:

  • Email: Search your email system for messages from/about this person
  • CRM or contact management: If you use HubSpot, Salesforce, Pipedrive, or similar, search for their profile
  • Financial records: Payment receipts, invoices, refunds
  • Documents: Contracts, quotes, meeting notes, call records
  • Analytics: If they’re a customer, do you have records of their activity (purchase history, support tickets)?
  • Backup systems: Some data might be in old backups or archived systems
  • External services: If you’ve shared data with service providers (payment processor, email marketing platform, CRM), check with them too. They may hold data about this person and be required to disclose it to you for your response.

For each piece of data, note:

  • What it is
  • Where you found it
  • Why you hold it (legal basis, business reason)

This usually takes a few hours for a typical SME customer.

Step 5: Compile and Format

Gather all the data you’ve found and compile it in a portable, readable format. Options:

  • PDF document with all the information collated
  • Spreadsheet with structured data (one row per transaction, document, etc.)
  • Email with attachments
  • Word document

The person has the right to receive data in a commonly used format that allows them to easily transfer it (data portability). Avoid proprietary formats. Plain text, PDF, Excel/CSV, or Word are all fine.

Include context where it helps. If you have a transaction history, it’s clearer if formatted as a table with columns (date, amount, description) rather than a stream of text.

Step 6: Write a Brief Covering Letter

Include a short covering letter explaining:

  • What data you’re providing
  • When it was last updated
  • How to contact you if they have questions

Example:

Dear Jane,

Thank you for your Data Subject Access Request dated [date]. I’m providing all personal data we hold about you as of [date].

The data includes:

  • Your profile (name, email, address)
  • Purchase history (3 orders in [date range])
  • Support tickets (2 tickets)
  • Analytics data (visit records from [date range])

If you have questions about any of this data, or if you believe we’re holding additional information, please reply to this email.

Best regards, [Your name]

Step 7: Send and Log Response

Send the data and log the response date in your DSAR log. Keep a copy of what you sent — you may need to refer to it if the person has questions.

Once sent, mark the request as “responded” in your log. Move the log entry to a completed section if you maintain one.

Step 8: Handle Additional Requests

The person might follow up asking questions. Respond helpfully. They might ask you to correct inaccurate data (rectification right), delete data (erasure right), or explain why you hold something. These are separate rights, but they often come up in response to a DSAR.

If they ask you to correct or delete data, handle those requests separately and within their own deadlines (typically 30 days).

Common Complications

They ask for data you don’t easily have: If you partner with external services that hold data about them, you may need to request that data from the service provider. Contact the provider (Stripe, Mailchimp, Google Analytics, etc.) and ask them to provide data about this person. Most have a process for this. Gather their response and include it in your response to the DSAR. You still need to respond within 30 days, so do this immediately.

They ask for data that’s sensitive or third-party: Sometimes a DSAR includes data that’s very sensitive (health records, family relationships, detailed transaction history). You can disclose this — GDPR doesn’t exempt sensitive data from the access right. But you can redact information about third parties if disclosing it would violate their privacy (e.g., if your notes about their complaint mention another person, you might redact that other person’s name).

They ask for something you can reasonably interpret differently: “Send me everything” is a DSAR. “Send me everything about my competitors” is potentially frivolous (you don’t hold competitor data) — but if there’s any ambiguity, ask for clarification rather than assuming it’s frivolous.

How to Check It Worked

Once you’ve sent your response, revisit your DSAR log and verify:

  • Request received date is recorded
  • Verification steps are documented
  • Data location search was thorough
  • Response sent within 30 days
  • Response includes a covering letter
  • Copy of response is retained
  • Person confirmed receipt and had no additional questions (or asked follow-up questions that were handled)

If you’ve ticked all these, you’ve handled the DSAR defensibly.

What’s Next

Build your DSAR log now (a simple spreadsheet). Designate a contact and publish it in your privacy policy. Create a simple document that outlines these steps for your team.

Most SMEs receive a DSAR rarely (zero to two per year). But when one arrives, having a process means you respond calmly and within the deadline.

If you want to understand the broader context of data subject rights, the privacy policy requirements guide covers how to disclose these rights to your customers. If you need to handle other data subject rights (rectification, erasure, portability, objection), they follow similar processes — identify the data, verify the request, execute it, and log it.

A DSAR isn’t something to fear. It’s an opportunity to understand what data you hold and demonstrate transparency to your customers. Handle it calmly and on time, and you’ve satisfied both GDPR and the person’s legitimate right to know what you know about them.
