How to Respond to a DSAR Request in 7 Simple Steps

DSARs have a habit of arriving at exactly the wrong moment. There’s never a convenient time to drop everything, track down personal data across systems, and make sure you’re responding correctly - and on time.

For some businesses, this might be the first DSAR they’ve ever received. For others, it’s a familiar request that still feels harder than it should. Either way, the challenge is not always the request itself, but the lack of a clear, reliable process to handle it.

In this guide, we’ll take you through everything you need to know to respond to a DSAR confidently, efficiently, and in line with GDPR requirements.

 


Short on time? Here’s a quick summary

  1. Recognise the request
    DSARs don’t need to mention GDPR or follow a set format; they can come through any channel and still count.

  2. Acknowledge and track timelines
    Log the request, assign ownership, and get clear on deadlines from the outset to avoid unnecessary pressure later.

  3. Verify the requester’s identity
    Make sure you’re dealing with the right person, using proportionate checks based on the context and sensitivity of the data.

  4. Clarify the scope if needed
    Where a request is broad or unclear, reasonable clarification helps you respond accurately and proportionately.

  5. Locate and collect the data
    Identify which systems, tools, and vendors are relevant, and carry out a targeted, documented search.

  6. Review and prepare the response
    Remove duplicates, redact third-party data, consider any applicable exemptions, and present information clearly.

  7. Respond and document the outcome
    Share the response securely, explain what’s been provided, and keep a clear audit trail of how the DSAR was handled.


 

What is a DSAR (and why it matters)?

A Data Subject Access Request (DSAR) is a request from an individual asking to access the personal data an organisation holds about them. You’ll also hear this called a subject access request (SAR) or “right of access”.

Under the GDPR, individuals have the right to understand:

  1. Whether their personal data is being processed
  2. What personal data is held about them
  3. Why it’s being processed
  4. Who it’s shared with
  5. How long it’s kept

Responding to a DSAR isn’t just about pulling together a bundle of data. It requires you to understand where personal data lives, how it flows through your systems, who’s responsible for it, and how decisions are made. When any of those things aren’t clear, DSARs tend to surface the gaps very quickly.

It’s not just about whether you respond on time; it’s about whether your response shows that personal data is being managed in a structured, accountable way.


 

Step One: How to recognise when a DSAR comes in

A DSAR doesn’t need to mention GDPR or the term “subject access request”, or use any specific legal language. It doesn’t have to be submitted through a formal request form, or sent to a particular person. In practice, many DSARs look like simple, informal questions - for example, asking what information you hold about someone, or requesting a copy of their data.

Requests can also come through almost any channel, including email, customer support, HR, social media or even verbally.

This is why it’s important to have a shared internal understanding of what counts as a DSAR, and a clear route for escalating and handling requests once they’re received. Without that training and clarity, delays can creep in before the process has even started.

Having a central system to log DSARs as they come in can help ensure requests aren’t missed, regardless of which channel they arrive through.


Step Two: Where to start when responding to a DSAR request

Once a DSAR has been recognised, the first priority is to acknowledge it and get clear on timelines.

Under GDPR, organisations typically have one month to respond to a DSAR. In some cases, this can be extended - but extensions are limited, need a clear justification, and must be communicated to the individual. You can learn more about the time limits on the ICO website.

Acknowledging the request early helps set expectations and gives you space to manage the process properly. It also creates a clear record of when the request was received and how it’s being handled.

DSAR issues most often arise because requests aren’t logged properly, ownership isn’t clear, or the deadline isn’t tracked from the outset. Getting these basics right early on removes a lot of unnecessary pressure later.

Having a central system to capture DSARs from the moment they’re received, with clear ownership, tracked deadlines, and a single place to manage progress, makes it far easier to stay on top of requests and respond consistently - something Trust Keith is built to support.


 

Step Three: How to verify the DSAR requester’s identity

Before responding to a DSAR, you need to be comfortable that the request is coming from the right person.

In many cases, this is straightforward. If the request comes from a known contact point, you may already have enough information to proceed.

Where that isn’t the case, or where the data involved is more sensitive, it’s reasonable to carry out additional checks. This might include:

  • asking the individual to confirm information you already hold (such as a previous address or customer reference number)
  • replying via an existing, verified contact channel rather than a new one
  • requesting limited supporting information, where necessary, rather than full identity documents

 

Step Four: How to locate and collect the data for a DSAR

Once the scope is clear, the next step is identifying where the relevant personal data actually sits.

In most organisations, personal data isn’t held in one place. Depending on the request, this may include both structured data (such as records held in systems) and unstructured data (such as emails, documents, or notes).

This is often where DSARs start to feel difficult, particularly if it’s unclear which systems are in use, who owns them, or how data can be accessed. It’s okay at this stage to pause and ask for more information or clarity if something isn’t clear. Doing so can help ensure your search is focused and proportionate.

Be deliberate about what you search and why. Use the scope of the request to guide which systems and data sources are relevant, involve the right owners early, and keep a clear record of where searches were carried out.

This step is far easier when you already have visibility into the systems and vendors where personal data is held, rather than relying on manual chasing each time a request comes in.

If questions come up as you’re working through this, about DSARs or anything else data protection-related, we run free monthly Office Hours where you can ask one of our experts directly.


Step Five: Reviewing and preparing the data

Before responding to a DSAR, the data you’ve collected needs to be reviewed carefully. You need to check that what you’re sharing is accurate, relevant, and appropriate to disclose.

In practice, this usually involves removing duplicate records, redacting third-party personal data, and ensuring that information is presented in a clear and understandable way.

It’s also the point at which any applicable exemptions should be considered. Exemptions do exist, but they’re specific and should be applied cautiously and consistently. Where data is withheld or redacted, it’s important to be clear on the reasoning and to record those decisions.


 

Step Six: How to respond to the DSAR requester

Once the data has been reviewed and prepared, the next step is to respond to the DSAR.

The response should be provided in a clear, accessible format, and delivered securely. Alongside the data itself, it’s good practice to explain what’s being shared, and to be transparent where any information has been withheld or redacted.

Where a DSAR has been clarified or narrowed during the process, it’s also helpful to reflect that in the response, so it’s clear how the request was interpreted and handled.

For many teams, writing the response can feel like the hardest part. It’s easy to overthink the wording, especially when some data is withheld or a request can’t be fulfilled in full.

We’ve put together a set of free DSAR response templates you can use as a starting point, covering common scenarios like full, partial, and refused responses.


Step Seven: Documenting the process and closing out the DSAR

Once the response has been sent, it’s important to record how the DSAR was handled.

This includes noting when the request was received, how identity was verified, how the scope was interpreted, which systems were searched, and when the response was issued. Keeping this information in one place creates a clear audit trail if the response is ever questioned.

With solutions like Trust Keith, this documentation is captured automatically as part of the DSAR workflow - creating a single, audit-ready record without the need for separate spreadsheets, inbox searches, or manual summaries.


 

The Easiest Way to Handle DSAR Requests

As this process shows, responding to a DSAR isn’t a single task. It’s a sequence of decisions, checks, searches, and documentation across multiple teams and systems.

When DSARs are handled ad hoc - via inboxes, spreadsheets, shared folders, or individual knowledge - things start to break down. Requests get missed. Deadlines are harder to track. Evidence ends up scattered across tools. And each new DSAR feels like starting from scratch.

This is where having a dedicated system makes a difference.

At Trust Keith, our intelligent platform includes a built-in DSAR workflow that brings each step of this process into one place - from intake and identity checks, through to data collection, review, response, and audit-ready documentation.

Alongside the platform, you get a dedicated DPO embedded into your team - someone who knows your business, supports you through DSARs, and can take privacy off your plate - for good.

Want to find out a bit more? Have a chat with one of our privacy experts.
