Data Subject Access Requests (DSARs) - How To Review Them


The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 as a way to modernize personal information protection laws. Even a year later, a recent Thomson Reuters survey found businesses worldwide are struggling to comply with the new legal framework.

Not only are consumers using data subject access requests (DSARs), but employees too are using them to obtain copies of their personal information from their current or previous place of employment. Lexology surveyed 90 UK-based companies and found that 71 of the surveyed companies had experienced an increase in the number of employee DSARs since 2018.

What is a DSAR?

Under the current privacy regulations such as the GDPR and CCPA, individuals can request that an organization disclose whatever information the organization has on them. Such requests are called Data Subject Access Requests (DSARs). Additionally, data subjects can request that their data be deleted and opt-out from future data collection. These requests can be made by or on behalf of an individual. The request does not have to be made in any particular form, and applicants do not necessarily have to include special terminology to get their requests processed. Since the GDPR does not mention anything on how to make a valid request, an individual can simply write an email saying, 'I want to see all the data you have on me.'

Handling DSAR emails can be time-consuming, tiring, and expensive, but failure to comply with DSARs can result in serious regulatory, financial, and reputational consequences. Given the quick turnaround time (data access requests must be fulfilled within one month of receipt), it is necessary to have a good process for handling DSARs. Here are tips for you to follow when reviewing DSAR emails, so you get everything done on time without missing deadlines.

Verify the Completeness of the Access Request

The number of fraudulent requests is precisely why you should be extra careful when ensuring the validity of a request. Check whether the applicant has enclosed all the details you need to locate the information requested. They must also supply sufficient data to verify their identity.

Normally, the applicant will fail to provide all the relevant information the first time around. The onus of writing to the individual and requesting further information falls on you. Remember, you have a deadline for providing this information, and you should be proactive if you want to meet that deadline.

Determine the Identity of the Subject

A recent study by an Oxford researcher found that the laws intended to protect people from having strangers retrieve their personal data have actually made it easier to access personal data and commit identity theft.

This is why businesses and companies should verify the identity of the data subject before revealing any private details. However, although you obviously should not provide copies of personal details to people who are not the applicant, you cannot adopt an obstructive stance either.

According to the GDPR, you can take 'reasonable measures' to validate the data subject's identity. Try determining their identity from their circumstances, like their signature or their address. For instance, if the requested data is a reference, use the application form to find out more about their identity: does the address or signature on the application form match what is provided in the access request?

If you need further verification of the identity of the data subject, you can resort to one of two common options:

  • Verification using past activities: Call or email the applicant and ask them two questions based on the data you have about them to confirm their identity, e.g. 'When did you create an account?', 'When did you last log in?', or personal details such as DOB.
  • Verification using ID proof: Respond to the request email, asking them for a photocopy of their driver's license or passport. Verifying ID might sound more reliable; however, malicious actors can easily create fake IDs digitally, so verifying the individual using their past activities might be a better approach.

Narrow the Scope of the Data Access Request

If the scope of the DSAR is unclear, request more details from the applicant about what they're looking for and where it is possibly located. Do this prior to starting the search. If the scope of the request is too extensive (for example, 'Give me all my personal details'), it is better to engage with the applicant to narrow the scope of the request and increase the focus of your search. Although a data controller is mandated by the GDPR to locate and retrieve all the requested details, the data subject might only be concerned about some specific area; hence, reducing the scope will help both data subjects and companies to save time and effort. Users need not wait longer and go through a vast set of data to find what they were looking for.

Screen the Data

Not all personal details are up for disclosure. Once you've gathered all the necessary information about the applicant, examine the data thoroughly to establish whether it can be disclosed, especially the personal data of some other users. You may have to redact specific portions of a document which are not allowed for disclosure.

Concluding remarks

Dealing with DSAR emails can severely cut into a company's time and resources. You might have to wade through hundreds of documents and emails to ensure you're not disclosing details that shouldn't be shared. However, by using the tips listed here, you can save your company time and money. Using oneDPO would significantly save you time and resources in resolving DSRs. Learn more at

Author: Rahul Sharma
