Steps Involved In A Data Subject Access Request (DSAR)

Discover the steps involved in a Data Subject Access Request (DSAR) with Protecto.
Written by
Protecto
Leading Data Privacy Platform for AI Agent Builders

What is DSAR?

With the advent of GDPR, the term DSAR was introduced. A Data Subject Access Request (DSAR) is a petition by a customer to an organization regarding personal data. DSARs give individuals the right to discover what kind of data an organization is holding about them and why the organization is holding that data, and allow them to request that the organization delete that data. The organization receiving this request is expected to complete it within the stipulated time. The steps involved in a Data Subject Access Request (DSAR) are listed below.

Source: Wirewheel

A data subject can make his/her request via email or an online form. The company then needs to verify the requestor’s identity and existence within their data ecosystem and track the application through to resolution within the required time.

Types of Requests Received via DSAR

A Data Subject Access Request (DSAR) typically includes:

  • Contact information of the data subject (name, email, and phone number).
  • A request to delete the information of the data subject.
  • Information on where the individual’s data is shared.
  • Data Subjects can add any context to their request.

Steps Involved in a Data Subject Access Request (DSAR)

Source: Wirewheel

1. Accepting the Request

Seamless access to all data sources is a prerequisite for building an inventory of personal data to evaluate your privacy risk exposure and enforce privacy rules. Companies accept requests from data subjects via online forms or emails.

2. Verifying the Identity

The requestor’s identity can be checked by asking to see a photo ID, such as a passport or driving license, or a utility bill, or by requesting a face-to-face meeting with the data subject.

3. Identifying the Type of Request

Once the validation is completed, the data protection officer identifies the type of request.

4. Assigning the Request

Based on the type of request received by the DPO, the request is forwarded to an analyst. The analyst is chosen based on the nature of the personal data requested by the data subject and the rights associated with user groups.

5. Collection of Data

The personal data is collected and reviewed across all records holding information based on the type of data subject request.

6. Packaging the Data

Depending on the type of data subject request, the format of the data is decided. The data obtained from various third-party Data Processors needs to be organized in the requested format and reviewed by the DPO.

7. Add Additional Information

DPOs must make sure the information is complete and comprehensive. For complex requests, the deadlines under GDPR and CCPA can be extended, provided that you advise the requestor of the reasons for extending the time scale before the expiry of the initial 30 days.

8. Deliver the Data

The last step is to share the response with the data subject, ensuring you reference the original request in your response. Always keep an exact copy of all the information sent and keep a record of your response in your Data Subject Access Request log.

9. Document the DSARs

The final step in your journey to GDPR compliance involves auditing. All communications and activities should roll into a reporting dashboard and audit trail to demonstrate accountability, compliance, and progress towards resolving requests.

Protecto is an AI Data Security & Privacy platform trusted by enterprises across healthcare and BFSI sectors. We help organizations detect, classify, and protect sensitive data in real-time AI workflows while maintaining regulatory compliance with DPDP, GDPR, HIPAA, and other frameworks. Founded in 2021, Protecto is headquartered in the US with operations across the US and India.
