Data Subject Access Requests (DSARs) – How to Review Them

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 as a way to modernize personal information protection laws. Even a year later, a recent Thomson Reuters survey found businesses worldwide are struggling to comply with the new legal framework.

Not only are consumers using data subject access requests (DSARs), but employees too are using them to obtain copies of their personal information from their current or previous place of employment. Lexology surveyed 90 UK-based companies and found that 71 of the surveyed companies had experienced an increase in the number of employee DSARs since 2018.

What is a DSAR?

Under the current privacy regulations such as the GDPR and CCPA, individuals can request that an organization disclose whatever information the organization has on them. Such requests are called Data Subject Access Requests (DSARs). Additionally, data subjects can request that their data be deleted and opt-out from future data collection. These requests can be made by or on behalf of an individual. The request does not have to be made in any particular form, and applicants do not necessarily have to include special terminology to get their requests processed. Since the GDPR does not mention anything on how to make a valid request, an individual can simply write an email saying, “I want to see all the data you have on me.”

Handling DSAR emails can be time-consuming, tiring, and expensive, but failure to comply with DSARs can result in serious regulatory, financial, and reputational consequences. Given the quick turnaround time – data access requests must be fulfilled within one month of receipt – it is necessary to have a good process for handling DSARs. Here are tips for you to follow when reviewing DSAR emails, so you get everything done on time without missing deadlines.

Verify the Completeness of the Access Request

The number of fraudulent requests is precisely why you should be extra careful when ensuring the validity of a request. Check whether the applicant has enclosed all the details you need to locate the information requested. They must also supply sufficient data to verify their identity.

Normally, the applicant will fail to provide all the relevant information the first time around. The onus of writing to the individual and requesting further information falls on you. Remember, you have a deadline for providing this information, and you should be proactive if you want to meet that deadline.

Determine the Identity of the Subject

A recent study by an Oxford researcher found that the laws intended to protect people from having strangers retrieve their personal data have actually made it easier to access personal data and commit identity theft.

This is why businesses and companies should verify the identity of the data subject before revealing any private details. However, although you obviously should not provide copies of personal details to people who are not the applicant, you cannot adopt an obstructive stance either.

According to the GDPR, you can take ‘reasonable measures’ to validate the data subject’s identity. Try determining their identity from their circumstances, like their signature or their address. For instance, if the requested data is a reference, use the application form to find out more about their identity – does the address or signature on the application form match what is provided in the access request?

If you need further verification of the identity of the data subject, you can resort to one of two common options:

  • Verification using past activities: Call or email the applicant and ask them two questions based on the data you have about them to confirm their identity, e.g. “When did you create an account?”, “When did you last login?”, personal details such as DOB, etc.
  • Verification using ID proof: Respond to the request email, asking them for a photocopy of their driver’s license or passport. Verifying ID might sound more reliable however, malicious actors can easily create fake IDs digitally, hence verifying the individual using their past activities might be a better approach.

Narrow the Scope of the Data Access Request

If the scope of the DSAR is unclear, request more details from the applicant about what they’re looking for and where it is possibly located. Do this prior to starting the search. If the scope of the request is too extensive – for example, “Give me all my personal details” – it is better to engage with the applicant to narrow the scope of the request and increase the focus of your search. Although a data controller is mandated by the GDPR to locate and retrieve all the requested details, the data subject might only be concerned about some specific area; hence, reducing the scope will help both data subjects and companies to save time and effort. Users need not wait longer and go through a vast set of data to find what they were looking for.

Screen the Data

Not all personal details are up for disclosure. Once you’ve gathered all the necessary information about the applicant, examine the data thoroughly to establish whether it can be disclosed, especially the personal data of some other users. You may have to redact specific portions of a document which are not allowed for disclosure.

Concluding remarks

Dealing with DSAR emails can severely cut into a company’s time and resources. You might have to wade through hundreds of documents and emails to ensure you’re not disclosing details that shouldn’t be shared. However, by using the tips listed here, you can save your company time and money. Using oneDPO would significantly save you time and resources in resolving DSRs. Learn more at

Author: Rahul Sharma


Leave a Reply

Your email address will not be published. Required fields are marked *