A data subject access request (DSAR) is a formal request from an individual to see, obtain a copy of, correct, or learn how an organization is using the personal data it holds about them. Under a growing family of privacy regimes, individuals hold enforceable rights over their own information, and the DSAR is the procedural channel through which those rights are exercised. For a records management program, a DSAR is not merely a legal obligation handed to the privacy office; it is a stress test of whether the organization actually knows what personal data it holds, where that data lives, how long it is retained, and how reliably it can be located and produced on demand.
Responding well requires a repeatable, documented workflow that balances the requester’s rights against competing obligations, such as protecting the privacy of third parties, preserving records under legal hold, and honoring exemptions that lawfully limit disclosure. Mature programs treat DSARs as an operational process with defined intake, verification, search, review, and response stages, supported by retention schedules and an accurate information inventory. This article describes that process in principle-based terms applicable across jurisdictions, while noting where specific legal frameworks shape the details.
What a DSAR Covers and Who Can Make One
The scope of a DSAR is defined by the governing law, but most regimes share a common core. A requester is typically entitled to confirmation of whether their personal data is being processed, access to that data or a copy of it, and supplementary information such as the purposes of processing, categories of data, recipients, and retention periods. Some frameworks add adjacent rights — correction (rectification), deletion, restriction of processing, portability, and objection — that arrive through the same intake channel and benefit from the same workflow.
In the U.S. federal context, the Privacy Act of 1974 gives individuals the right to access and request amendment of records about themselves held in agency systems of records, operating alongside the Freedom of Information Act. State consumer privacy laws and international regimes such as the GDPR create parallel but distinct access rights for private-sector data. Requests may come from the data subject directly or from an authorized agent acting on their behalf, which is precisely why identity verification is the first substantive control in any DSAR process.
Intake and Identity Verification
A defensible DSAR process begins with a single, well-publicized intake mechanism so that requests are logged consistently rather than arriving scattered across inboxes, web forms, and call centers. Each request should be date-stamped on receipt, because most statutes impose a response clock — commonly measured in weeks — that begins when the request (and, where required, verified identity) is received.
Identity verification protects against the worst failure mode in privacy operations: disclosing personal data to an impostor. Verification should be proportionate to the sensitivity of the data requested, using information the organization already holds rather than demanding new, excessive documentation. For requests made through an authorized agent, the organization must confirm both the agent’s authority and the underlying individual’s identity. Verification standards and reasonable security safeguards align with broader privacy risk-management practice, including the principles articulated in the NIST Privacy Framework.
Locating Responsive Records
Search is where records management discipline becomes decisive. The organization must identify all systems, repositories, and formats that may contain the requester’s personal data — structured databases, document stores, email and messaging, backups, and physical files. This is far easier when a data inventory or records map already exists, when systems are classified by the categories of personal data they hold, and when retention schedules have already disposed of data that no longer needs to be kept.
Good search practice includes:
- Defining a reasonable, documented search strategy keyed to the systems most likely to hold responsive data.
- Searching against the identifiers actually used in each system (name, account number, email, device identifiers).
- Recording where searches ran, what terms were used, and what was found, so the response is auditable.
- Recognizing legal holds, which can suspend deletion rights and affect what must be preserved even as access is provided.
International standards such as ISO 15489-1 frame these capabilities as core records management outcomes — records that are findable, authentic, reliable, and usable — rather than as privacy-specific add-ons. Programs that meet those records management requirements respond to DSARs far more efficiently than those that must improvise a search each time.
Review, Redaction, and Exemptions
Locating data is not the same as disclosing all of it. Before release, responsive material must be reviewed to apply exemptions and protect the rights of others. The most common adjustment is redaction of third-party personal data: a document responsive to one person’s request frequently names other individuals whose privacy must be preserved. Other lawful grounds — protecting ongoing investigations, privileged legal material, trade secrets, or information that would compromise security — may justify withholding or limiting disclosure, depending on the governing law.
Redaction must be performed so that hidden content cannot be recovered from the delivered file, a frequent and serious operational error when redactions are merely visual overlays. Each withholding or redaction should be documented with its legal basis so the decision can be explained to the requester or defended on appeal.
Responding Within the Deadline and Maintaining the Record
The response should be delivered within the statutory time limit, in a concise and intelligible form, and through a secure channel appropriate to the data’s sensitivity. Where a request is complex or voluminous, many regimes permit a documented extension with notice to the requester; where a request is refused in whole or part, the requester is generally entitled to the reasons and to information about how to seek review.
Finally, the DSAR process is itself a record. The request, verification, search documentation, review decisions, and final response should be retained according to schedule, both to demonstrate compliance and to handle follow-up or appeals. Treating DSAR handling as a governed records process — measured, audited, and continuously improved — turns a recurring legal burden into evidence of a well-run information program. Organizations modernizing these capabilities should note that NARA revoked its endorsement of the DoD 5015.2 standard in 2022 in favor of the Universal Electronic Records Management Requirements developed through the Federal Electronic Records Modernization Initiative (FERMI), reflecting a broader shift toward functional, outcome-based records requirements that directly support obligations like timely, reliable access. For related guidance, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- Privacy Act of 1974 — U.S. Department of Justice
- NIST Privacy Framework — NIST
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial Team. (2026). Responding to Data Subject Access Requests (DSARs). Records Management University. https://www.recordsmgmt.org/articles/responding-to-data-subject-access-requests-dsars/
MLA
RM University Editorial Team. "Responding to Data Subject Access Requests (DSARs)." Records Management University, 16 June 2026, www.recordsmgmt.org/articles/responding-to-data-subject-access-requests-dsars/.