How do I respond to a data subject access request (DSAR)?
A data subject access request (DSAR) is a request from an individual to see, correct, or sometimes delete the personal information an organization holds about them. Many privacy frameworks and laws grant this right, and most set a deadline for your response. While the specifics vary by jurisdiction, the underlying process is consistent and can be handled with a repeatable, well-documented workflow.
Start the clock and log the request
Treat every request as time-sensitive. Record the date received, the requester’s identity, and exactly what they are asking for. Confirm the request actually triggers your obligations, then note any applicable response deadline so you can plan the work backward from it. A simple intake log creates the audit trail you may need to demonstrate compliance later.
Verify identity
Before disclosing any personal data, confirm you are dealing with the actual data subject (or their authorized agent). Use proportionate verification — enough to be confident, but not so burdensome that you obstruct a legitimate right. Releasing personal information to the wrong party is itself a privacy breach.
Find the records
Search across all systems and repositories where the individual’s data may live: structured databases, email, shared drives, backups, and paper files. This is where strong records management and accurate information mapping pay off. Knowing your data inventory and retention schedules makes a complete, defensible search far easier.
Review, redact, and respond
Examine what you found before releasing it. Common adjustments include:
- Redacting third parties’ personal information that appears in the same records.
- Withholding material covered by a recognized exemption (for example, legal privilege or ongoing investigations), and documenting why.
- Honoring related rights the requester raised, such as correction of inaccurate data.
Deliver the response in a clear, accessible format within the required timeframe, and keep a copy of what you disclosed.
Build the process in advance
DSARs are predictable enough to plan for. Designate a responsible owner, document a standard procedure, train staff to recognize and route requests, and align retention practices so you are not storing personal data longer than needed. For more on handling personal information responsibly, see the privacy and PII topic hub.
A well-run DSAR process protects individuals’ rights, reduces legal risk, and reflects the disciplined recordkeeping that sound information governance is built on.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- Privacy Act of 1974 — U.S. Department of Justice
How to cite this page
APA
RM University Editorial. (2026). How do I respond to a data subject access request (DSAR)?. Records Management University. https://www.recordsmgmt.org/questions/how-to-respond-to-a-data-subject-access-request/
MLA
RM University Editorial. "How do I respond to a data subject access request (DSAR)?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-to-respond-to-a-data-subject-access-request/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?