Facit Data Systems
How to fulfil a Data Subject Access Request (DSAR)

The vast majority of organisations hold information about people, and those people have a legal right to request it. Here's a 10-point fulfilment checklist to help you fulfil a data subject access request.

What is a data subject access request (DSAR)?

A Data Subject Access Request (DSAR) is a request made by an individual (the "data subject") to an organisation to access the personal data that the organisation holds about them. This access right is granted under data protection laws such as the General Data Protection Regulation (GDPR) in the EU and UK, and the California Consumer Privacy Act (CCPA) in the U.S.

What is the right of access under GDPR?

Under Article 15 of GDPR, individuals have the right to know whether an organisation (the data controller) is processing their personal information.

If personal data is being processed, the controller is required to provide the individual with a copy of their data, as long as doing so does not infringe on the rights or freedoms of others. Along with the data itself, the organisation must also share relevant details about the processing activities.

Generally, this information must be provided at no cost. However, a reasonable administrative fee may be applied if the individual requests multiple copies or if the request is deemed excessive or unfounded.

Additionally, if personal data is transferred outside the European Economic Area (EEA) to another country or an international organisation, the individual has the right to be informed about the safeguards in place to protect their data.

What information are you obligated to provide in a DSAR response?

The organisation is obligated to provide confirmation that it is processing personal data, a copy of that personal data and other information. When making a DSAR, an individual can ask for:

  • Confirmation of whether their personal data is being processed.

  • A copy of the personal data held by the organisation.

  • The purpose of data processing.

  • Details on how long the data will be stored.

  • Information on third parties with whom the data is shared.

  • The source of the data (if it wasn’t provided by the individual).

  • The right to request correction, deletion or restriction of data processing. 

Can information be redacted?

While the GDPR emphasises transparency, organisations are permitted - and in some cases required - to redact information that falls outside the scope of a DSAR.

For instance, if a document contains both the requester's personal data and details about other individuals, any third-party personal information must be redacted to prevent a data breach. Similarly, if the requested records include confidential business information alongside the individual's data, the organisation has the right to redact sensitive company details before providing access.

The same redaction requirements apply to video, images and any other format in which personal data is held.

Can an organisation refuse a DSAR?

In certain cases, an organisation may lawfully refuse to fulfil a DSAR if an exemption applies or if the request meets specific criteria, such as:

Manifestly Unfounded Requests
This applies when the individual has no genuine intention of exercising their right or submits the request with malicious intent, solely to cause disruption.

Manifestly Excessive Requests
A DSAR may be refused if it is unreasonable in scope or places a disproportionate burden on the organisation in terms of cost or effort.

If a request is denied, the organisation must be able to justify its decision to the supervisory authority. Additionally, the individual must be informed of the refusal, the reason behind it, their right to file a complaint with the supervisory authority and their option to seek enforcement through legal action.

How to fulfil a data subject access request

By law, people can ask you for a copy of any information that relates to them, as it is deemed to be their personal data, and they have a legal right to see it. If someone asks you for a copy of their personal data, by phone, in person, or in writing, they have made a ‘data subject access request’ (DSAR), and you need to respond. Here’s a 10-point DSAR fulfilment checklist to help you complete a data subject access request.

1: Assign a data protection lead

Large businesses generally have compliance teams, while small businesses are expected to nominate a member of staff to take the lead on data protection.

2: Check the identity of the requester

If you’re not certain about the identity of the requester – i.e., that they are who they say they are – you should verify the requester’s identity before responding to the DSAR. Verification can take the form of requesting ID, asking questions to which only the authentic requester would know the answers, or asking for reference numbers, dates and locations.

3: Check that the requester is authorised

If the DSAR is made by someone other than the person the data is about (such as a relative or solicitor), check that the requester has been authorised. You should ask for written authority to act on behalf of the person concerned, or a document showing power of attorney. Children older than 12 can make their own DSARs, so if a parent or carer makes a request, you should usually get permission from the child first.

4: Create a DSAR fulfilment calendar

Data holders have thirty days to gather requested data and provide it to the requester in the format of their choice. The thirty days starts from the time the requester’s identity and authority have been verified. If the DSAR is complex, or the requester has made a lot of requests, you can take an extra two months to respond. You must, however, let the requester know there will be a delay before the end of the initial fulfilment period.

5: Double check what is being requested

Requesters may ask for all the data you hold on them or they may ask for something

6: Search for the relevant information

Use search functions on all devices and systems to locate every instance of the data being requested. Sources can include smartphones, computers, archived files, emails, external hard drives, tablets, memory sticks, voice recordings, social media posts and CCTV records.

7: Check what you need to redact

Before providing the requester with their information, check it carefully to ensure it only contains their information. If you discover a document or email that mentions people other than the person in question, you should redact (hide, black out or remove) any information that does not relate to the person making the DSAR. Disclosing information about other people is likely to result in a breach of their personal privacy.

We covered the challenges of document data privacy in a previous article. If you are new to document data privacy, check out how to avoid the hidden pitfalls associated with data redaction.


8: Think carefully about releasing data about other people

You should avoid disclosing information about other people in a DSAR. When the personal data you gather includes information that is linked to someone else, consider the impact that disclosure could have. For example:

  • If all the details about the other person are already in the public domain, there may not be a need for redaction.

  • If the requester does not know particular information, there is a strong case for redacting other names and identifying information.

  • If the requester is likely to guess at the identity of others, you may need to consider whether it's necessary to get the other people's consent prior to release.

9: Choose a response format

If you received a DSAR by email or post, you should reply by email or post, unless the requester specified a preferred response format.

10: Keep a record of your reply

When you send the requester their personal data, include a copy of your privacy policy. The privacy policy should explain why you hold data, how you acquired it, how long you’re planning to keep it, who you share it with, and how people can request changes or data deletion. Keep dated records of the information you send as you may need to refer to it again, for example if the requester is not satisfied with your response or if they make another request. The ICO provides a downloadable privacy notice template on its website.

File search and data removal for assured in-house data privacy compliance

In the past two years, there has been a steep increase in DSARs, and fulfilment can be overwhelming, costly and potentially risky. Facit helps organisations worldwide to automate complex document data redaction in all document formats, including complex spreadsheets. Uniquely, Facit Data Redaction goes far beyond masking sensitive data with a black box: Facit completely removes problematic data in seconds so that there is 0% risk of a privacy breach.

Contact Facit to learn more about document and video redaction tools to ensure compliance when responding to DSARs.