📘 How to Handle a DSAR Request: A 5-Step, 30-Day Compliance Checklist
This article provides a simple, compliant process for managing a Data Subject Access Request (DSAR) under GDPR/DPA 2018, ensuring you meet the 30-day deadline without panic.
Introduction: Don't Panic. You Have 30 Days.
Receiving a DSAR can feel like a major administrative burden, especially for small businesses without a dedicated compliance team. The law requires you to respond "without undue delay" and, in most cases, within one calendar month. That is usually, but not always, 30 days: the deadline falls on the corresponding date in the following month (or the last day of that month if no such date exists), and if that day is a weekend or public holiday it moves to the next working day. Receive a request on 31 January and your deadline is 28 February, only 28 days later.
The key is to follow a defined, repeatable process. This guide breaks down the complex legal requirement into five clear, actionable steps.
Step 1: 🧐 Acknowledge, Record, and Verify Identity (Day 1-3)
The first step is establishing a paper trail and ensuring the request is legitimate.
1. Acknowledge and Log the Request
- Action: Immediately record the date the request was received; that is the day the one-month clock starts. A request is valid however it arrives (email, web form, letter, social media, or verbally) and does not need to mention the GDPR or use the words "subject access", so front-line staff need to know how to recognise one and where to forward it.
- Key Tip: Send a brief acknowledgement email to the requester confirming receipt and stating the expected deadline.
2. Verify the Requester's Identity
- Crucial Compliance Point: You must take "reasonable measures" to verify the identity of the person making the request. Disclosing someone's personal data to the wrong person is itself a personal data breach, and one you may have to report.
- What to ask for: You may ask for documentation (e.g., a utility bill or a copy of ID) only if you have a genuine, reasonable doubt about their identity. Ask for the minimum needed, keep it only as long as the check requires, and record what you checked and when.
- The DSAR Helper Difference: DSAR Helper tracks identity verification status throughout your process, reminding you to complete this critical compliance step before finalizing categories. This ensures you never accidentally skip this vital safeguard.
Step 2: ⚖️ Assess Scope and Determine Exemptions (Day 3-7)
Not every piece of data has to be disclosed, and in some cases you can extend the deadline.
- Determine the Scope: Is the request vague? You can ask the requester to clarify or narrow the scope (e.g., "I only want emails from the last 6 months"). Under current ICO guidance the clock is paused while you wait for that clarification, but only if you genuinely need it to respond; if the requester declines to narrow the request, you must still make reasonable efforts to answer it as made. Log the dates you asked and received the answer, because they move your deadline.
- Check for Exemptions: Are you legally permitted to refuse the request or withhold certain data? Common grounds include:
- Requests that are manifestly unfounded or excessive (e.g., repetitive, malicious, or harassing requests). Document your reasoning; if you refuse, you must tell the requester why and remind them of their right to complain.
- Data that also identifies another person (third-party data). This is rarely a reason to refuse outright: you withhold or redact that person's details unless they consent or it is reasonable to disclose them, and you provide the rest.
- Data subject to legal professional privilege or another statutory duty of confidentiality.
- Deadline Extension: If the request is complex, or the same individual has sent several requests, you can extend the deadline by up to a further two months. You must tell the data subject within the original one month, explaining why the extension is needed; an extension claimed after the first month has lapsed is too late.
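The deadline arithmetic in the introduction and the extension rule above are easy to get wrong by counting 30 days, so here is a worked calculator. It is added for this article and is not DSAR Helper code or an ICO tool. It implements the ICO's published method for UK GDPR (corresponding date in the following month, clamped to the month end, rolled forward to the next working day); the public-holiday list is a constructed sample rather than a full calendar, and `paused_days` is a simplification for time the clock is stopped while you wait for clarification or identity evidence.

```python
"""DSAR response deadlines under UK GDPR, following the ICO's method.

Added example for this article, not part of DSAR Helper. The holiday set is a
constructed sample; `paused_days` is a simplified model of a paused clock.
"""
from __future__ import annotations

import calendar
import datetime as dt
from typing import Iterable, NamedTuple

# Constructed sample: two UK bank holidays, not a complete calendar.
SAMPLE_HOLIDAYS = ("2025-12-25", "2025-12-26")


class Deadlines(NamedTuple):
    respond_by: dt.date    # one-month deadline; an extension notice must go out by this date
    if_extended: dt.date   # three-month deadline if you validly extend


def add_months(d: dt.date, months: int) -> dt.date:
    """Corresponding date `months` later, clamped to the end of the target
    month (31 Jan + 1 month is 28 or 29 Feb, never 3 Mar)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return dt.date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_working_day(d: dt.date, holidays: Iterable[dt.date] = ()) -> dt.date:
    """Roll forward over Saturdays, Sundays and any listed public holidays."""
    holidays = set(holidays)
    while d.weekday() >= 5 or d in holidays:
        d += dt.timedelta(days=1)
    return d


def dsar_deadlines(clock_start: dt.date, *, paused_days: int = 0,
                   holidays: Iterable[dt.date] = ()) -> Deadlines:
    """Ordinary and extended response dates for a request whose clock started
    on `clock_start` (the day received, or the day you obtained the identity
    evidence you reasonably asked for). Paused days are added back on."""
    holidays = set(holidays)
    pause = dt.timedelta(days=paused_days)
    return Deadlines(
        respond_by=next_working_day(add_months(clock_start, 1) + pause, holidays),
        if_extended=next_working_day(add_months(clock_start, 3) + pause, holidays),
    )


def deadlines_iso(start: str, *, paused_days: int = 0,
                  holidays: Iterable[str] = ()) -> tuple[str, str]:
    """String-in, string-out wrapper: ISO dates for the ordinary and extended deadlines."""
    d = dsar_deadlines(dt.date.fromisoformat(start), paused_days=paused_days,
                       holidays=[dt.date.fromisoformat(h) for h in holidays])
    return d.respond_by.isoformat(), d.if_extended.isoformat()


if __name__ == "__main__":
    for received in ("2025-01-31", "2025-11-25", "2025-11-28"):
        respond_by, extended = deadlines_iso(received, holidays=SAMPLE_HOLIDAYS)
        elapsed = (dt.date.fromisoformat(respond_by) - dt.date.fromisoformat(received)).days
        print(f"received {received}: respond by {respond_by} ({elapsed} days), "
              f"extended deadline {extended}")
```

Run it and note the three cases: 31 January gives 28 February (28 days, not 30); 25 November lands on Christmas Day and, with Boxing Day and the weekend, rolls to Monday 29 December; 28 November lands on a Sunday and rolls to the Monday. Whatever you use in practice, record the computed date in the request log on day one.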
Step 3: 🔎 Locate and Gather All Personal Data (Day 7-20)
This is typically the most labor-intensive part of the process. You must search every system in which you could hold data about the requester, including systems run on your behalf by processors.
- Key Data Sources to Check:
- Email inboxes and shared drives
- Messaging, collaboration and support tools (Slack, Teams, ticketing systems)
- CRM systems (Salesforce, HubSpot, etc.)
- Accounting/Billing software
- HR files and databases
- Website contact forms and application databases
- Backups and archived mailboxes, where the data is still reasonably retrievable
- Consolidation: Gather everything you find into a single, secure digital workspace, restrict access to the people handling the request, and log who viewed or exported it. The consolidated set is now the most sensitive file you hold about that person.
- The DSAR Helper Difference: DSAR Helper provides predefined data categories (Contact Details, Purchase History, Communication Records, etc.) that guide you through systematically collecting data from all your sources, reducing the risk of overlooking important systems.
Step 4: 📝 Review, Redact, and Prepare the Response (Day 20-27)
Accuracy and privacy are paramount in this stage.
- Review: Check that what you gathered is personal data relating to the requester, remove anything that is not, and record anything you are withholding under an exemption together with the reason.
- Redaction (Critical Step): You must redact any personal data relating to other individuals (third parties) unless they have consented or it is reasonable to disclose it without their consent. Use a redaction tool that deletes the underlying text, images and metadata from the file. A black rectangle, a highlighter annotation or a changed text colour only hides the content, and any text extractor or a simple copy-and-paste recovers it. Before sending, extract the text from the final file and search it for every name you redacted.
- Format: If the request came in electronically, provide the data in a commonly used electronic format (e.g., PDF or CSV) unless the requester asks for something else, and explain any internal codes or abbreviations so the data is intelligible to them.
- The DSAR Helper Difference: DSAR Helper structures your collected data into clear categories with completion tracking, helping you systematically review each section and ensure nothing is missed before generating the final response document.
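The redaction warning above is worth seeing in bytes, because a "redacted" PDF that still carries a third party's name is a breach delivered straight to the requester. The script below is an added example for this article, not DSAR Helper code. It builds two minimal PDFs inline (the names are constructed sample data): one where a black box is drawn over the third-party name, one where the name was removed before the box was drawn. `find_leaked_text()` inflates every Flate-compressed stream and searches it, which is roughly what a text extractor does. The generator is deliberately tiny; real PDFs may store text as hex strings, with subsetted fonts or as images, so a "not found" from this check is necessary, not sufficient, and you should still run a proper extractor over the final file.

```python
"""Does a 'redacted' PDF still contain the text it was meant to remove?

Added example for this article, not part of DSAR Helper. Builds two minimal
PDFs from constructed sample data and checks whether the third-party name is
recoverable once the Flate-compressed content stream is inflated.
"""
from __future__ import annotations

import re
import zlib
from typing import Optional

THIRD_PARTY = "Bob Thirdparty"  # constructed sample name, not a real person
LINES = ["Data subject: Alice Example", f"Mentioned in email: {THIRD_PARTY}"]
BOX = (70, 696, 200, 14)        # x, y, width, height: covers the second line visually

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)


def _pdf_string(s: str) -> str:
    """Escape a Python string as a PDF literal string."""
    return "(" + s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)") + ")"


def build_pdf(lines: list[str], black_box: Optional[tuple[int, int, int, int]]) -> bytes:
    """Assemble a one-page PDF with a FlateDecode content stream.

    `lines` are drawn top-down in 12pt Helvetica. `black_box` is filled black
    *after* the text, exactly what a highlighter-style tool does: the glyphs
    underneath are hidden on screen but still present in the file.
    """
    ops, y = [], 720
    for line in lines:
        ops.append(f"BT /F1 12 Tf 72 {y} Td {_pdf_string(line)} Tj ET")
        y -= 20
    if black_box:
        x, y0, w, h = black_box
        ops.append(f"0 g {x} {y0} {w} {h} re f")
    content = zlib.compress("\n".join(ops).encode("latin-1"))

    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref)
    return bytes(out)


def decoded_streams(pdf: bytes) -> list[bytes]:
    """Every stream body, inflated where it is Flate-compressed."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            bodies.append(zlib.decompress(raw))
        except zlib.error:
            bodies.append(raw)  # uncompressed, or a filter this demo does not handle
    return bodies


def find_leaked_text(pdf: bytes, needle: str) -> bool:
    """True if `needle` is recoverable: in the uncompressed objects (annotations,
    metadata) or in any inflated stream. A raw grep alone misses compressed text."""
    target = needle.encode("latin-1")
    return target in pdf or any(target in body for body in decoded_streams(pdf))


def visual_cover_up() -> bytes:
    """'Redaction' by drawing a black box: the name is still in the content stream."""
    return build_pdf(LINES, BOX)


def true_redaction() -> bytes:
    """The name is removed from the content before the box is drawn."""
    return build_pdf([LINES[0], "Mentioned in email: [REDACTED]"], BOX)


if __name__ == "__main__":
    for label, pdf in (("black box only", visual_cover_up()), ("text removed", true_redaction())):
        print(f"{label:15s} raw grep finds name: {THIRD_PARTY.encode() in pdf!s:5} "
              f"inflated streams find name: {find_leaked_text(pdf, THIRD_PARTY)}")
```

Note the two results for the black-box file: a raw byte search reports the name absent because the stream is compressed, while the inflated check finds it. That gap is why "I grepped the PDF and it was clean" is not a verification step; open the final file in a viewer and try to select and copy the redacted area, or run a text extractor, before the package leaves your hands.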
Step 5: ✉️ Deliver the Response and Conclude (Day 28-30)
Deliver the data and the necessary accompanying information.
- The Final Package: The response must include:
- All the relevant personal data you found, after redaction.
- Confirmation that you are processing their personal data (or that you are not).
- The purposes of the processing.
- The categories of personal data concerned.
- The recipients, or categories of recipients, to whom the data has been or will be disclosed.
- How long you will keep the data, or the criteria you use to decide that.
- Where the data did not come from the requester, where you obtained it.
- Their rights to request rectification, erasure or restriction of processing, and to object.
- Their right to complain to the relevant supervisory authority (the ICO in the UK).
- Secure Delivery: Send the response to the contact details you confirmed during identity verification, not to an address that appeared later in the thread. Use an encrypted portal, or an encrypted file with the password sent by a separate channel (a phone call or text message, not the same email). Avoid legacy ZIP password protection, which is weak; modern AES-based archive or PDF encryption is fine. Ask the requester to confirm receipt and record the date you sent it.
- The DSAR Helper Difference: DSAR Helper automatically generates a professional, legally compliant PDF response that includes all required elements: a formal cover letter, categorized personal data with source/purpose/retention information, full UK GDPR rights explanation, and ICO contact details. This ensures your response meets all legal requirements without manual formatting.