Data & Privacy

Data Subject Access Request

Definition

A data subject access request (DSAR) is an individual's right, under laws such as the GDPR, to ask an organisation what personal data it holds about them and to receive a copy.

What is a data subject access request?

A data subject access request, almost always shortened to DSAR, is a request from an individual, the "data subject", asking an organisation to tell them what personal data it holds about them and to hand over a copy. It is one of the core rights granted by modern data-protection laws, most prominently the EU's GDPR and its UK counterpart.

The idea behind it is transparency. If an organisation is going to collect and use information about people, those people have a right to see what is held, understand why, and check it is accurate. A DSAR is the mechanism that turns that principle into something an individual can actually exercise.

What happens in a DSAR

When a request comes in, a fairly consistent set of steps follows, whatever the size of the organisation.

  • Verify identity. The organisation must be sure the requester is who they say they are, so personal data isn't handed to the wrong person.
  • Locate the data. Every system that might hold the person's data is searched, from the helpdesk and CRM to billing tools, email, and marketing platforms.
  • Review and redact. Data about other people, caught up in the same records, is removed before anything is shared, which is where careful PII redaction matters.
  • Respond in time. Under the GDPR, the organisation generally has one month to respond, and in most cases must do so free of charge.

There are limits. Certain information can be withheld, for example where disclosing it would reveal personal data about a third party, and the deadline can be extended for particularly complex requests. But the default is to respond fully and promptly.

How to prepare for DSARs

A DSAR is far easier to handle when the groundwork is already in place.

Know where your data lives. The single biggest factor is a clear data map. If you already know every system that holds personal data, responding is a matter of running a defined process rather than a frantic search. This overlaps directly with maintaining a data retention policy.

Hold less in the first place. The less personal data you keep, and the sooner you delete what you no longer need, the smaller and simpler each response becomes. Minimisation and a clear basis for processing, through consent management, both reduce the surface area a DSAR has to cover.

Give the process an owner. A named person or team, a documented workflow, and a template response turn DSARs from an anxious one-off into a routine task. Handled this way, a request stops being a fire drill and becomes a straightforward demonstration that you respect the people whose data you hold.

Why it matters

It is a legal right. Under the GDPR and similar laws, people can request their data and organisations must respond, usually within one month.
It tests your data map. Answering a DSAR means knowing every place personal data lives, which many organisations discover only when asked.
It builds transparency. Handling requests well shows customers you take their data, and their rights, seriously.
Ignoring it carries risk. Missed or mishandled requests can lead to complaints and regulatory penalties.

Example

A customer emails asking for all the personal data a company holds on them. The support team verifies the person's identity, searches its helpdesk, billing system, and marketing tools, redacts information about other people, and returns a copy within the one-month deadline the GDPR sets.

How Resolve247 helps

Keep support answers grounded, not data-hungry

Resolve247's AIChatbot answers from the knowledge base you provide, your published help content, rather than collecting extra personal details to do its job. When a request turns on someone's own account data, it hands over to a human with full context.

Answers only from your knowledge base
Anti-hallucination guarantee
Hands sensitive cases to a human
You control its source content
Start Your Free Trial

30 day free trial, no cc required!

Related terms

Frequently asked questions

What is a data subject access request?

A data subject access request, or DSAR, is a request from an individual asking an organisation to confirm what personal data it holds about them and to provide a copy. It is a right granted under data-protection laws such as the GDPR and the UK's equivalent, and it applies to any organisation processing that person's data.

How do organisations handle a DSAR?

They usually verify the requester's identity, locate all the personal data they hold about that person across their systems, redact any information that relates to other people, and provide a copy in a clear format. Under the GDPR this must generally be done within one month and, in most cases, free of charge.

What information can someone request in a DSAR?

An individual can ask for a copy of the personal data an organisation holds about them, along with details such as why it is being processed, who it is shared with, and how long it will be kept. Some data can be withheld, for example where releasing it would reveal personal data about someone else.

How can a business prepare for data subject access requests?

The most effective preparation is knowing where personal data lives. A clear data map, a defined process with an owner, and disciplined data minimisation all make responding faster and less error-prone, so a DSAR becomes a routine task rather than a scramble.

Answer more questions from your own content

Start Your Free Trial

30 day free trial, no cc required!

Money back guarantee
No manual setup required