Data & Privacy
Data Subject Access Request
Definition
A data subject access request (DSAR) is an individual's right, under laws such as the GDPR, to ask an organisation what personal data it holds about them and to receive a copy.
What is a data subject access request?
A data subject access request, almost always shortened to DSAR, is a request from an individual, the "data subject", asking an organisation to tell them what personal data it holds about them and to hand over a copy. It is one of the core rights granted by modern data-protection laws, most prominently the EU's GDPR and its UK counterpart.
The idea behind it is transparency. If an organisation is going to collect and use information about people, those people have a right to see what is held, understand why, and check it is accurate. A DSAR is the mechanism that turns that principle into something an individual can actually exercise.
What happens in a DSAR
When a request comes in, a fairly consistent set of steps follows, whatever the size of the organisation.
- Verify identity. The organisation must be sure the requester is who they say they are, so personal data isn't handed to the wrong person.
- Locate the data. Every system that might hold the person's data is searched, from the helpdesk and CRM to billing tools, email, and marketing platforms.
- Review and redact. Data about other people, caught up in the same records, is removed before anything is shared, which is where careful PII redaction matters.
- Respond in time. Under the GDPR, the organisation generally has one month to respond, and in most cases must do so free of charge.
There are limits. Certain information can be withheld, for example where disclosing it would reveal personal data about a third party, and the deadline can be extended for particularly complex requests. But the default is to respond fully and promptly.
How to prepare for DSARs
A DSAR is far easier to handle when the groundwork is already in place.
Know where your data lives. The single biggest factor is a clear data map. If you already know every system that holds personal data, responding is a matter of running a defined process rather than a frantic search. This overlaps directly with maintaining a data retention policy.
Hold less in the first place. The less personal data you keep, and the sooner you delete what you no longer need, the smaller and simpler each response becomes. Minimisation and a clear basis for processing, through consent management, both reduce the surface area a DSAR has to cover.
Give the process an owner. A named person or team, a documented workflow, and a template response turn DSARs from an anxious one-off into a routine task. Handled this way, a request stops being a fire drill and becomes a straightforward demonstration that you respect the people whose data you hold.
Why it matters
Example
A customer emails asking for all the personal data a company holds on them. The support team verifies the person's identity, searches its helpdesk, billing system, and marketing tools, redacts information about other people, and returns a copy within the one-month deadline the GDPR sets.
How Resolve247 helps
Keep support answers grounded, not data-hungry
Resolve247's AIChatbot answers from the knowledge base you provide, your published help content, rather than collecting extra personal details to do its job. When a request turns on someone's own account data, it hands over to a human with full context.
30 day free trial, no cc required!
Related terms
Frequently asked questions
What is a data subject access request?
A data subject access request, or DSAR, is a request from an individual asking an organisation to confirm what personal data it holds about them and to provide a copy. It is a right granted under data-protection laws such as the GDPR and the UK's equivalent, and it applies to any organisation processing that person's data.
How do organisations handle a DSAR?
They usually verify the requester's identity, locate all the personal data they hold about that person across their systems, redact any information that relates to other people, and provide a copy in a clear format. Under the GDPR this must generally be done within one month and, in most cases, free of charge.
What information can someone request in a DSAR?
An individual can ask for a copy of the personal data an organisation holds about them, along with details such as why it is being processed, who it is shared with, and how long it will be kept. Some data can be withheld, for example where releasing it would reveal personal data about someone else.
How can a business prepare for data subject access requests?
The most effective preparation is knowing where personal data lives. A clear data map, a defined process with an owner, and disciplined data minimisation all make responding faster and less error-prone, so a DSAR becomes a routine task rather than a scramble.