Lars Wouters
Legal Associate
A single email can trigger a one-month legal clock. Here is how to handle a Data Subject Access Request properly — and the traps that turn a routine request into a complaint.
Under Article 15 of the GDPR, anyone can ask whether you hold their personal data and, if so, receive a copy along with information about how and why you process it. A Data Subject Access Request (DSAR) does not need to mention the GDPR, use any special form, or even go to the right inbox — which is exactly why so many organisations are caught off guard.
The clock starts immediately
You generally have one month from receipt to respond. That can be extended by up to two further months for complex or numerous requests, but only if you tell the requester within the first month and explain why.
What you must provide
- Confirmation of whether you process their data.
- A copy of the personal data itself.
- The purposes, categories of data, recipients, retention periods and the source of the data.
- A reminder of their other rights, including rectification, erasure and the right to complain.
Common traps
The biggest mistakes are missing the deadline because the request landed in the wrong inbox, over-disclosing third-party data, and charging a fee when none is due — access is free unless a request is manifestly unfounded or excessive. Redact other people's personal data carefully, and never use a DSAR as leverage in an unrelated dispute.
Can you ever say no?
Rarely, and cautiously. You may refuse or charge for requests that are manifestly unfounded or excessive, and certain exemptions apply (for example, legal privilege). But the burden is on you to justify it, so document your reasoning.
Treat every DSAR as a test of your record-keeping. If you cannot find the data quickly, that is the real problem the request has revealed.
We help organisations build a DSAR-handling process — templates, search workflows and redaction standards — so requests become routine rather than alarming.
This article is general information, not legal advice. For guidance on your specific situation, please speak to our team.