How to Respond to a GDPR Subject Access Request (Step-by-Step)
A subject access request just landed in your inbox. Your first instinct might be to panic — or to ignore it and hope it goes away. Neither is a good strategy. Under GDPR, a subject access request (SAR) carries a hard 30-day deadline, and ignoring one can result in a regulatory complaint, an investigation, and potentially significant fines.
The good news: responding to a GDPR subject access request isn't as complicated as it sounds when you follow a clear process. This guide walks you through every step — from the moment the request arrives to the moment you deliver the response — including the nuances that trip most teams up.
What Is a DSAR and Who Can Submit One?
A Data Subject Access Request (DSAR) — also called a Subject Access Request (SAR) — is a formal request by an individual to receive a copy of all personal data an organisation holds about them, along with supplementary information about how that data is used.
Under Article 15 of GDPR, any EU or UK resident can submit a DSAR to any organisation that processes their personal data. This includes:
- Current and former customers
- Website visitors (even if they didn't buy anything)
- Current and former employees
- Job applicants
- Newsletter subscribers
- Anyone whose email address, phone number, IP address, or other identifying information you hold
There is no special format required. A DSAR can arrive by email, letter, social media DM, phone call, or even verbally. If someone asks "what data do you have about me?", that is a DSAR — even if they don't use that terminology.
Step 1: Log the Request and Start the Clock
The 30-day clock starts from the moment of receipt — not from when you read the email, not from when you decide it counts as a DSAR, and not from your next business day.
As soon as you receive what may be a subject access request:
- Record the date and time of receipt in your DSAR log
- Record the requester's identity (name, email, any identifying details provided)
- Record the channel through which the request arrived
- Calculate your deadline — 30 calendar days from receipt
- Assign ownership — who on your team is responsible for handling this?
The 30-day deadline is firm for most requests. Extensions are available (more on that below), but they require proactive action. Starting the clock accurately is non-negotiable.
Common mistake: Treating the DSAR log as optional. Every supervisory authority, in every enforcement action involving DSARs, asks to see the log. If you don't have one, it signals systemic non-compliance.
Step 2: Verify Identity — When You Can Ask and What's Proportionate
Before responding, you need to be reasonably confident the person submitting the request is who they say they are. You don't want to send a data bundle to the wrong person.
However, GDPR places a proportionality requirement on identity verification. The ICO's guidance is clear: you should not ask for more information than necessary to verify identity, and you should not use verification as a way to delay or obstruct the request.
When verification is appropriate:
- You have reasonable doubt about the requester's identity
- The request is made via a channel where identity can't be established (e.g., anonymous email address)
- The data you hold is sensitive and the risk of disclosure to the wrong person is high
What's proportionate:
- Asking them to confirm their email address if they emailed from an address you don't recognise
- Asking for the last four digits of a reference number or account ID
- For in-person requests, asking to see a form of ID
What's not proportionate:
- Asking for a passport copy when the person emailed from their account email
- Requiring a notarised signature for a routine request
- Demanding multiple forms of ID for low-risk data
Verification pauses the clock only if you had genuine reasonable doubt and requested verification promptly; otherwise the clock keeps running. Don't use verification as a stalling tactic — regulators see through it.
Step 3: Clarify Scope If Needed
If the request is genuinely unclear or covers an enormous volume of data, you may ask for clarification — but only if it's genuinely needed and only if you do it promptly.
When you can ask for clarification:
- The request is vague ("all the data you have") and your systems hold very large volumes of information about this person
- You genuinely cannot locate the data without knowing more about what they're referring to
What you cannot use clarification for:
- To narrow a legitimately broad request
- To make the response easier for you at the expense of the requester
- To restart the clock (it doesn't restart)
The clock continues running while you wait for clarification. If the requester doesn't respond, you should respond with whatever data you can reasonably identify.
Step 4: Search All Your Systems
This is the most time-consuming part of the GDPR subject access request response process, and the one most teams underestimate. You need to conduct a comprehensive search across every system that might hold personal data about the requester.
The complete search list:
- CRM (HubSpot, Salesforce, Pipedrive, etc.) — contact records, notes, interaction history, deal history
- Email — sent emails, received emails, email threads mentioning the person
- Marketing platforms (Mailchimp, ActiveCampaign, etc.) — subscriber records, campaign history, tags, segments
- Customer support (Zendesk, Intercom, Freshdesk) — tickets, chat transcripts, internal notes
- Product database — account data, usage logs, billing records
- Analytics platforms — if you can identify an individual in your analytics data
- Payment processors (Stripe, PayPal) — transaction records, invoices
- HR systems — if the requester is or was an employee
- Backups — yes, backups count; you need to search them or explicitly document why it's disproportionate to do so
- Paper records — physical files, printed emails, handwritten notes
- Third-party systems — any processor you've shared the data with
Practical approach: Create a data map in advance (or use a tool like Custodia to do this automatically). If you know where your data lives before a DSAR arrives, the search takes hours rather than days.
Step 5: Apply Exemptions — What You Can Withhold
Not everything you find needs to be included in your GDPR subject access request response. Several exemptions allow you to withhold or redact certain information.
Third-party data: If a document contains personal data about another individual — for example, an email thread involving a colleague — you may redact the third party's data unless that person has consented to disclosure or it's reasonable to disclose it without consent. This is one of the most common practical challenges (see the dedicated section below).
Legal privilege: Documents covered by legal professional privilege — advice from your lawyer, for example — are exempt.
Manifestly unfounded or excessive requests: If a request is genuinely made in bad faith or is repetitive and designed to burden the organisation, you may refuse it. However, the bar is high and you must be able to demonstrate this. Charging a fee (see below) is often a better approach than outright refusal.
Prevention, detection, or prosecution of crime: Data may be withheld if disclosure would prejudice an active investigation.
Confidential references: References given in confidence (e.g., employment references) are typically exempt.
Document every exemption you apply. For each piece of information you withhold, record what it is, what exemption you're relying on, and why. This documentation is essential if the requester complains to a supervisory authority.
Step 6: Compile the Response
A GDPR subject access request response is more than just a data dump. Article 15 specifies exactly what must be included:
- Confirmation that you do (or do not) process personal data about them
- A copy of the personal data — all of it, subject to any exemptions
- The purposes of the processing
- The categories of personal data involved
- Recipients or categories of recipients to whom the data has been or will be disclosed (including third-country recipients)
- Retention periods or the criteria used to determine them
- Information about rights — the right to rectification, erasure, restriction of processing, and to object
- The right to lodge a complaint with a supervisory authority
- Information about the source of the data, if it wasn't collected directly from the requester
- Information about automated decision-making, including profiling, if applicable
If any of this information is already in your privacy policy and the requester has access to it, you can reference it rather than restating it in full.
Step 7: Deliver It Securely
Format: GDPR requires you to provide the information in a "commonly used electronic format" if the request was made electronically — typically a PDF, a CSV, or a structured email. Don't make someone install proprietary software to access their data.
Security of transmission: You're about to send a potentially sensitive data package. Use secure methods:
- Password-protected ZIP or PDF with the password sent via a separate channel
- A secure file transfer link (rather than an email attachment for large bundles)
- Encrypted email if both parties support it
Do not charge a fee for a first, reasonable request. The response must be provided free of charge. (The exception: manifestly excessive or repetitive requests — more on that below.)
Confirm delivery. Send a brief covering message explaining what's included, what exemptions were applied and why, and reminding the person of their other rights and their right to complain to a supervisory authority.
Step 8: Document Everything
Your audit record for each DSAR should include:
- Date and time of receipt
- Identity of the requester
- Channel through which it was received
- Any identity verification steps taken and outcome
- Any clarification requested and outcome
- The systems searched and what was found
- Any exemptions applied and the reasoning
- The response sent (including a copy of what was provided)
- Date of delivery
- Any extension notices issued
This documentation serves two purposes: it demonstrates compliance if you're ever investigated, and it makes future requests faster because you know where your data lives.
Extensions: When You Can Add 2 More Months
If a request is complex or you've received multiple requests from the same person, you can extend the response period by up to two additional months — giving you three months total.
To use the extension:
- Notify the requester within the initial 30-day period (before the original deadline)
- Explain the reasons for the extension
- Remind them of their right to complain to a supervisory authority
You cannot grant yourself an extension after the deadline has passed. If you miss the 30-day window without notifying the requester, you're in breach.
"Complex" requests are those that genuinely involve large volumes of data, require significant effort to compile, or raise difficult questions about exemptions. "I forgot" or "we're understaffed" are not valid reasons for an extension.
Charging Fees: When You Can
Your initial response must be free. However, if requests are manifestly unfounded or excessive — particularly if they're repetitive — you can either:
- Charge a reasonable fee reflecting the administrative cost, or
- Refuse to act on the request entirely
If you charge a fee, you must notify the requester, explain the basis for the fee, and give them the option to withdraw or narrow the request before you proceed.
In practice: Charging is rarely worth the friction. Most requests are legitimate, even if inconvenient. Reserve this option for genuinely abusive patterns.
Refusing a DSAR: When You Can and How
Outright refusal is a high-risk option. You can refuse if:
- The request is manifestly unfounded (made in bad faith, not genuinely seeking data)
- The request is manifestly excessive (identical or very similar to recent requests with no new justification)
- A specific legal exemption applies
If you refuse, you must:
- Inform the requester within one month
- Explain why you are refusing
- Tell them about their right to complain to a supervisory authority
- Tell them about their right to seek a judicial remedy
Never simply ignore a DSAR. Even a refusal must be documented and communicated.
The Third-Party Data Problem: Redacting Other People's Info
One of the most practically challenging parts of the GDPR subject access request response process is dealing with data about other people embedded in the requester's data.
Example: A customer asks for their data. Your CRM includes a note from a sales rep: "Spoke to Sarah — referred by David Jenkins at Acme Corp who has had similar issues." David Jenkins hasn't consented to disclosure.
The approach:
- Redact information that identifies third parties where disclosure would be unfair to those individuals
- Consider whether the third party would reasonably expect their information to be shared
- Document the redaction and the reason in your audit record
- If a large proportion of the data involves third parties, note this in your covering response
There's no bright-line rule — you need to use judgment. But default to redacting when in doubt. The ICO's guidance is that you should consider whether it's possible to comply with the request without disclosing the third party's data.
Practical Checklist: The 8-Step DSAR Response Workflow
Use this checklist for every GDPR subject access request response:
- [ ] Log the request — date, time, requester identity, channel
- [ ] Calculate the deadline — 30 days from receipt (calendar days)
- [ ] Verify identity if genuinely needed and proportionate
- [ ] Clarify scope only if genuinely necessary
- [ ] Search all systems — CRM, email, marketing, support, product DB, HR, paper records, backups
- [ ] Apply exemptions — document each one
- [ ] Compile the full Article 15 response — data plus supplementary information
- [ ] Deliver securely — electronic format, secure transmission, covering letter
Optional actions:
- [ ] Issue extension notice within 30 days if needed
- [ ] Notify requester of fee if request is manifestly excessive
How Custodia Automates DSAR Handling
Managing a GDPR subject access request response manually is time-consuming, error-prone, and doesn't scale. Custodia's DSAR tool handles the entire workflow:
- Automated intake — a branded DSAR portal captures requests and logs them automatically
- Deadline tracking — the 30-day clock starts automatically; extension deadlines are tracked too
- System search guidance — Custodia's data map tells you exactly where to search based on your configured integrations
- Response compilation — structured templates ensure you include every Article 15 element
- Audit trail — every action is logged automatically, giving you a complete record if you're ever investigated
- Extension and fee notices — generated automatically when needed
Whether you receive one DSAR a year or dozens a month, a consistent, documented process protects you. Try Custodia free and handle your next subject access request with confidence.
This guide provides general information about GDPR subject access request response requirements. It does not constitute legal advice. Requirements may vary based on your jurisdiction and the nature of your processing activities. For advice specific to your situation, consult a qualified privacy professional.