News & Blog

How to Respond to the Increase in DSAR’s

Be confident you know how to respond to a data subject access request (DSAR) by following these steps.

data subject access request (DSAR) involves a written request by any individual where a company/organization is processing, storing, or utilizing data that identifies them and can arise at any time; so it is essential that you have a procedure in place to respond promptly.

According to the latest UK Data Protection Index results, there has been a 66% increase in the average of DSARs received since July 2020. So with the number of DSARs requested on the rise it is vital that companies are prepared and are complying with data obligations as it is inevitable that companies will face a rise in individuals inlcuding employees and customers wanting to know how their data is being used in 2021.

1. Be confident you know how to respond to a DSAR request  
Completing a DSAR is time-sensitive. In line with the GDPR rules, organizations must respond to valid requisitions without undue delay and at the latest within one month of receiving the request. Although extensions are available, it has to be justified and it is wise to inform the requester as soon as possible and to give regular updates. Once the DSAR has been acknowledged it needs to be assigned to the right person to handle and research it. So being prepared and having a compliance officer who has an organized approach to completing data subject access requests enables you to respond efficiently with the right information.

2. Make sure you know who deals with your compliance requests
To begin with, you must request identification to confirm the identity of the person who has filed a request in order to verify that you do possess data regarding the individual. Every member of staff should be aware of both their rights and who to contact within the organization if they have a query. It should also be clearly stated on your Privacy Policy who is responsible and how to contact them.

3. Have a solution in place so you can respond efficiently to a DSAR
When it comes to completing a DSAR you will need to document a justification for every redaction you are making. That is why it is important to reduce the amount of data you hold as it can lead to unorganized unstructured data which will make the process of DSAR request more complicated.

Having a solution in place allows you to have a policy for both your structured and unstructured data (approx. 70% of all data) repositories, so you can qualify, search, review, redact and export the information accurately to the individual. Management solutions such as ComplyKEY that include email and file management, enable you to see your email and file data and rapidly respond to such requests.

4. Make sure to review, redact and remove information that is not relevant to the search or individual.
It is key to ensure that upon the request no other information from a third party is within the same file/page or email. Also, you should remove any information that is not relevant or confidential personal data. If this does occur it is potentially a breach of information and all individual affected will need to be contacted to clearly explain the information that has been shared, it will also require a notification to the relevant DPA in your country with 72 hours.’ Just consider the number of individuals that are cc’d or bcc’d in every email coming into and leaving your organisation, these individuals should be removed from any export.

5. Know how to formally respond to a DSAR
GDPR suggests that you should respond to a request in the same way a request is made unless specified. You should keep an audit trail of the request, which would include the sources of information that was gathered, the review undertaken, decisions made concerning whether information amounted to personal data, and whether exemptions or delays were applied. The process can be simplified by ensuring your process and procedures for responding to a DSAR are up to date and maintained, that they adhere to your policies and privacy statement, and you have the relevant training and solutions in place to respond accurately and quickly.

Watch a demo on how to respond to a DSAR request using the MailMeter Investigate module.


Responding to a DSAR doesn’t have to take up a lot of time and resources. Being request-ready can be resolved with a simple management suite. ComplyKEY is designed to address DSAR requests at the Unstructured Data level as it gives you full visibility, control and analysis, and automation of your email and file data. This means that your company will be protected and your costs will be reduced.