How to handle DSARs (data subject requests) under GDPR

Apr 1, 2026

Data subject requests are one of the most practical parts of GDPR. They do not appear in policies or procedures. They arrive in everyday communication — emails, contact forms, customer support messages. And they always come with one critical constraint: time.

Under GDPR, organizations are required to respond without undue delay, usually within one month. What seems manageable in theory often becomes difficult in practice, especially when requests are not properly recognized or handled.

What is a DSAR?

A DSAR, or Data Subject Access Request, is a request made by an individual to access their personal data held by an organization.

In reality, however, organizations rarely deal with access requests alone. Individuals may also ask for their data to be deleted, corrected or restricted. While DSAR technically refers to access, in practice it is often used as a broader term for different types of data subject requests.

The real challenge: recognizing the request

One of the most common issues is not the response itself, but the ability to recognize that a request has been made. Requests rarely follow a formal structure. They appear as simple messages — a short email asking for data, a request to delete an account, or a question about stored information. From a legal perspective, the form does not matter. What matters is the intent. If an individual asks about their data, GDPR obligations are already triggered.

And this is where many organizations fail.

Why DSAR handling becomes difficult

The challenge is rarely legal complexity. It is operational. Requests are often scattered across different channels. There is no single place where they are registered, no clear ownership, and no consistent way of handling them. As a result, responses may be delayed, incomplete or inconsistent. In some cases, the organization is not even able to confirm whether a request has been handled at all.

This is not just a compliance issue. It is a lack of control.

DSAR is a process, not a task

Handling a request is not a single action. It is a sequence of steps that must be performed consistently. Data needs to be located across systems, reviewed, and prepared for response. At the same time, the organization must ensure that only the appropriate data is disclosed and that all actions are properly documented. In many cases, personal data is distributed across multiple environments — CRM systems, email inboxes, internal tools or archives.

Without a structured process, consistency becomes almost impossible.

What proper DSAR handling looks like

Organizations that handle DSARs effectively do not rely on individual decisions or ad hoc responses.

Instead, they follow a defined approach where each request is registered, verified and assigned to a responsible person. The process is monitored, deadlines are controlled, and actions are documented along the way.

This does not make the process more complex. It makes it manageable.

The most common mistake: treating DSAR as customer support

A frequent mistake is treating data subject requests as part of customer service. At first glance, this may seem logical. Requests arrive through the same channels and are handled by the same people. However, this approach leads to fragmented communication, lack of accountability and no clear audit trail. And this is exactly what creates risk during inspections.

Because the key question is not whether a response was sent, but whether the organization can demonstrate how the request was handled.

Why manual tracking quickly breaks down

At a small scale, tracking requests through email or spreadsheets may seem sufficient. But as the number of requests increases, visibility decreases. Deadlines become harder to control, responsibilities are unclear, and consistency is lost. What initially seemed simple becomes difficult to manage.

This is the point where organizations realize that the problem is not the request, but the lack of structure.

How to manage DSARs effectively

Organizations that handle DSARs well approach them as part of a broader system. Requests are centrally registered, responsibilities are clearly assigned, and deadlines are monitored in a consistent way. The entire process is documented, making it possible to demonstrate compliance when needed.

The goal is not only to respond, but to stay in control.

DSARs as part of GDPR operations

Handling DSARs is closely connected with other GDPR processes. To respond properly, organizations need to know where data is stored, who has access to it, and how long it is retained. This means that DSAR handling depends on well-functioning processes such as data retention, access management and records of processing activities.

If those areas are not aligned, handling requests becomes fragmented and unreliable.

DSARs and GDPR audits

Data subject requests are one of the first areas examined during GDPR audits. They are easy to verify and reveal how well the organization operates in practice. Authorities look at whether requests are registered, whether deadlines are met and whether responses are complete.

In many cases, this is where the real level of compliance becomes visible.

Summary

DSARs are not just a legal requirement. They are a practical test of how GDPR works inside an organization. When handled without structure, they quickly lead to chaos and risk. When managed as a process, they provide control and clarity.

The difference lies not in knowledge, but in execution.
