ISpectra Technologies
Data Subject Rights · Guide · Updated Jun 2026 · 9 min read

Subject Access Requests (DSARs): How to Respond

A DSAR is the right of access in action. Here’s what you must provide, the deadline, and how to respond reliably.


Of all the data subject rights, the right of access — exercised through a subject access request — is the one you are most likely to receive and the one that takes the most work to handle well. Getting your DSAR process right is a practical, high-frequency test of your GDPR compliance.

This guide explains what you must provide, the deadlines and fees, how to verify identity, search and redact, apply exemptions, and build a process that handles requests smoothly.

What a subject access request is

A subject access request (DSAR) is how an individual exercises their right of access under GDPR: they ask you for a copy of the personal data you hold about them, plus information about how and why you process it. It is one of the most frequently exercised rights — and often the most resource-intensive to handle.

Anyone can make a DSAR, in writing or verbally, to any part of your organisation, and you must be able to recognise and act on it wherever it lands.

What you must provide

In response to a DSAR you must give the person a copy of their personal data and a set of supplementary information: the purposes of processing, the categories of data, the recipients, the retention period, the source of the data, the existence of their other rights, and whether any automated decision-making is involved.

Much of the supplementary information mirrors your privacy notice, so a good notice makes responding easier.


The one-month deadline

You must respond without undue delay and within one month of receiving the request. For complex or numerous requests you can extend by a further two months, but you must tell the person within the first month and explain why.

The clock starts when you receive the request, not when you get around to it — so logging requests promptly and tracking deadlines is essential.

Usually free of charge

DSARs must normally be handled free of charge. You can only charge a reasonable, administration-based fee, or refuse, where a request is manifestly unfounded or excessive — for example, repetitive requests clearly intended to cause disruption.

The bar for “unfounded or excessive” is high, so most requests should be answered without a fee.

Verifying identity

Before releasing data you should verify the requester’s identity using proportionate checks, so you don’t disclose personal data to the wrong person. If you have reasonable doubts, you may ask for information to confirm identity — and the response clock can pause until you receive it.

Keep verification proportionate: demanding excessive proof can itself become an obstacle to a legitimate request.

Searching for the data

The hardest part of a DSAR is usually finding all the relevant data. Personal data can sit in databases, CRM systems, emails, support tickets, spreadsheets, call recordings and backups. You must make reasonable and proportionate efforts to locate it across your systems.

A current data map showing where personal data lives turns this from a stressful scramble into a structured search.

Third-party data and redaction

A response often contains data about other people — names in emails, details of colleagues. You must avoid adversely affecting others’ rights, which usually means redacting third-party information unless those individuals have consented or it is reasonable to disclose.

Balancing the requester’s right of access against third parties’ privacy is one of the more delicate parts of handling a DSAR.

Exemptions

Certain data can be withheld under exemptions. Common examples include legally privileged material, information that would prejudice the prevention or detection of crime, and confidential references. National law sets out the detail, and exemptions are generally specific rather than blanket.

Where you rely on an exemption to withhold data, record your reasoning so the decision is defensible.

Handled well, this is one more building block of practical GDPR compliance.

Format of the response

Where the request is made electronically, you should provide the response in a commonly used electronic format unless the person asks otherwise. The data and supplementary information should be concise, transparent and intelligible, using clear language.

A wall of raw data dumps is rarely acceptable — the person should be able to understand what you hold and why.

What a DSAR is not

A DSAR is a right to your data, not a general right to documents or answers. People sometimes use DSARs to obtain information for disputes or litigation, but the right is about their personal data, not every document that mentions a topic.

You should still respond fully to the personal data element, while recognising that the request does not oblige you to act as a general disclosure exercise.

Handling high-volume requests

Some DSARs are huge — years of emails and records. The law allows the two-month extension for genuinely complex cases, and you can ask the requester to clarify the scope where you process a large amount of data, which can pause the clock. Clarification should help the person, not be used to obstruct them.

For organisations that receive many requests, tooling that searches and redacts efficiently is a worthwhile investment.

Building a DSAR process

A reliable DSAR process has clear stages: recognise and log the request, verify identity, clarify scope if needed, search all systems, review and redact, compile the supplementary information, and respond within the deadline. Train staff so any team member can spot a request and route it correctly.

With a defined workflow, DSARs become predictable rather than disruptive.

Common mistakes

The usual failings are: not recognising a request because it didn’t use the words “subject access request”, missing the deadline, searching only the obvious systems, disclosing third-party data without redaction, and over-using the “manifestly excessive” refusal. Each is avoidable with training and a defined process.

Treat every request as genuine until shown otherwise, and respond helpfully — it is both the legal and the sensible course.

How ISpectra helps

A smooth, reliable DSAR process is a clear marker of practical GDPR compliance. ISpectra Technologies helps organisations build DSAR workflows, map where personal data lives so it can be found, set up identity verification and redaction, and train staff to recognise and route requests — turning a common compliance pain point into a routine.

If access requests currently consume days of scrambling, a short review will show you how to streamline them.

In one paragraph

A subject access request is how someone exercises their right of access: you must give them a copy of their personal data plus supplementary information about the processing, within one month and usually for free. Verify identity first, search across all your systems, redact third-party data, and apply any exemptions with documented reasoning. You can extend by two months for complex cases and ask for clarification of scope where you hold a lot of data. The reliable answer is a defined workflow — recognise, verify, search, review, respond — supported by a data map so you can actually find everything you hold.


Why DSARs deserve real attention

It is tempting to treat DSARs as an administrative nuisance, but they carry disproportionate risk and opportunity. A mishandled request — missed deadline, incomplete search, or careless disclosure of someone else’s data — is one of the most common reasons individuals complain to regulators, and the failure is easy to evidence: the deadline either was or was not met.

Handled well, the same request becomes a trust-building moment that shows you take people’s data seriously. Because DSARs also force you to know where personal data lives, a strong DSAR capability tends to improve your wider data governance — better inventories, cleaner systems, faster erasure and breach response. In that sense, investing in DSAR readiness is really investing in the health of your whole data estate.

Subject Access Requests — Frequently Asked Questions

What is a subject access request?
A request by an individual for a copy of the personal data you hold about them, plus information about how and why you process it — the right of access in action.

How long do we have to respond?
Within one month of receipt, extendable by two further months for complex or numerous requests if you inform the person within the first month.

Can we charge a fee?
Usually no. You can only charge a reasonable fee or refuse where a request is manifestly unfounded or excessive.

Do we have to disclose data about other people?
No. You should redact or withhold third-party personal data unless those individuals consent or it is reasonable to disclose it.

Should we verify the requester’s identity first?
Yes, using proportionate checks. If you have reasonable doubts, you can ask for confirmation, and the response clock can pause until you receive it.

Is a DSAR a right to every document that mentions the person?
No. It covers the person’s personal data, not every document mentioning a topic. You must still respond fully to the personal data element.