Data Subject Access Requests (DSAR) — A Simple Guide for Businesses
What Exactly Is a DSAR and When Must You Respond
A Data Subject Access Request (DSAR) is a formal request from an individual to see what personal data your business holds about them. Under GDPR Article 15, every person has the right to obtain confirmation of whether their data is being processed and, if so, access to that data along with specific supplementary information.
Key facts about DSARs that every business must know:
- Response deadline: 30 calendar days from receiving the request. This can be extended by an additional 60 days for complex requests, but you must inform the requester within the first 30 days that you need the extension.
- No charge: You must provide the information free of charge for the first request. You may charge a 'reasonable fee' for manifestly excessive or repetitive requests — but 'excessive' is interpreted very narrowly by regulators.
- Any format counts: A DSAR does not need to use specific language or cite GDPR by name. An email saying 'What data do you have about me?' qualifies.
- Verbal requests count: Even a phone call asking about personal data is technically a DSAR. Best practice: follow up in writing to confirm what was requested.
Step 1: Receiving and Logging the Request
When a DSAR arrives, the clock starts immediately. Your first actions:
- Log the request: Record the date received, the requester's name, contact details, and exactly what they are asking for (all data, specific data, deletion, rectification, etc.). Use a simple spreadsheet if you do not have a dedicated system.
- Acknowledge receipt: Send a confirmation email within 2-3 business days, stating: 'We received your request on [date]. We will respond within 30 days as required by GDPR.' This is not legally required but demonstrates good faith and buys you goodwill if you need more time.
- Categorize the request type: Is it an access request (show me my data), a rectification request (fix my data), an erasure request (delete my data), or a portability request (give me my data in a machine-readable format)? The response process differs for each.
- Set a calendar reminder for day 20 — if you have not responded by then, you need to escalate.
Step 2: Verifying the Requester's Identity
Before releasing any personal data, you must verify that the person requesting it is actually the data subject — not someone impersonating them. Getting this wrong exposes you to liability in both directions: releasing data to the wrong person is a data breach; refusing a legitimate request is a GDPR violation.
Proportionate verification methods:
- Existing customers: If the request comes from an email address already in your system linked to their account, this is usually sufficient. You can additionally ask them to confirm a piece of information only they would know (last transaction date, account creation date).
- Non-customers (e.g., website visitors): Ask for enough information to locate their data — such as the email address they used on your site. Do not request disproportionate identification like a passport copy unless you hold particularly sensitive data.
- Third-party requests (e.g., lawyer acting for the data subject): Request a signed authorization letter from the data subject confirming the third party is authorized to act on their behalf.
The verification process must be completed within the 30-day window — not in addition to it. Budget 5-7 days for verification so you have time left to gather and package the data.
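The following is an added example, not code from the guide or from any product it mentions, of the request log that Steps 1 and 2 describe: it records a request, computes the 30-day deadline, only honours the 60-day extension when the requester was notified within the first 30 days, flags day 20 for escalation, and budgets 7 days for identity verification. The request type names, the 7-day verification budget and the status labels are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RESPONSE_DAYS = 30            # standard response window from the guide
EXTENSION_DAYS = 60           # additional days allowed for complex requests
ESCALATION_DAY = 20           # day on which an unanswered request is escalated
VERIFICATION_BUDGET_DAYS = 7  # upper end of the 5-7 days the guide suggests (assumed)

# Request categories from Step 1 (names are an assumption of this example)
REQUEST_TYPES = {"access", "rectification", "erasure", "portability"}


@dataclass
class DSAR:
    requester: str
    contact: str
    request_type: str
    received: date
    scope: str = "all data"
    verified: Optional[date] = None            # date identity verification completed
    extension_notified: Optional[date] = None  # date requester was told an extension is needed
    responded: Optional[date] = None           # date the response was sent

    def __post_init__(self):
        if self.request_type not in REQUEST_TYPES:
            raise ValueError(f"unknown request type: {self.request_type}")

    @property
    def initial_deadline(self) -> date:
        return self.received + timedelta(days=RESPONSE_DAYS)

    @property
    def deadline(self) -> date:
        # The extension only applies if the requester was informed inside the first 30 days;
        # a late notification leaves the original deadline in force.
        if self.extension_notified and self.extension_notified <= self.initial_deadline:
            return self.initial_deadline + timedelta(days=EXTENSION_DAYS)
        return self.initial_deadline

    @property
    def verification_due(self) -> date:
        # Verification must finish inside the window, not be added on top of it
        return self.received + timedelta(days=VERIFICATION_BUDGET_DAYS)

    @property
    def escalation_date(self) -> date:
        return self.received + timedelta(days=ESCALATION_DAY)

    def days_remaining(self, today: date) -> int:
        return (self.deadline - today).days

    def status(self, today: date) -> str:
        """Return the state a reminder system would act on for this request."""
        if self.responded:
            return "closed-on-time" if self.responded <= self.deadline else "closed-late"
        if today > self.deadline:
            return "overdue"
        if self.verified is None and today > self.verification_due:
            return "verification-overdue"
        if today >= self.escalation_date:
            return "escalate"
        return "open"


def request_extension(req: DSAR, notified_on: date) -> bool:
    """Record the extension notice; return True only if it was sent in time to count."""
    req.extension_notified = notified_on
    return notified_on <= req.initial_deadline


def needs_attention(register: list, today: date) -> list:
    """Return (requester, status) for every open request that is past verification or escalation."""
    flagged = []
    for req in register:
        state = req.status(today)
        if state in {"verification-overdue", "escalate", "overdue"}:
            flagged.append((req.requester, state))
    return flagged


if __name__ == "__main__":
    # Constructed sample request for a stand-alone run
    req = DSAR("Ana Lopez", "ana@example.com", "access", date(2024, 3, 1))
    print(req.deadline, req.escalation_date, req.status(date(2024, 3, 5)))
```

A spreadsheet, as the guide suggests, can hold the same columns; the point of the code is that the deadline, the extension rule and the escalation day are computed from the received date rather than remembered.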
Step 3: Finding and Collecting All Relevant Data
This is the most time-consuming step for most businesses. You need to search every system where the person's data might exist:
- CRM / client database: Contact details, notes, interaction history, deal stages, tags, custom fields.
- Email: Search your email inbox for correspondence with this person. The emails themselves contain personal data.
- Invoicing / accounting: Invoices, payment records, transaction history.
- File storage: Documents, contracts, proposals containing their data.
- Analytics: If you can identify specific user sessions (e.g., through a user ID linked to analytics), this data is in scope.
- Backups: Data in backup systems is technically in scope, though regulators generally accept that backup deletion follows normal rotation schedules.
- Third-party tools: Check Mailchimp (subscriber data), HubSpot (contact records), Stripe (payment data), etc.
Create a checklist of every system you use and check each one. Missing a system is a common cause of incomplete responses, which is itself a violation.
Step 4: Packaging and Sending the Response
Your response must include the data itself plus specific supplementary information required by Article 15:
Information to include with the data:
- The purposes of processing (why you have their data)
- The categories of personal data you hold
- The recipients or categories of recipients you shared it with
- The retention period or criteria for determining it
- Their right to rectification, erasure, restriction, or objection
- Their right to lodge a complaint with a supervisory authority
- If data was not collected from them directly, the source of the data
Format: Provide the data in a commonly used electronic format. A PDF is standard for access requests. For portability requests, use CSV or JSON. Do not send data in proprietary formats that require specific software to open.
Security: Send the response through a secure channel. Email with a password-protected PDF attachment is acceptable. Include the password in a separate communication (e.g., text message or a separate email).
Redaction: If the data contains information about other people, redact their details before sending. You cannot share one person's data to fulfill another person's DSAR.
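As an added example (not the guide's own code, and not an integration with any of the tools it names), the script below walks a per-system checklist as Step 3 recommends, pulls every record that references the data subject, redacts other people's email addresses as Step 4 requires, and refuses to assemble the response until every Article 15 supplementary item is present. The in-memory systems, records, addresses and the set of "own" business addresses are constructed sample data; real exports or API queries would take their place.

```python
import json
import re

# Constructed sample exports, one list of records per system on the checklist.
# "analytics" is present but holds nothing identifiable for this subject.
SYSTEMS = {
    "crm": [
        {"email": "ana@example.com", "name": "Ana Lopez", "tags": ["lead"], "notes": "Met at expo"},
        {"email": "bob@example.com", "name": "Bob Ng", "tags": [], "notes": ""},
    ],
    "invoices": [
        {"email": "ana@example.com", "invoice": "INV-1001", "amount": 120.0},
    ],
    "email": [
        {"from": "ana@example.com", "to": "sales@example.com",
         "body": "Please cc bob@example.com on the quote, he is my colleague."},
        {"from": "bob@example.com", "to": "sales@example.com", "body": "Thanks"},
    ],
    "analytics": [],
}

# The business's own mailboxes are not third-party individuals and stay visible (assumed list)
OWN_ADDRESSES = {"sales@example.com"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Supplementary information Article 15 requires alongside the data (Step 4 list)
REQUIRED_SUPPLEMENTARY = {
    "purposes", "categories", "recipients", "retention", "rights", "complaint_right", "source",
}


def redact_third_parties(value, subject_email):
    """Replace every email address that is neither the subject's nor the business's own."""
    def keep(addr):
        return addr.lower() == subject_email.lower() or addr.lower() in OWN_ADDRESSES
    if isinstance(value, str):
        return EMAIL_RE.sub(lambda m: m.group(0) if keep(m.group(0)) else "[REDACTED]", value)
    if isinstance(value, dict):
        return {k: redact_third_parties(v, subject_email) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_third_parties(v, subject_email) for v in value]
    return value


def record_mentions(record, subject_email):
    """A record is in scope when the subject's address appears in any string field."""
    if isinstance(record, str):
        return subject_email.lower() in record.lower()
    if isinstance(record, dict):
        return any(record_mentions(v, subject_email) for v in record.values())
    if isinstance(record, list):
        return any(record_mentions(v, subject_email) for v in record)
    return False


def collect(systems, subject_email):
    """Search every system; return the checklist (hits per system) and the redacted records."""
    checklist, found = {}, {}
    for name, records in systems.items():
        hits = [redact_third_parties(r, subject_email)
                for r in records if record_mentions(r, subject_email)]
        checklist[name] = len(hits)   # zero still proves the system was checked
        if hits:
            found[name] = hits
    return checklist, found


def build_response(subject_email, systems, supplementary):
    """Assemble the access-request package; fail early if supplementary information is missing."""
    missing = REQUIRED_SUPPLEMENTARY - set(supplementary)
    if missing:
        raise ValueError(f"supplementary information incomplete: {sorted(missing)}")
    checklist, data = collect(systems, subject_email)
    return {"subject": subject_email, "systems_checked": checklist,
            "data": data, "supplementary": supplementary}


if __name__ == "__main__":
    info = {k: "<fill in>" for k in REQUIRED_SUPPLEMENTARY}
    print(json.dumps(build_response("ana@example.com", SYSTEMS, info), indent=2))
```

The `systems_checked` map is the written evidence that a system was searched even when it held nothing, which is what distinguishes a complete response from a lucky one.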
Automating DSAR Handling for Growing Businesses
Manually handling DSARs is feasible when you receive one or two per year. But as your business grows — or if you operate in a sector with high request volumes — the manual process breaks down quickly.
Clym includes a built-in data subject request portal that automates much of this workflow:
- A branded web form where data subjects can submit requests, automatically categorized by type (access, deletion, rectification, portability)
- Built-in identity verification steps
- Automatic deadline tracking with escalation alerts
- Response templates compliant with Article 15 requirements
- A complete audit trail of every request and response
The audit trail alone is worth the investment — if a regulator ever investigates a DSAR complaint, being able to show a documented, timestamped process significantly reduces your exposure.
Frequently Asked Questions
Do small businesses really need to comply with GDPR?
Yes. GDPR applies to any business that processes personal data of EU residents, regardless of business size. Fines have been issued to companies with as few as 1-10 employees.
What's the fastest way to make my website GDPR compliant?
The fastest approach is using an all-in-one compliance tool like Clym that handles cookie consent, privacy policy, and data requests in a single integration.
How much do GDPR fines cost for small businesses?
Fines can reach up to 4% of annual turnover or 20 million euros, whichever is higher. In practice, small business fines typically range from 5,000 to 100,000 euros.