What is the first thing I should do when I receive a DSAR?

The first thing you should do is log the request immediately — record the date received, the requester's name and email, and what they've asked for. Then calculate your 30-day deadline (calendar days, not working days). Send a brief acknowledgment to the requester confirming you've received their request.

How do I search for someone's personal data across all our systems?

Search systematically across all systems: email (to/from/about the person), CRM and databases (customer records, contact details, purchase history), HR systems (if an employee request), shared drives (documents, spreadsheets mentioning them), third-party systems (marketing platforms, payment processors, support tools), and paper files. Document what you searched, when, and who did it.

What systems should I check when responding to a DSAR?

Check: email systems, CRM/customer databases, HR and payroll systems (for employee requests), file servers and shared drives, cloud storage (Google Drive, OneDrive, Dropbox), marketing platforms (Mailchimp, HubSpot), payment processors, support ticketing systems, website analytics, CCTV footage, access logs, backup systems, and paper files.

How should I send the DSAR response securely?

Send your response via: encrypted email (password-protected attachments with password sent separately), a secure file sharing portal with access controls, or tracked postal mail for physical documents. Never send unencrypted personal data via regular email. Confirm delivery and keep proof of when the response was sent.

What should be included in a DSAR response letter?

Your response letter should include: confirmation you hold their data, a summary of what data you're providing, the purposes you process it for, who you've shared it with, how long you keep it, their rights (rectification, erasure, restriction, complaint to regulator), and an explanation of any redactions made. Attach all the relevant personal data documents.

How long should I keep DSAR records?

Keep all DSAR records for at least 6 years. This includes: the original request, identity verification evidence, search records, redaction records, the final response sent, and any correspondence. This covers the limitation period for most legal claims and demonstrates compliance if a regulator investigates.

GDPR DSAR Response Checklist for Small Businesses (2026)

A practical, step-by-step checklist to help you respond to data subject access requests correctly and on time. Designed for business owners, office managers, and IT admins.

📅 Response Timeline

Day 0

Request received

Days 1-3

Log & verify

Days 4-20

Gather & redact

Days 21-30

Review & send

1 Phase 1: Immediate Actions (Days 1-3)

☐
Log the request Record the date received, requester's name, email, and what they've asked for
☐
Set the deadline Calculate 30 calendar days from receipt (not working days)
☐
Acknowledge receipt Send a brief confirmation that you've received the request
☐
Verify identity Confirm the requester is who they claim to be before processing
☐
Assess the request Is it clear? Do you need to ask for clarification?

2 Phase 2: Data Gathering (Days 4-20)

☐
Search email systems Search for emails to/from/about the data subject
☐
Search CRM/database Customer records, contact details, purchase history
☐
Check HR systems If employee request: personnel files, payroll, performance records
☐
Check shared drives Documents, spreadsheets, presentations mentioning them
☐
Check third-party systems Marketing platforms, payment processors, support systems
☐
Check paper files Physical documents, signed forms, printed correspondence

3 Phase 3: Redaction (Days 15-25)

🔒 Critical step

You must redact third-party personal data before sending. Failure to do so is a data breach.

☐
Identify third-party data Names, emails, phone numbers of other people in documents
☐
Redact permanently Use proper redaction tools — not just highlighting or white boxes
☐
Check metadata Remove hidden data in documents (author names, track changes)
☐
Review redactions Have a second person check the redacted documents

Read the full redaction guide →

4 Phase 4: Response (Days 21-30)

☐
Prepare cover letter Explain what data you're providing and required GDPR disclosures
☐
Include processing information Purpose, legal basis, recipients, retention period, rights
☐
Compile response package Cover letter + all relevant personal data documents
☐
Final review Check everything is complete and correctly redacted
☐
Send securely Encrypted email, secure portal, or tracked post

5 Phase 5: Record Keeping

☐
Save the original request Keep the email/form with timestamp
☐
Document identity verification How you confirmed who the requester was
☐
Log search activities What systems were searched, when, by whom
☐
Keep redaction records What was redacted and why
☐
Save response copy Copy of everything you sent with date/time
☐
Retain for appropriate period Keep records for at least 6 years (statute of limitations)