How to handle DSAR (Data Subject Access Request)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Someone emails you and says: "I'd like to see all the data you hold on me." That's a Data Subject Access Request (DSAR), and depending on where your subscribers live, you're legally required to respond. Under GDPR (EU and UK), CCPA (California), and similar laws, people have the right to know exactly what personal data you hold and how you're using it.
The workflow isn't complicated, but you do need to follow it consistently. Here's how to handle a DSAR from start to finish.
Step 1: Acknowledge immediately
As soon as you receive the request, send a confirmation. Let the person know you got it and that you'll respond within the required timeframe. Under GDPR that's one calendar month. Under CCPA it's 45 days. Don't wait until you've done the research to send that first reply.
Step 2: Verify their identity
You need to confirm this is actually the person asking about their own data. For email marketing, that usually means checking that the request came from the same address you have on file, or sending a simple verification link. Keep the method proportionate to the sensitivity of the data. You don't need a passport scan for a newsletter subscription.
Step 3: Gather all their data
This is where most senders underestimate the scope. You need to search everywhere that subscriber's data might live. That includes your ESP (think Mailchimp, Klaviyo, HubSpot), your CRM, your analytics tools, backups, and any third-party integrations. The data you're compiling should cover their email address, name, profile attributes, consent records, preference settings, engagement history, and any segmentation tags. Under GDPR you also need to include the purposes you're processing that data for, where it came from, and who you've shared it with.
Step 4: Redact anything that isn't theirs
If your data includes references to other people (say, someone who referred them), redact those details before you send. The requester has a right to their own data, not anyone else's.
Step 5: Deliver the response securely
Send the compiled data in a clear, readable format within your deadline. A plain document or structured email is fine. You don't need to provide it in a machine-readable file for a basic DSAR (that's more relevant to portability requests).
Step 6: Document everything
Write down when you received the request, how you verified identity, what data you provided, and when you sent your response. This record protects you if the requester or a regulator ever questions your process later.
One thing worth knowing: a DSAR is not the same as a deletion request. Some people use them interchangeably, but they're different rights. A DSAR gives someone a copy of their data. A deletion request (the right to erasure) asks you to remove it. You can receive both at the same time, but they're handled differently.
Still the best time to set up your DSAR workflow is before you receive your first request. That means knowing which systems hold subscriber data, having a verified identity check ready, and keeping a simple log template on hand. Scrambling to figure it out after someone's already waiting is not a fun situation to be in. (Ask anyone who's tried to pull engagement data from six different tools in a hurry.)
If you're not sure whether your current setup is GDPR-ready or you've just received your first DSAR and you're not sure where to start, our SOS hotline is free and we'll actually help you work through it.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.