What are record-keeping obligations for DSAR responses?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Once you've responded to a Subject Access Request, your job isn't done. You need to document what happened. not just for compliance, but because a second request, an appeal, or a regulatory investigation can arrive later, and you'll need to be able to reconstruct what you did and when.

What to record for each DSAR:

  • When the request was received (date and channel)
  • The identity of the requester and how you verified it
  • What data was requested (or whether it was a general "all data" request)
  • What data you located and provided
  • What data you retained and why (suppression records, legal obligations, etc.)
  • When you sent the response and in what format
  • Whether the requester requested an extension and whether you granted one
  • Any follow-up correspondence

You don't have to provide this log to the requester. It's your internal compliance documentation. But if a Data Protection Authority investigates, they may ask for it.

How long to keep DSAR records: Most organizations keep DSAR records for three to six years. GDPR doesn't specify a period, but given that enforcement actions can come years after the fact and civil claims can be brought within the statute of limitations for civil claims in the relevant jurisdiction, keeping records for at least three years after the response is sent is defensible practice.

The practical gap: many email programs handle SARs on an ad hoc basis and don't formalize the record-keeping until after they've had a difficult second request or a follow-up investigation. Setting up a simple log. even a spreadsheet. before the first request arrives is worth doing.

For the response itself and what it should contain, see what to include in a SAR response. For handling deletion requests with the same level of documentation, see handling deletion requests securely.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me set up my DSAR documentation process

I want to set up a proper process for documenting DSAR responses. I've handled a few requests in the past but haven't kept formal records. Help me build a simple record-keeping system, what to capture, how to store it, and how long to keep it.

Edit the yellow boxes, then send to the AI of your choice.