Responding to Data Subject Access Requests (DSARs)

Imagine receiving an email from a customer asking, “What data do you have on me?” If your immediate reaction is panic, you’re not alone. Data Subject Access Requests (DSARs) can seem daunting. But having a clear plan can help.

Here’s the good news: when you understand the process, DSAR responses are easier. They can also show your company’s dedication to privacy compliance.

In this blog post, we’ll guide you on handling customer data requests. We’ll cover legal obligations, best practices, and useful tips. This will help you stay efficient, trustworthy, and confident. Whether you manage a small online shop or a large eCommerce team, you’ll feel ready to handle your next DSAR with confidence.

Ready to dive in? Let’s get started!

What Is a Data Subject Access Request (DSAR)?

Understanding the Basics

People can access their personal data from organisations. This is due to laws like GDPR and the UK Data Protection Act 2018. A DSAR allows customers to request:

• Confirmation that you process their data
• Access to their personal information
• Details about how their data is used
• Information on who their data is shared with
• The retention period for their data

Example: If a customer wants to see all their personal info on your eCommerce site, that’s a DSAR. This includes things like purchase history and saved addresses.

Why Proper DSAR Handling Matters

Legal Compliance

Failing to respond properly can lead to serious fines. For instance, GDPR violations can cost up to €20 million or 4% of your annual turnover — whichever is higher.

Customer Trust

Efficient, transparent handling shows customers you value their privacy. Trust is priceless in today’s eCommerce landscape.

Operational Efficiency

A smooth DSAR process saves time and cuts stress. It also lowers the chance of costly mistakes.

Key Insight: In 2023, the UK Information Commissioner’s Office (ICO) got a lot more complaints about DSARs. Being proactive keeps your business off their radar.

Step-by-Step Guide to Responding to a DSAR

Step 1: Recognise a DSAR

DSARs don’t have to follow a specific format. They might arrive via:

• Email
• Website contact forms
• Social media
• Even verbal requests (though written confirmation is advisable)

Tip: Train all frontline staff to recognise DSARs and escalate them immediately.

Step 2: Verify the Identity of the Requestor

Before disclosing any personal information, confirm the person’s identity:

• Request proof of ID (passport, driver’s licence)
• Cross-verify email addresses or order numbers

Important: Be proportionate. Only ask for essential information and explain why you need to verify it.

Step 3: Understand the Request Fully

Clarify the scope of the request if needed:

• Is the customer asking for all data or data relating to a specific interaction?
• Are they requesting deletion, correction, or just access?

If the request is broad, you can ask them to narrow it down, but you cannot refuse service if they don’t.

Step 4: Locate the Data

Search all relevant systems, including:

• CRM platforms
• Email accounts
• Cloud storage
• E-commerce platforms
• Payment processors

Don’t forget physical records, if applicable!

Pro Tip: Maintain a data inventory and map your data flows to make this process easier and quicker.

Step 5: Prepare the Response

The DSAR response should include:

• A copy of the personal data
• Details of data processing activities
• Categories of data processed
• Recipients or categories of recipients
• Retention periods
• The individual’s rights under GDPR

Keep the format clear and user-friendly. Use plain English rather than dense legal jargon.

Step 6: Deliver the Response Securely

• Send data using secure methods (encrypted emails, password-protected files)
• Provide access in a commonly used electronic format (PDF, CSV)

Tip: If transferring large amounts of data, use secure file-sharing platforms.

Step 7: Log the Request

Maintain internal records of:

• Date received
• Nature of the request
• Verification steps
• Steps taken to fulfil it
• Date responded

Audit trails demonstrate your compliance efforts if ever challenged.

Timelines for DSAR Responses

Standard Deadline

You must respond within one month of receipt.

Extensions

You can extend by up to two additional months if the request is complex.

However:

• Notify the requestor within the first month.
• Explain why an extension is necessary.

Example: A simple request for purchase history likely needs no extension. A request involving multiple systems, archived files, and third-party disclosures might.

Common Challenges and How to Overcome Them

Handling Excessive or Repetitive Requests

You can refuse a DSAR if it is “manifestly unfounded or excessive,” but tread carefully. Always document your reasoning thoroughly.

Third-Party Data Issues

Sometimes personal data also involves other individuals (e.g., joint account holders). You must protect third-party rights by redacting or excluding certain information.

Resource Constraints

DSARs can strain small teams. To manage:

• Create standardised templates
• Automate parts of the process with compliance tools
• Assign DSAR duties clearly within your team

Best Practices for Future-Proof DSAR Management

Maintain Clear Privacy Notices

Set customer expectations from the start with transparent privacy notices.

Regular Staff Training

Train all employees to spot DSARs. Handle data with care. If issues arise, escalate them.

Build a DSAR Toolkit

Prepare templates for:

• Acknowledgement emails
• ID verification requests
• Data provision responses
• Extension notifications

Having pre-approved templates ensures consistency and saves precious time.

Conduct Mock DSAR Drills

Periodically simulate DSAR requests internally to:

• Test your process
• Identify bottlenecks
• Fine-tune your response protocol

Quote to Remember: “You don’t rise to the occasion; you fall to the level of your preparation.” — Archilochus

Real-World Example: A DSAR Done Right

Scenario: An eCommerce clothing brand received a DSAR from a long-time customer.

Action Plan:

• The customer support team recognised and escalated the request promptly.
• Identity was verified using an order confirmation email and billing address.
• Data was pulled from CRM, email marketing lists, and transaction histories.
• The response was prepared with clear, plain-language explanations.
• Data was sent via encrypted email within three weeks.

Outcome: The customer appreciated the brand’s professionalism and honesty. As a result, they became a loyal advocate.

Key Takeaway:

Good DSAR handling isn’t just about ticking boxes. It’s about building stronger relationships through trust.

Conclusion: Responding to Data Subject Access Requests (DSARs)

Mastering DSAR responses is no longer optional. Today, privacy expectations are high. It’s crucial to handle customer data requests carefully and quickly. Doing so builds trust and keeps you compliant with privacy rules.

Stay organised, build strong internal processes, and think like your customers. This way, you can change a legal headache into a competitive edge.

Your Next Step?

Take 30 minutes this week to audit your DSAR response readiness. Identify any gaps, draft your templates, and prep your team. The next DSAR that comes through your inbox won’t be a source of panic — it’ll be an opportunity to shine.