If your organization handles personal data, you have likely encountered—or will soon encounter—a data subject access request (DSAR). A DSAR grants individuals the legal right to request information about the personal data your organization collects, stores, and processes. Privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) make DSAR compliance mandatory. Failure to comply can lead to significant financial penalties and damage to your organization’s reputation.
Meeting DSAR requests is often complex and resource-intensive, especially when data is dispersed across multiple platforms and collaboration tools; this DSAR guide is intended to make that work easier. Ignoring or mishandling these requests not only invites regulatory penalties but also undermines trust with clients and stakeholders. For attorneys and legal professionals tasked with managing compliance, having the right tools and processes in place is crucial. This comprehensive guide outlines DSAR requirements and demonstrates how Hanzo’s suite of products helps legal teams respond efficiently and confidently. Inside you’ll see:
DSAR compliance is an organization’s ability to receive, process, and respond to data subject access requests (DSARs) correctly, completely, and within the legal timeframes set by applicable privacy regulations.
A data subject access request is a formal mechanism through which individuals exercise their legal right to know what personal data an organization holds about them, how that data is used, who it is shared with, and how long it will be retained. Under laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), responding to these requests is a legally enforceable obligation.
Organizations that mishandle DSARs face financial penalties (GDPR fines can reach €20 million or 4% of global annual turnover), regulatory investigations, and serious reputational damage. More immediately, they face the operational challenge of responding accurately, within tight deadlines, across increasingly fragmented data environments.
DSAR compliance obligations arise from multiple overlapping privacy laws. The key frameworks to understand are:
GDPR (EU/UK) — Article 15 of the General Data Protection Regulation grants EU and UK data subjects the right to access their personal data. Organizations must respond within one calendar month. Extensions of up to two further months are permitted for complex or high-volume requests, but only if the data subject is informed within the initial one-month window.
CCPA / CPRA (California) — The California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives California residents the right to know what personal information businesses collect, use, disclose, and sell. Businesses subject to CCPA must respond within 45 days, with a possible 45-day extension.
UK GDPR — Post-Brexit, the UK maintains its own data protection framework that mirrors GDPR in most material respects, including the one-month DSAR response deadline.
Other jurisdictions — Privacy laws in Canada (PIPEDA), Australia (Privacy Act), Brazil (LGPD), South Korea (PIPA), India (DPDP Act), and dozens of other countries include data access rights with their own timelines and requirements. Organizations operating internationally must navigate these overlapping obligations simultaneously.
Understanding which regulation governs a given request — and what that regulation specifically requires — is the first step in any DSAR compliance program.
A compliant DSAR response must confirm whether the organization processes the individual’s personal data and, if so, provide:
Partial or inaccurate responses are a significant compliance risk. Regulators treat incomplete disclosures — whether accidental or deliberate — as failures to comply with the access right.
| Regulation | Initial Deadline | Extension Available | Extension Period |
|---|---|---|---|
| GDPR (EU) | 1 calendar month | Yes (complex/high volume) | Up to 2 additional months |
| UK GDPR | 1 calendar month | Yes | Up to 2 additional months |
| CCPA/CPRA | 45 days | Yes | 45 additional days |
| LGPD (Brazil) | 15 days (confirmation); 30 days (full response) | No | — |
| PIPEDA (Canada) | 30 days | Yes (with notice) | Up to 30 additional days |
The clock starts from the date the request is received — not the date it is assigned, reviewed, or validated. Organizations that fail to start the response process immediately upon receipt routinely miss deadlines, not because of inadequate resources, but because of delayed intake.
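The deadline rules in the table above, turned into a small tracker that counts every date from the receipt date (added example, not part of Hanzo's products or this guide). It assumes one common reading of "calendar month" (the same day-of-month in the following month, clamped to the month's last day when that day does not exist) and models LGPD's 15-day confirmation step as a separate date; confirm the exact counting convention with your regulator's guidance.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Rule:
    unit: str                   # "months" (calendar months) or "days"
    initial: int                # initial response window
    extension: int              # 0 means no extension is available
    confirmation_days: int = 0  # separate confirmation step (LGPD), 0 if none


# Rules taken from the deadline table above; LGPD's 15-day confirmation
# step is modelled separately from its 30-day full response.
RULES = {
    "GDPR (EU)": Rule("months", 1, 2),
    "UK GDPR": Rule("months", 1, 2),
    "CCPA/CPRA": Rule("days", 45, 45),
    "LGPD (Brazil)": Rule("days", 30, 0, confirmation_days=15),
    "PIPEDA (Canada)": Rule("days", 30, 30),
}


def add_calendar_months(d: date, months: int) -> date:
    """Same day-of-month N months later; if that day does not exist
    (e.g. 31 January + 1 month), clamp to the last day of the month.
    Assumption: this is one common reading of 'calendar month'."""
    y = d.year + (d.month - 1 + months) // 12
    m = (d.month - 1 + months) % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def _advance(d: date, unit: str, n: int) -> date:
    return add_calendar_months(d, n) if unit == "months" else d + timedelta(days=n)


def deadlines(regulation: str, received_iso: str) -> dict:
    """Dates (ISO strings) a DSAR owner must track, all counted from receipt."""
    rule, received = RULES[regulation], date.fromisoformat(received_iso)
    out = {"initial_deadline": _advance(received, rule.unit, rule.initial)}
    if rule.confirmation_days:
        out["confirmation_deadline"] = received + timedelta(days=rule.confirmation_days)
    if rule.extension:
        # Extension notice must reach the data subject inside the initial window;
        # the extended deadline still runs from the original receipt date.
        out["extension_notice_by"] = out["initial_deadline"]
        out["extended_deadline"] = _advance(received, rule.unit, rule.initial + rule.extension)
    return {k: v.isoformat() for k, v in out.items()}


def days_remaining(regulation: str, received_iso: str, today_iso: str, extended: bool = False) -> int:
    """Negative means overdue. Use extended=True only after a valid extension notice was sent."""
    d = deadlines(regulation, received_iso)
    key = "extended_deadline" if extended and "extended_deadline" in d else "initial_deadline"
    return (date.fromisoformat(d[key]) - date.fromisoformat(today_iso)).days
```

Feeding the receipt date in at intake (not at assignment or validation) is the point: the tracker makes a late start visible as a negative number rather than a surprise.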
There is no required format for submitting a DSAR. Individuals can make requests via email, a web form, social media, in writing, or verbally. All staff who interact with customers or members of the public should be trained to recognize a DSAR and escalate it immediately to the designated owner.
Send an acknowledgment promptly — within a few business days at most. The acknowledgment should confirm receipt, note the expected response timeframe, and describe any identity verification steps required.
Before disclosing personal data, verify that the requester is who they claim to be. GDPR requires “reasonable measures” — not excessive barriers, but sufficient verification to prevent unauthorized disclosure.
Appropriate verification methods include:
Avoid requiring disproportionate documentation. Asking a customer to provide a notarized ID in response to a straightforward access request would likely constitute an unlawful impediment to exercising their rights.
If the request is unclear or unusually broad, you may contact the requester to seek clarification — but only where genuinely necessary, and only for the purpose of identifying the relevant information. Requesting clarification does not pause the response clock under GDPR; use it sparingly and promptly.
This is where DSAR compliance becomes operationally demanding. Personal data subject to a DSAR may be held across:
A single individual may have interacted with the organization across dozens of digital touchpoints. Failing to search all relevant systems — even legacy ones — creates the risk of an incomplete response.
Hanzo’s Illuminate platform is built specifically for this challenge. It enables legal, risk, and compliance teams to identify, collect, and review data across modern collaboration environments including Slack, Microsoft Teams, and Confluence, using AI to map data connections and prioritize relevant content — significantly reducing the time and manual effort required.
Not all data retrieved through a system search will be disclosable. Reviewers must:
Consistency in redaction is critical. Inconsistent redactions across responses to related requests — or between a DSAR response and documents disclosed in subsequent litigation — create serious legal exposure.
The response package must include the required information set out above. Deliver it securely — via a password-protected file, encrypted email, or a secure portal. Standard unencrypted email may be inappropriate for sensitive personal data.
If a request is refused in full or in part, provide a clear explanation of the reason, cite the applicable legal exemption, and inform the individual of their right to complain to the relevant supervisory authority and to seek judicial remedy.
Maintain complete records of every DSAR: when it was received, how identity was verified, what searches were conducted, what data was retrieved, what exemptions were applied, when and how the response was delivered, and how long it took. This documentation is your primary defense in the event of a regulatory investigation or legal challenge.
Privacy regulations permit organizations to withhold certain information in specific circumstances. Exemptions must be applied carefully and justified — they are not a general mechanism for limiting disclosure.
Key GDPR exemptions include:
Legal professional privilege — Information protected by legal advice privilege or litigation privilege does not need to be disclosed.
Third-party data — Where disclosing data would reveal personal information about another identifiable individual who has not consented, and it is not reasonable to disclose without that consent, the third-party data may be withheld (but the remaining data should still be provided).
Crime and law enforcement — Data collected for the prevention or detection of crime, or the assessment or collection of tax, may be exempt.
Management forecasting — Disclosures that would prejudice the conduct of the organization’s business by revealing management forecasts or plans may be exempt in some circumstances.
Manifestly unfounded or excessive requests — Where a request is clearly abusive or repetitive, the organization may charge a reasonable fee or refuse, but must demonstrate the basis for doing so.
Applying an exemption does not mean withholding the entire response. Only the specific information covered by the exemption can be withheld; everything else must still be disclosed.
Employee DSARs deserve special attention. They are often triggered by employment disputes or investigations, making them simultaneously a data privacy obligation and a litigation risk.
Key considerations for employee DSARs:
Timing: An employee DSAR during active litigation or disciplinary proceedings can be used as informal discovery. Respond accurately and completely, but ensure the legal team is closely involved.
Modern organizations run on dozens of communication and collaboration platforms. The days when responding to a DSAR meant searching an email archive are long gone.
Effective DSAR compliance in a complex digital environment requires:
Hanzo’s platform integrates these capabilities for legal teams managing high-volume or complex DSAR environments. Illuminate handles collection and review across modern collaboration platforms; Chronicle preserves web and social media content — including the exact state of pages at specific points in time — for requests that include online interactions; and Spotlight AI identifies patterns across related requests to improve consistency and reduce duplicative effort.
Responding to individual DSARs is a tactical capability. Building a DSAR compliance program is a strategic one. Organizations that manage DSARs reactively — treating each one as a one-off exercise — incur far higher costs and risks than those with structured, repeatable processes.
A mature DSAR compliance program includes:
Non-compliance with DSAR obligations exposes organizations to significant regulatory action:
GDPR — Fines of up to €20 million or 4% of global annual turnover, whichever is higher, for infringement of data subject rights. The UK Information Commissioner’s Office (ICO) actively investigates and upholds DSAR complaints; in many cases, organizations receive reprimands and enforcement notices that require remedial action within defined timeframes, with escalating penalties for continued non-compliance.
CCPA/CPRA — The California Privacy Protection Agency (CPPA) can impose civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation. Class-action litigation risk is also significant for consumer data breaches arising from mishandled access requests.
Reputational damage — Regulatory decisions are often published. A finding that an organization systematically failed to respond to data access requests is a public record.
Enforcement is increasing. Data protection authorities across Europe have significantly ramped up DSAR-related enforcement in recent years. Organizations that treat DSAR compliance as a low-priority administrative exercise do so at considerable risk.
Hanzo’s suite of products is designed specifically for legal, compliance, and risk teams managing complex data environments:
Illuminate: Collects and reviews personal data across modern collaboration platforms including Slack, Microsoft Teams, and Confluence. AI-powered relevance filtering and data mapping reduce manual effort and improve response accuracy.
Chronicle: Captures websites and social media content exactly as users experienced them, with full version history and legally defensible export. Essential for DSARs that include web interactions, form submissions, or consent records.
Spotlight AI: Identifies patterns across DSAR requests and related documents, improving consistency, reducing duplicative work, and maintaining defensible audit trails.
Together, these tools provide the technology foundation for a DSAR compliance program that can handle high volumes, complex data environments, and regulatory scrutiny — without relying on manual, fragmented workflows that break under pressure.
Hanzo is committed to supporting legal and compliance professionals through every step of DSAR management. Whether you are refining existing workflows or building a compliance program from the ground up, Hanzo’s solutions provide the technology foundation necessary to meet today’s data privacy challenges. Contact us to discuss your compliance needs.