The request you need to be ready for
Imagine this scenario: a customer sends you an email that says, "I want to know what personal data you hold about me." Under the GDPR and equivalent privacy laws around the world, this is a Data Subject Access Request (DSAR), and you have a legal obligation to respond within a defined timeframe — typically 30 days under the GDPR, 45 days under the CCPA/CPRA.
This is not a hypothetical risk. The number of DSARs has grown steadily year over year, driven by increased consumer awareness, the proliferation of rights request portals, and — occasionally — by disgruntled customers or former employees who know their rights. Failing to respond within the deadline, or providing an incomplete response, can trigger a complaint to the supervisory authority and potentially a fine.
For small businesses without a dedicated legal or compliance team, handling a DSAR can feel overwhelming. But with the right process in place, it is manageable.
Step 1: Recognize the request
A DSAR does not have to use specific legal language. A customer might say "I want a copy of my data," "what information do you have about me?", "send me everything you know about me," or simply reference "my rights under GDPR." Any request where an individual asks to access personal data you hold about them should be treated as a DSAR.
DSARs can arrive via any channel — email, web form, social media, phone, or even in person. You do not need to provide a specific form or portal for submitting requests (though providing one makes your life easier). The obligation is triggered by the request itself, regardless of format.
Step 2: Verify the identity
Before disclosing any personal data, you need to confirm that the person making the request is who they claim to be. Disclosing personal data to the wrong person would itself be a data breach. The level of verification should be proportionate — if the request comes from an email address you already have on file for that customer, that may be sufficient. If the request comes from an unfamiliar channel, you may need to request additional identification.
Be careful not to collect excessive information during verification. Asking someone to provide their passport to verify an email address is disproportionate. The goal is to establish a reasonable level of confidence in the requester's identity.
Step 3: Locate the data
This is often the most time-consuming step, and the one where many businesses struggle. You need to identify all the personal data you hold on the individual — not just what is in your main database, but across all systems where their data might exist.
For a typical small business, this means checking your CRM, email marketing platform, analytics, customer support inbox, accounting software, payment processor records, and any spreadsheets or documents that might reference the individual. If you use tools like Shopify, Stripe, Mailchimp, HubSpot, or Xero, you likely have personal data distributed across multiple systems.
This is where having a data map is invaluable. If you know in advance which systems hold personal data and what categories of data each system stores, responding to a DSAR becomes a structured process rather than an ad-hoc investigation. Dxtra's data mapping capability creates this map during your initial setup, so when a request comes in, you already know where to look.
Step 4: Compile and review the response
Once you have located all the data, you need to compile it into a format that is clear and understandable to the individual. Under the GDPR, you must provide the data free of charge, in a commonly used electronic format if the request was made electronically.
Your response should include: the categories of personal data you process, the specific data points held about the individual, the purposes of processing, any recipients or categories of recipients the data has been shared with, the retention period, the source of the data if not collected directly, and information about the individual's rights (correction, deletion, objection, etc.).
Before sending the response, review it to ensure you are not inadvertently disclosing personal data about other individuals. If a database record contains information about multiple people, you need to redact the third-party data.
Step 5: Respond within the deadline
Under the GDPR, you have one calendar month from receipt of the request. This can be extended by a further two months for complex or numerous requests, but you must inform the individual within the first month that an extension is needed and explain why.
Under the CCPA/CPRA, the deadline is 45 calendar days, extendable by a further 45 days with notice.
Track every DSAR with a log that records the date received, the verification steps taken, the systems searched, the date of response, and the content provided. This log is your evidence in case of a regulatory inquiry.
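A small deadline and audit-log tracker for the rules in this step, added here as an illustration (not Dxtra's code or any product feature). It assumes that "one calendar month" means the same day of the next month, clamped to the month's last day, and that an extension only counts when the notice date falls inside the original period; the log fields are the ones listed above.

```python
from __future__ import annotations
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta

def add_months(d: date, months: int) -> date:
    # Same day-of-month N months later, clamped to the month's last day
    # (assumed reading of "one calendar month": 31 Jan -> 28/29 Feb).
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class Dsar:
    regime: str                           # "GDPR" or "CCPA"
    received: date
    verification: list[str] = field(default_factory=list)
    systems_searched: list[str] = field(default_factory=list)
    extension_notice: date | None = None  # date the individual was told
    responded: date | None = None
    content: str = ""

    def base_deadline(self) -> date:
        if self.regime == "GDPR":
            return add_months(self.received, 1)      # one calendar month
        return self.received + timedelta(days=45)    # CCPA/CPRA: 45 days

    def deadline(self) -> date:
        base = self.base_deadline()
        if self.extension_notice is None:
            return base
        # GDPR: up to two further months; CCPA: a further 45 days.
        return add_months(base, 2) if self.regime == "GDPR" else base + timedelta(days=45)

    def extend(self, notice_date: date) -> bool:
        # An extension only counts if the individual was told within the
        # original period; a late notice leaves the base deadline in force.
        if notice_date > self.base_deadline():
            return False
        self.extension_notice = notice_date
        return True

    def overdue(self, today: date) -> bool:
        return self.responded is None and today > self.deadline()

    def log_entry(self) -> dict:
        # The audit record to keep for every request (constructed field set).
        iso = lambda d: d.isoformat() if d else None
        return {"regime": self.regime, "received": iso(self.received),
                "deadline": iso(self.deadline()), "verification": self.verification,
                "systems_searched": self.systems_searched,
                "extension_notice": iso(self.extension_notice),
                "responded": iso(self.responded), "content": self.content}
```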
Step 6: Learn from the process
Every DSAR is an opportunity to improve your data governance. If the process was difficult — if you did not know where data was stored, if you discovered data you did not know you had, if you missed the deadline — those are signals that your data management practices need attention.
Common improvements after handling a first DSAR include: creating or updating your data map, reducing the number of systems that store personal data (data minimization), implementing automated data discovery, and establishing a documented DSAR procedure so that any team member can handle the next request.
Automating the workflow
For businesses that receive more than occasional DSARs, manual handling quickly becomes unsustainable. Dxtra's Data Subject Rights Management automates the core workflow: requests are submitted through the rights portal in your Transparency Center (or logged manually in the dashboard), identity verification is guided, relevant data sources are flagged based on your data map, deadline tracking and alerts help you stay ahead of regulatory timelines, and response templates help you produce thorough, compliant replies.
The result is a process that takes hours rather than days, and that scales as your business grows and request volumes increase. More importantly, it gives you confidence that requests are handled consistently and that you have an audit trail if a regulator ever comes asking.
