DSARs

What is a Data Subject Access Request (DSAR) — and what must you do when you receive one?

A Data Subject Access Request (DSAR) — also called a Subject Access Request (SAR) — is a formal request from an individual asking you to provide all the personal data your organisation holds about them. Under GDPR and UK GDPR, this is a legal right every individual has, and your obligation to respond is strict.

Who can submit a DSAR and about what

Any individual whose personal data you hold can submit a DSAR. This includes:

  • Current and former customers
  • Website visitors whose data you've collected via analytics, cookies, or forms
  • Current and former employees
  • Newsletter subscribers
  • Anyone who has interacted with your business and left any personal data behind

DSARs can cover any personal data you hold — in any system. That includes your CRM, email marketing platform, order history, customer service records, internal communications (emails, Slack messages), CCTV footage, and even handwritten notes if they contain the individual's personal information.

What you must provide in response

GDPR Article 15 defines what a DSAR response must include:

  • Confirmation of whether you process personal data relating to the individual
  • A copy of all personal data you hold about them
  • The purposes for which the data is processed
  • The categories of personal data concerned
  • The recipients or categories of recipient the data has been or will be disclosed to
  • Retention periods — how long you'll keep the data
  • Information about the individual's rights (erasure, rectification, objection)
  • The right to lodge a complaint with a supervisory authority
  • The source of the data if not collected directly from the individual
  • Information about any automated decision-making, including profiling

Your response deadline

You must respond within one calendar month (30 days) of receiving the request. The clock starts from the day you receive it — not the day you verify the identity, not the day you start gathering information. If the request is complex or you've received multiple requests from the same person, you can extend by a further two months — but you must notify the individual within the first month that you're extending and explain why.

The response must be provided free of charge. You can only charge a reasonable fee if the request is "manifestly unfounded or excessive" — for example, a third repeat request in a month for the same data.

Identity verification

Before responding, you should verify that the requester is who they claim to be. This is especially important for requests involving sensitive data (medical information, financial records). You can ask for reasonable evidence of identity — a copy of an ID, confirmation of account details, or answers to security questions. You should not ask for more than is necessary to confirm identity, or make verification deliberately burdensome.

What happens if you miss the deadline or get it wrong

Failing to respond to a DSAR within one month is one of the most common reasons the ICO receives complaints. The ICO's enforcement priority is ensuring individuals can exercise their rights. Penalties for non-compliance with DSAR obligations can reach £17.5 million or 4% of global annual turnover. More commonly, the ICO issues formal reprimands and requires action plans. Every reprimand is public.

The operational challenge for SMBs

For a small business, a DSAR creates a genuine operational challenge. Customer data is typically scattered across multiple platforms — a CRM, an email marketing tool, a payment processor, a helpdesk, an eCommerce platform, and potentially spreadsheets. Pulling all of that together within 30 days, while running your business, is hard without a process in place.

Many SMBs receive their first DSAR with no process at all. The result is either a missed deadline, an incomplete response, or significant disruption to the business while someone scrambles to gather the data.

How Trust Center handles DSAR intake

Trust Center includes a built-in DSAR intake form on your trust page, accessible to any visitor at trust.yourdomain.com. When an individual submits a DSAR:

  • The request is logged with a timestamp — your 30-day deadline is tracked from this moment
  • The individual receives an acknowledgement confirming receipt
  • Your team receives a notification with all the details submitted
  • The request status is tracked in your Trust Center dashboard

Trust Center handles the intake and tracking. Gathering the data across your systems and preparing the response is done by your team — that's the part that requires knowledge of your specific data landscape. But having a clear, timestamped record of every request, with deadline tracking, removes the risk of a request being missed or the deadline miscounted.

DSARs from employees

Employee DSARs are often more complex than customer DSARs, because employment data spans HR records, payroll, performance reviews, disciplinary records, and internal communications. They are also more likely to be contentious — employee DSARs often arise in the context of disputes or grievances. Having a clear process (and legal advice for complex cases) is particularly important in this context.

Preparing before you receive one

The best time to prepare for a DSAR is before one arrives. Map your data — know which systems hold personal data and who is responsible for accessing each one. Ensure you have a DSAR intake route (Trust Center's form) and that your team knows the 30-day obligation. A single practice run — going through the motions of a hypothetical DSAR — will reveal gaps in your process before they become a compliance failure.

Ready to simplify your compliance?

Trust Center manages your privacy policies, cookie consent, and DSARs — one platform, all your brands, always up to date.
