Contact us Today!

Data Subject Access Request Management Tools and Procedures

Managing data subject access requests is one of the ongoing compliance issues from the General Data Protection Regulation (GDPR) that has caused problems for privacy professionals. If you need assistance with creating a DSAR program, call Clarip at 1-888-252-5653.

A recent survey of UK consumers found that more than 30% had already exercised one of their subject access rights in the first three months after the GDPR went into effect and over 50% plan to exercise their new rights in the next year. If other EU citizens are exercising their rights at a similar rate, then organizations holding consumer data could face a significant compliance burden.

Companies that are holding the personal data of consumers need to be prepared for the management of these requests through either a manual or automated procedure. There are complexities to both situations. Manual responses require excess capacity to handle high volumes of customer service and to gather the information or execute the internal procedure necessary to respond to the request. Automated responses require data mapping to determine all of the locations that personal information is stored in structured and unstructured data within the organization and the creation of software to gather all of the information (for access and export requests) or delete the data (for the right to delete).

Clarip can help companies overcome the problems with their data subject access request management through a combination of our DSAR portal, data mapping capabilities, privacy compliance experience, and custom software to automate the process. For a demo of our products, please call 1-888-252-5653.

What is a Data Subject Access Request?

Some privacy laws permit individuals to request a company or organization take certain actions with regard to the personal data or information which they have in their possession. The particular subject access requests may differ by jurisdiction as each regulator can impose their own access rights. However, the core rights from the GDPR are the right to access personal data in the company’s possession, the right to correct inaccurate information, the right to delete personal information and the right to export it.

Applicability: Limited (European Union and California) or Worldwide

The European Union is the primary jurisdiction for subject access requests at the moment. The right went into effect in Europe in May 2018 when the EU began enforcing GDPR. Companies that are based in Europe and holding individual’s personal data must give data subjects these rights. For those companies that must comply with the law but are not located in Europe, a number of them have extended the rights from GDPR to their customers and website users worldwide rather than give people separate rights based on their geographic location.

The California Consumer Privacy Act also contains subject access rights. The two primary requirements of the law for companies operating in California that are covered by the law are the right to access and delete personal information. The right to data portability is also contained within the right to access if the companies decides to send the individual’s information electronically rather than through the mail. These rights will go into effect in January 1, 2020.

As more jurisdictions decide to implement subject access rights, other companies are going to face the challenge of whether to limit these rights to the location where they are required or to give them to everyone. If compliance is automated, then giving the rights to everyone may be the easiest solution. However, if something goes wrong with the process, it has created an obligation that can be enforced under Section 5 of the FTC Act.

Authentication of the Individual

One of the biggest problems with data subject access requests is the need to validate that the individual is indeed the person that is entitled to the information. This can be accomplished through either identity access management or two factor authentication.

Agency Requests

As privacy laws develop, there are going to be ongoing challenges for businesses. This is certainly one of them. Rather than directly contact businesses, some individuals are outsourcing the process and authorizing organizations to get the information on their behalf. This is expressly permitted by the California Consumer Privacy Act in certain situations, subject to the regulations that are going to be developed by the CA Attorney General.

The Creation of Subject Access Request Forms

Many companies are handling subject access requests by email to the chief privacy officer or data protection officer. However, a better method to minimize the back and forth between company employees and users is the creation of a request form that gathers all of the necessary information from the data subject.

Applying the Exceptions

The bounds of the law permitting individuals to request their information are not unlimited. Individuals are generally limited to a certain number of requests. Organizations may also exclude certain information that they hold about an individual depending on the specifications and exceptions created by the law. For example, both the GDPR and California Consumer Privacy Act permit the retention of certain data necessary for the business despite a request of erasure if it meets one of the specified exceptions.

Delivery of Electronic Records and Data Portability

Privacy laws are increasingly calling for companies to provide data to consumers in a format that can be used to facilitate the transfer of the information to other companies. This is consistent with the idea that the data is owned by the individual rather than the company.

Automation of Deletion

The process of automatically deleting personal data (or personal information) contained in structured and unstructured data at the push of a button can be complex. It will require data mapping to identify all of the locations of an individual’s data as well as a custom software adapter to work with the organization’s internal systems.

Deletion and Backups

One of the hardest issues with the right to delete in GDPR is the problem of backups. Many businesses are taking a wait and see approach here to see how aggressively the law is enforced in this area. Other businesses are explaining their backup retention process to people and providing a timeline for the complete deletion of their information.

The Right to Correct

GDPR provides individuals the right to correct information that is wrong in the possession of the organization. However, there can be more complexity to it as it is not always possible for all parties to agree to the accuracy of every piece of information.


One of the potential problems with fulfilling subject access requests is that there is a lot of room for error. What happens if a piece of information is missed from an access request and it is later discovered? Or if it turns out that there was information that was not deleted following the completion of the exercise of the right to erasure, what process should be followed? Companies need to be verifying and auditing their responses so that they do not end up with a big mess years down the road.


Another important aspect of the subject access rights is documentation. Organizations need to be documenting the DSAR process for each individual so that they can adequately demonstrate compliance in response to any government requests via data protection authorities or other regulatory agencies. This includes all aspects of the process including any delays resulting in seeking more time to respond, the decision that the individual is not entitled to full access or deletion, and all communications with the individual from the start to the finish to demonstrate transparency and accurate disclosures of the rights.

Related Content

DSAR Software
Right of Access in CCPA
CCPA Right to Delete
Applying the 9 CCPA Exemptions to Deletion Requests
GDPR Right of Access Under Article 15
Right to Rectification (Correction) Under GDPR Article 16
GDPR Right to Erasure Under Article 17
Right to Data Portability under GDPR Article 20
Individual Rights Manager Software
Legal Obligation Exceptions to the CCPA Right to Delete
Internal Use Exceptions to the CCPA Right to Delete
Research Exception to the CCPA Right to Delete
Verifiable Consumer Requests in CCPA