

How to Respond to a DSAR — Step by Step

A Subject Access Request (SAR / DSAR) requires you to provide a copy of the requester's personal data you hold, in a concise, transparent, intelligible, and easily accessible form. You normally have one month to respond (extendable in limited cases). The process is operational as much as legal: identity verification, data mapping, redaction, packaging, and secure delivery all need to work together.

1. Log and acknowledge the request

Record the date received — the clock starts from then. Confirm you have received the request and explain what you need next (e.g. proof of identity). If the request is unclear, you may ask the individual to specify the information they want, but you cannot use delay tactics. You should still progress what you can.

2. Verify identity proportionately

Ask for enough evidence to be sure you are disclosing data to the right person, without being excessive. For employees, existing HR checks may suffice. For unknown enquirers, you might request a copy of ID. Document what you accepted, and retain only the minimum verification record you need rather than the evidence itself.

3. Search across systems

Personal data may live in email, HRIS, ticketing systems, backups, and local drives. Your search should be reasonable and proportionate to the scope of the request. You are not obliged to make disproportionate efforts, but regulators expect a genuine attempt across the main systems. Note any areas you did not search and why.

4. Redact before you disclose

You must not disclose another person's personal data without a legal basis — so emails and documents mentioning colleagues, customers, or family usually need redaction. This is where most DSAR responses fail: one missed name can mean a breach. Use a consistent redaction process and review every page of PDFs and exports.

See our guide on what to redact. Ghost is designed with data minimisation in mind — see our security page for details.

5. Deliver and document

Send the response through a secure channel. Keep a record of what was provided, redaction decisions, and any exemptions relied on. If you refuse or limit the response, explain the reason and remind the individual of their right to complain to the supervisory authority.
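The following script is an added example of the five steps above, not Ghost's product or code. It runs a constructed request from "Alex Doe" end to end: it logs the request and computes the one-calendar-month deadline (when the following month has no corresponding day, the last day of that month is used, which is the usual ICO interpretation and an assumption here), records identity verification as a method plus a hash of an evidence reference rather than the evidence itself, searches three constructed system exports while logging what was skipped and why, applies a consistent redaction pass for third-party names and e-mail addresses, and writes the delivery record. The system names, people, e-mail addresses and the colleague directory are all constructed, and the mechanical redaction pass is the consistent first stage only: the page-by-page human review the text calls for still applies.

```python
"""DSAR workflow helper (added example with constructed data)."""
import calendar
import hashlib
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


def response_deadline(received: date) -> date:
    """One calendar month from the day of receipt. If the next month has no
    corresponding day (e.g. received 31 Jan), use its last day. Assumption:
    this follows the usual ICO interpretation; check current guidance."""
    year, month = (received.year + 1, 1) if received.month == 12 else (received.year, received.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


@dataclass
class DSARCase:
    requester: str            # name exactly as given by the requester
    requester_email: str
    received: date
    deadline: Optional[date] = None
    log: list = field(default_factory=list)   # the audit record kept with the case

    def acknowledge(self) -> date:
        """Step 1: the clock starts on the date received; note the acknowledgement."""
        self.deadline = response_deadline(self.received)
        self.log.append(f"received {self.received}; due {self.deadline}; acknowledgement sent")
        return self.deadline


def record_verification(case: DSARCase, method: str, evidence_ref: str) -> str:
    """Step 2: keep a minimal record (method + hash of an evidence reference such
    as an HR record id); never store the ID document itself in the case file."""
    digest = hashlib.sha256(evidence_ref.encode()).hexdigest()[:16]
    case.log.append(f"identity verified via {method}; evidence ref sha256:{digest}")
    return digest


# Constructed sample exports from three systems (not real data).
SYSTEMS = {
    "email": [
        "From: Priya Shah <priya.shah@example.com>\nTo: Alex Doe\nAlex, can you review Jordan Lee's expense claim?",
        "From: Sam Ortiz\nTeam lunch on Friday, everyone welcome.",
    ],
    "hris": ["Employee: Alex Doe; Manager: Priya Shah; Start date: 2021-03-01"],
    "ticketing": ["Ticket 4412 opened by alex.doe@example.com: laptop replacement; handled by Sam Ortiz"],
}


def search_systems(case: DSARCase, systems: dict, skipped: dict) -> list:
    """Step 3: match the requester's identifiers across each system export and
    log every system searched, plus those deliberately not searched and why."""
    needles = [case.requester.lower(), case.requester_email.lower()]
    hits = []
    for name, records in systems.items():
        found = [(name, rec) for rec in records if any(n in rec.lower() for n in needles)]
        hits.extend(found)
        case.log.append(f"searched {name}: {len(found)} record(s)")
    for name, reason in skipped.items():
        case.log.append(f"not searched {name}: {reason}")
    return hits


# Constructed colleague directory used as the third-party name list.
THIRD_PARTIES = ["Priya Shah", "Jordan Lee", "Sam Ortiz"]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def redact(case: DSARCase, system: str, text: str) -> str:
    """Step 4: consistent mechanical pass. Third-party names from the directory
    and any e-mail address other than the requester's are replaced, and each
    decision is logged. A human still reviews every page afterwards."""
    redacted = text
    for name in THIRD_PARTIES:
        if name in redacted:
            redacted = redacted.replace(name, "[REDACTED third party]")
            case.log.append(f"{system}: redacted name of third party (colleague)")

    def sub_email(match):
        addr = match.group(0)
        if addr.lower() == case.requester_email.lower():
            return addr            # the requester's own address is disclosed
        case.log.append(f"{system}: redacted third-party e-mail address")
        return "[REDACTED e-mail]"

    return EMAIL_RE.sub(sub_email, redacted)


def build_response(case: DSARCase, hits: list) -> list:
    """Step 5: assemble the redacted records and log the delivery decision."""
    disclosed = [(system, redact(case, system, rec)) for system, rec in hits]
    case.log.append(f"delivered {len(disclosed)} record(s) via secure channel; exemptions relied on: none")
    return disclosed


def run_example():
    """Walk the five steps for the constructed request from Alex Doe."""
    case = DSARCase("Alex Doe", "alex.doe@example.com", date(2025, 1, 31))
    case.acknowledge()
    record_verification(case, "existing HR record match", evidence_ref="HR-00123")
    hits = search_systems(case, SYSTEMS, skipped={"backups": "disproportionate effort; no live data"})
    return case, build_response(case, hits)


if __name__ == "__main__":
    case, disclosed = run_example()
    for system, text in disclosed:
        print(f"[{system}] {text}")
    print("\n".join(case.log))
```

The audit log the script accumulates is the record step 5 asks for: what was searched, what was not and why, each redaction decision, and the delivery channel. Keeping it as structured lines alongside the case makes it easy to answer a later question from the requester or a supervisory authority.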

Frequently asked questions

How long do I have to respond to a DSAR (Subject Access Request)?

Under UK GDPR / GDPR you normally have one calendar month from the date you receive the request. Extensions are possible in limited circumstances (for example complexity or multiple requests from the same person). Check current ICO or national guidance and your internal policy.

What if the DSAR is very broad?

You may ask the requester to narrow or clarify the scope, but you should still progress what you can and must not use clarification solely to delay. Document your approach and seek legal advice if the scope is unclear.

Must I search every IT system for a DSAR?

You should conduct a reasonable and proportionate search across systems likely to hold the requester's personal data. You are not required to do disproportionate work, but regulators expect a genuine effort across main business systems. Document what you searched and any proportionate limits.

© 2026 Ghost. All rights reserved.