GDPR and CCPA: What You Need to Know About Data Subject Access Requests

Written by Stephen Ragan, Principal Privacy Consultant at Wrangu

Data subject access requests (DSAR) are one of the rights given to individuals under the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). With DSARs, these two landmark pieces of legislation give data subjects the right to manage the personal data collected on them.

GDPR protects individuals within the EU and applies to organisations outside of the EU that target individuals in the EU for marketing or sales purposes. GDPR gives data subjects specific rights to their personal data including the right to request copies of their data, the right to correct mistakes, the right to restrict processing of data or request deletion, and the data must be portable.

CCPA provides similar privacy rights to California consumers including the right to access, correct, delete, and receive their personal information. CCPA includes other provisions as well such as the right to say no to the sale of personal data and the right to know the categories of third parties with whom data is shared.

Under both laws, organisations are obligated to promptly consider each DSAR and provide a response either taken the requested action or providing an explanation why the DSAR cannot be satisfied. While this might sound like a burden, complying with these rights need not be onerous or difficult.

What is a Data Subject Access Request (DSAR)?

A DSAR is a request by an individual about the data an organisation collects and stores on them. Under GDPR, requests can be submitted at any time and there need not be a reason for the request. Anyone an organisation collects data on may submit a request, and this group is not limited to customers or users. Employees, contractors, sales prospects, and job candidates are just a few additional categories to keep in mind. In some cases, an individual may even submit a DSAR on behalf of another person.

When an organisation responds to a DSAR it is the organisation’s responsibility to verify the identity of the person making the request and supporting evidence to verify an identity may be requested.

When an organisation receives a DSAR it is obligated to respond “without undue delay.” This has been interpreted to mean within a month of the request. This deadline can be extended if the request is complex. However, failure to respond within 40 days opens organisations to the possibility of fines and penalties.

What Must be Included in a DSAR?

The relevant provision under the GDPR is Article 15 “Right of access by the data subject” that states:

The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purpose of the processing;

(b) the categories of personal data concerned;

(c) the recipients of the personal data;

(d) where possible, the period for which the personal data will be stored;

(e) the right to request correction or erasure of the data;

(f) the right to lodge a complaint with the supervisory authority;

(g) the sources of the data if not collected directly from the data subject; and

(h) the existence of automated decision-making.

Under Section 3 of the CCPA the relevant language states that:

  • A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
  • The categories of personal information it has collected about that consumer.
  • The categories of sources from which the personal information is collected.
  • The business or commercial purpose for collecting and selling personal information.
  • The categories of third parties with whom the business shares personal information.
  • The specific pieces of personal information it has collected about that consumer.

What is the Process for Handling a DSAR?

This is the issue that has given organisations a headache because there is no single way to respond to DSARs. Organisations have many options and they can take requests in person, over the phone, or through a website. However, it is best practice to record a copy of the request including the date for auditing purposes.

In addition, per Recital 63 of the GDPR: “where possible, the organisation should provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.”

Here are Some Steps for Handling DSARs:

Step 1: Verify the Individual’s Identity Making the Request

This allows an organisation to determine whether to provide access as well as determine whether they have any information on the individual making the request.

Step 2: Clarify the Nature of the Request

In some cases, data subjects may only want to see the data an organisation has collected on them. In other cases, they may request the correction of inaccurate data or to have data deleted. Clarifying the nature of the request will allow an organisation the opportunity to determine if they can fulfill the request within the one-month timeframe.

Step 3: Review and Approve the Data. Make sure you do not include anyone else’s personal information!

Step 4: Safely Deliver the Customer Information


What makes responding to DSAR’s so challenging is finding all the personal information you collect on a data subject. Often data is scattered throughout an organisation and you must spend time combing through your system, servers, and databases. Not only must you find all the data on an individual, but you must also, when requested; remove, redact, or correct data.

Responding to DSARs requires a careful understanding of what personal information you collect, where it is located, and why it is being processed. See how much money, time, and headaches you can save using Wrangu’s ROI Calculator.

Join your peers and get the latest GRC, Privacy, Security and Regulatory updates delivered straight to your inbox

Read more about our tailor-made software for data privacy and integrated risk management

Relevant news & insights: