General Data Protection Regulation (GDPR)

The European Union’s General Data Protection Regulation (GDPR), put into effect in May 2018, was the first comprehensive and extensive data protection and privacy legislation of its kind. It is so all-encompassing and of such sheer magnitude and importance that it has significantly impacted the way data privacy is approached internationally. Numerous data protection acts use the GDPR as a model for how to structure themselves, such as California’s CCPA and Connecticut’s CTDPA.

The GDPR was created to give individuals back the right to assert control over their own data. One of its important sub-categories is a section on the right of access. This allows individuals to retrieve information about the data an organization holds about them, why that entity has that data, how it is used, and other information relating to it.

With the GDPR, the right to access data was expanded upon ​​with new mandatory information that organizations must provide to individuals upon request. It also made it easier for individuals to submit their requests, access their data, and get information.

Understanding DSAR

Before we go into discussing what a DSAR is, we must first understand what a DSR is. A DSR (Data Subject Request) is the process of requesting personal data from a company and includes the individual’s desire to access, modify, or expunge the data that the organization contains. These requests are becoming more common due to legislation such as the GDPR, California Consumer Privacy Act (CCPA), and The Connecticut Data Privacy Act (CTDPA), among others. Firms must adhere to strict guidelines for honoring data subject requests or face fines and other severe consequences.


Thus, a DSAR (Data Subject Access Request) is a specific type of DSR. Under a DSAR, an individual requests access to all the personal data that an organization has processed about them. The individual is further allowed to regularly maintain access to the information the organization retains to verify the lawfulness of the processing.

In addition to giving access to this data, companies must also inform the requester how they use the individual’s personal data. For example, the data subject may request the purpose of processing their data, who their data will be shared with, and how long the company will store it. This personal data might include details such as an individual’s name, address, or email address. If an individual is not satisfied with how a company has responded to a DSAR in the USA, they are free to make a complaint to the Federal Communications Commission (FCC), where individuals can submit consumer complaints.

Additionally, after a DSAR is submitted and your company complies with the request, an individual might decide that they dislike the amount of information you have on file about them. When looking over the data that you maintain on said individual, they may not agree with what you are using that data for, or even what conclusions you’ve made about them based on their data. In this event, that individual might decide to move forward with an ultimate opt-out.


What Happens When You Get the Ultimate Opt-Out?

  • Group-59


The term opt-out is routinely used to describe unsubscribing or leaving membership from an online group, website, blog, and the like. It is typically used by email marketers to remove users from mailing and subscription lists. So that they don’t receive further emails or messages from the company or list they were previously on.

  • Group-62

    From manual to automation

Your business should have a centralized location for all email suppression data. Here, your internal teams can store and share opt-out lists easily. That way, you will have uniform procedures on how to go about categorizing opt-out members.

  • Group-63

    Email data comparison

Furthermore, this makes sharing and comparing up-to-date data lists with third parties easier. Likewise, an email data comparison tool offers further support by allowing you to analyze your various lists and compare the data. This eliminates duplicates and compiles it all into one up-to-date and easily shareable list with your clients.

How DSARs Are Submitted

As of now, there is no required uniform way that data subject access requests must be submitted in the United States. DSARs can be submitted verbally (in person or via telephone) and by writing (through email, letter, online chat, social media, etc.).

It is essential for your company to recognize all DSARs and to have clear instructions on how your customers can send one, both to make it easier for them to contact you and show to CCPA, the various acts, that you are maintaining accountability and also to standardize the methods that the DSARs will be received.

For example, if you have a toll-free number that individuals can call to submit their data subject access requests or state on your website’s FAQ that all customers can contact support via email, you will have most of your DSARs coming in through phone or email, with perhaps the odd request coming through from elsewhere. However, when you don’t have clear options available for your customers, they will probably choose what is easiest for them when submitting their DSAR. This will make bookkeeping and keeping track of all requests unnecessarily complicated for your company and take up more of your time.

Get Ahead of Your Organization’s Compliance

Download our free compliance handbook to understand why companies are getting fined thousands of dollars and see how you can start improving your company’s email compliance.

Responding to Data Subject Access Requests

Before completing a data subject access request, your company must register the request, and then log the request into a record tracking system that can verify the user. Keeping paperwork of the submissions will help build your accountability and authenticate the user as someone on your data lists so you can save time before you go into working on their DSAR fulfillment.







Additionally, when you are pulling out personal data for the report, it helps if your data organization system is easy to understand and very clear on where all of the personal information is stored. Centralizing your data will help keep the time down for how long it takes to answer and complete data requests since managing deadlines is crucial to fulfilling DSARs. Furthermore, having an organized system will help you from missing critical data on your reports or erasing them in the event of opt-outs.

When it comes to what you should include in a DSAR response, you should always have confirmation that the requestor’s personal data has been processed at the beginning. You should also include the details about the access of the data, clearly state the legality of processing the data, mention the criteria used when you collect personal information and store it, all relevant information about how their data has been acquired, pertinent information about how the data was automatically profiled or categorized, and lastly, all of the third parties this data was shared with.

Once your response is complete, you must review it before ever sending it out to the recipient. This is necessary for several reasons. Firstly, you want to make sure it meets DSAR requirements and, secondly, you do not want to have the personal information of any other individuals on that report except for the requester. If by any chance you give this data to the wrong person or give someone else’s data to the requester, the damages can be catastrophic since your data records might include very private information such as passwords, addresses, or payment information.

When you deliver this personal data report to the individual, you will want to send it in a way where the information is encrypted. It is very costly for you as a business owner every time there is a data breach. The fines for breaches have been going up exponentially every year since lawmakers want organizations to take the seriousness of protecting consumers’ data with the utmost severity.

Summarizing the DSAR Compliance Process

All Data Subject Access Requests can be broken down into a fairly simple process that follows the same steps every single time and thus are relatively straightforward to automate with the help of companies such as OneTrust and Ketch which have many data mapping and consolidation tools available. These companies make it easy to extricate the subject’s data from various sources and gather them all in one place.

When you receive a DSAR from a
subject you will want to:

File Text

Identify and centralize the
subject’s data


Clarify the nature
of the request


Review the data that
you have compiled


Collect and package that
data in an easily
understandable format


Ensure that you are
informing the subject of
their rights in the report


Sending the requested
data to the subject in
an encrypted file

After the subject receives the data, you will want to wait for further communication from them to see what additional steps you should take.

How UnsubCentral Helps After the DSAR


At this point, you’ve received a DSAR request, taken all the necessary measures to respond to said request, and gotten an ultimate opt-out from an individual, but now what? Well, data deletion isn’t the answer at this point. Per the letter of the law, these individuals would become unsubscribes. This means that rather than not having any record of them at all, you would apply a unique identifier to their record, signifying them as “unmarketable” or a non-marketable person. This signifier is crucial as it must be honored throughout your entire marketing and sales ecosystem.

That’s where UnsubCentral comes in with our scrubbing and data comparison tools. We take the headache out of managing multiple lists on multiple platforms by providing a centralized location where all your email suppression data and opt-out individuals exist, ensuring that your employees have a place to share and uniformly categorize opt-out members. This also guarantees that those opt-out members do not receive any type of marketing or sales communication by mistake.

Frequently Asked Questions

What are examples of Data Subject Access Requests (DSAR)?

Data Subject Access Requests (DSARs) can vary depending on the context and the specific information a person wants to access.

Here are a few examples illustrating different scenarios where DSARs might be used:

  1. Customer Data in Retail — A customer submits a DSAR to an online retailer to request all personal data related to their account. That could include purchase history, stored payment methods, and any recorded customer service interactions.

  2. Employment Records — An employee submits a DSAR to an employer asking for all emails and documents that mention them by name. They might do this to understand how their performance is being documented and any discussions about their career progression.

  3. Credit History — An individual submits a DSAR to a credit reporting agency to receive all the personal data the agency holds about them. Stored data they can request include things like their credit scores, decision logs, and sources of the information that influenced their credit ratings.


Why is DSAR important?

Data subject access rights should be protected at all times. Why? These are some reasons why companies should prioritize DSAR compliance::

  1. Enhancing Personal Privacy: DSARs give individuals the power to know exactly what personal data is held about them by an organization. This transparency is key to protecting privacy and is a fundamental right under data protection regulations like the GDPR.

  2. Control Over Personal Information: Individuals can exercise control over their personal data when filing a DSAR. They can verify the accuracy of the data, understand data processing, and see who it is being shared with. This control is essential for allowing individuals to manage their privacy and security.

  3. Compliance with Legal Obligations: For organizations, DSARs are important because responding to them is a legal requirement under various data protection laws. Proper handling of DSARs demonstrates compliance with these data privacy laws, which can help avoid significant fines and legal penalties.

  4. Building Trust: When organizations respond promptly and transparently to DSARs, it builds trust with their customers, employees, and users. This can enhance the reputation of the organization, showing that it respects the privacy and rights of individuals.


Can You Charge a Fee for a DSAR?

Organizations are not allowed to charge a fee for a DSAR. But in some cases, you can charge a reasonable fee for administrative costs. However, this can only apply to multiple or excessive requests to prevent an individual from repeatedly submitting unnecessary DSAR.


What is the role of a Data Protection Officer (DPO)?

Per the European Data Protection Supervisor, a DPO should make sure their organization processes personal data from employees, customers, providers, or other data subjects in compliance with all data privacy regulations and mandates.

Ready to Get

Request a demo with our team to see how our customizable solutions can generate more revenue from your outbound marketing efforts.

Mask Group Round