The DSAR Handling module in Secure Privacy's Governance Solution manages the full lifecycle of Data Subject Access Requests — from intake and identity verification through to response delivery and audit logging. It helps your organization meet the legal response timeframes required by GDPR (30 days), CCPA (45 days), and other applicable privacy regulations, while maintaining a complete, defensible audit record of every action taken.
Who Is This For?
Privacy officers overseeing DSAR response processes and ensuring regulatory deadline compliance
Legal teams ensuring timely, compliant responses to all data subject rights requests
Support staff handling incoming data requests and coordinating the response workflow across departments
Accessing DSAR Handling
From the left sidebar in the Governance Solution, navigate to Compliance > DSARs. The main view displays all requests in a filterable table with real-time status indicators and deadline tracking.
Creating and Processing a DSAR
Step 1: Click + Add Request
Click + Add Request in the top-right corner to log a new data subject rights request.
Step 2: Fill in request details
Complete the following fields to fully document the incoming request:
| Field | Description | Example |
|---|---|---|
| Subject | Email address or identifier of the data subject submitting the request | |
| Request Type | The specific data subject right being exercised | Access Request, Erasure, Rectification, Portability |
| Status | Current handling status of the request | Pending, In Progress, Completed |
| Due Date | Response deadline — automatically calculated based on the applicable regulation and receipt date | 2025-06-22 |
| Related Processes | Link to relevant data processing activities in the Process Register | Customer Data Processing |
| Assignees | Team members responsible for handling and responding to the request | |
| Response Time | Legal response timeframe for the applicable regulation | 30 days (GDPR), 45 days (CCPA) |
Step 3: Process the request
Work through the request by gathering the required personal data, verifying the data subject's identity, and preparing the response. Update the status field as work progresses to keep the record current and all assignees informed.
GDPR DSAR Deadline Tracking
The platform automatically calculates and tracks the response deadline for each request based on receipt date and applicable regulation. A visual progress bar shows how much time remains, with color-coded indicators providing at-a-glance urgency signals:
Green — Plenty of time remaining; request is on track
Yellow — Deadline approaching with less than 50% of response time remaining
Red — Deadline imminent or overdue; immediate action required
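The deadline logic described above can be reproduced outside the platform, for example to cross-check an exported register during a weekly review. The following is an added example, not Secure Privacy's code: the `Request` class, the function names and the sample register are hypothetical, and the 3-day cutoff for "imminent" is an assumption, since this page does not define it.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Response windows in days, as stated on this page.
RESPONSE_DAYS = {"GDPR": 30, "CCPA": 45}
# Assumption: the page does not define "imminent"; 3 days is a placeholder.
IMMINENT_DAYS = 3

@dataclass
class Request:
    subject: str
    regulation: str
    received: date
    status: str = "Pending"  # Pending, In Progress, Completed

def due_date(req):
    """Receipt date plus the regulation's response window."""
    if req.regulation not in RESPONSE_DAYS:
        raise ValueError(f"no response window configured for {req.regulation!r}")
    return req.received + timedelta(days=RESPONSE_DAYS[req.regulation])

def indicator(req, today):
    """Map remaining time to the green / yellow / red scheme described above."""
    remaining = (due_date(req) - today).days
    if remaining <= IMMINENT_DAYS:                      # imminent or overdue
        return "red"
    if remaining < RESPONSE_DAYS[req.regulation] / 2:   # under 50% of window left
        return "yellow"
    return "green"

def review_queue(requests, today):
    """Open requests that are not green, earliest due date first."""
    flagged = [r for r in requests
               if r.status != "Completed" and indicator(r, today) != "green"]
    return sorted(flagged, key=due_date)

# Constructed sample register (not real data).
SAMPLE = [
    Request("subject-a@example.com", "GDPR", date(2025, 5, 23)),
    Request("subject-b@example.com", "CCPA", date(2025, 5, 1), "In Progress"),
    Request("subject-c@example.com", "GDPR", date(2025, 4, 20)),
    Request("subject-d@example.com", "GDPR", date(2025, 4, 1), "Completed"),
]

if __name__ == "__main__":
    today = date(2025, 6, 10)
    for r in review_queue(SAMPLE, today):
        print(indicator(r, today), due_date(r), r.subject)
```

An unknown regulation raises an error rather than defaulting to a window, so a request logged without a recognised regulation cannot silently appear on track.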
DSAR Secure Data Handling
The DSAR module applies enterprise-grade security controls to all personal data handled during the request process:
Files and attachments are encrypted at rest and in transit using AES-256 and TLS 1.2+
Access to request records and attached data is restricted to assigned team members only
All data access events are logged automatically for audit purposes
Completed response packages can be securely shared with the data subject when ready
Custom DSAR Intake Controls
Customize your DSAR intake form with custom fields to collect the specific information your organization needs to process requests efficiently. See the dedicated DSAR Custom Controls article for step-by-step configuration instructions.
DSAR Audit Trail for Regulatory Accountability
Every action related to a DSAR record is automatically logged — including creation, status changes, communications, file uploads, assignee changes, and completion. This provides a complete, timestamped, defensible record of your response process for supervisory authority review under GDPR Article 5(2) and Article 12 accountability requirements.
DSAR Performance Reporting
The DSAR Performance report in the Reporting & Analytics module provides operational insights into your DSAR program:
Average response times across all request types
Completion rates broken down by request type
Trending request volumes over time — identifying seasonal patterns or spikes
Overdue request analysis — highlighting systemic process issues requiring intervention
DSAR Handling Best Practices
Verify identity before processing any request
GDPR Article 12 allows organizations to request additional information to confirm a data subject's identity where there is reasonable doubt. Always document the verification method and outcome before sharing any personal data in a response.
Assign DSARs to specific team members immediately on receipt
Unassigned requests are the most common cause of missed DSAR deadlines. Log and assign every incoming request on the day it is received — ensuring accountability is established from the outset and the deadline clock is visible to the responsible team member.
Use deadline tracking to monitor all open requests
Review the DSAR register regularly and prioritize any requests showing yellow or red deadline indicators. Do not wait for automated reminders alone — an active weekly review prevents deadline breaches caused by unexpected complexity or delays.
Maintain detailed notes throughout the response process
Document every decision made during the DSAR response — including data searches conducted, exemptions considered, and the rationale for any refusals. Detailed notes create the audit-ready record needed to defend your response process to a supervisory authority.
Review DSAR performance metrics monthly
Use the DSAR Performance report to identify trends in response times, request volumes, and overdue rates. Monthly reviews allow compliance teams to spot process bottlenecks and implement improvements before they become systemic compliance failures.
Next Steps
Configure your DSAR intake form using DSAR Custom Controls to collect the information specific to your organization's request types
Monitor DSAR response times and completion rates through Reporting & Analytics
Set DSAR deadline reminders in the Compliance Calendar for proactive deadline management
Frequently Asked Questions
Does the module support CCPA requests as well as GDPR DSARs?
Yes. The DSAR Handling module supports requests under multiple privacy regulations — including GDPR (30-day response requirement) and CCPA (45-day response requirement). The applicable response timeframe is automatically calculated based on the regulation selected when the request is logged.
What happens if a DSAR response deadline is missed?
Failing to respond within the legal timeframe is a direct regulatory breach — under GDPR, this can trigger supervisory authority complaints and enforcement action. The platform's red deadline indicator and automated reminders are designed to prevent this, but if a deadline is missed, document the reason immediately and issue the response as quickly as possible with a written explanation to the data subject as required under GDPR Article 12(3).
Can DSARs be linked to specific processing activities in the Process Register?
Yes. The Related Processes field allows each DSAR to be linked to the relevant data processing activities documented in the Process Register — creating end-to-end traceability from the data subject's request to the processing activity that generated their personal data.