
Data subject access requests (DSARs) in 2026: the complete guide

Author: Adam Safar


A 2026 complete guide to data subject access requests (DSARs): what they are, response timelines by regulation, handling steps, and how to manage growing volumes.


Between 2023 and 2024 DSAR volumes registered a staggering 43% increase.

Last year 36% of internet users worldwide exercised their data subject access rights, a significant increase from the 24% recorded back in 2022.

All of this points to one conclusion: if your organisation is not yet set up to handle these requests, the question is not whether you will receive one you cannot manage, but when.

This guide covers everything you need to know about data subject access requests (DSARs) in 2026: what they are, who can submit one, how to respond within legal deadlines, and how to manage a growing volume without losing control.

Key takeaways
  • DSARs are formal rights for individuals to request access to personal data held about them, under laws like GDPR and CCPA.
  • Organisations generally have 30 days to respond (45 days under CCPA), with limited extensions available.
  • DSAR volume grew 43% from 2023 to 2024, driven by growing consumer awareness and US state privacy law expansion.
  • Failing to respond can result in fines of up to 20 million euros under GDPR or $7,500 per incident under CCPA.
  • A DSAR is a subset of the broader data subject request (DSR) category, which also covers erasure, correction, and opt-out requests, among others.
  • Manual DSAR processing costs an average of $1,524 per request. Automation reduces this significantly.

What is a data subject access request (DSAR)?

A data subject access request (DSAR) is a formal request submitted by an individual to an organisation asking for access to the personal data held about them. Under GDPR Article 15, individuals have the right to know what personal data is collected, why it is processed, who it is shared with, and how long it will be retained. Similar rights exist under the CCPA, LGPD, and more than 20 US state privacy laws.

The term DSAR is sometimes used loosely to refer to all data subject requests, but strictly speaking it refers to the right of access only. The broader term, data subject request (DSR), covers all request types, including deletion, correction, and opt-out.

As of 2026, data protection complaints are forecast to reach as high as 55,000 in some jurisdictions as AI-driven processing increases scrutiny of how organisations handle personal data.

DSAR vs DSR: what is the difference?

The distinction matters for how you categorise and route incoming requests. Here is a quick comparison:

| Term | What it covers | Example request |
| --- | --- | --- |
| DSAR (Data Subject Access Request) | Right to access: confirm processing and receive a copy of personal data | "Show me all the data you hold about me" |
| DSR (Data Subject Request) | All data privacy rights: access, erasure, correction, portability, opt-out | "Delete my account data" or "Correct my address" |

DSARs are a subset of DSRs. When an individual asks to see what data you hold, that is a DSAR. When they ask you to delete, correct, or stop selling their data, those are other types of DSR.

What are data subject rights?

Data subject rights are legal rights granted to individuals under data protection laws, giving them control over how organisations collect, use, and store their personal data. The GDPR provides the most comprehensive set of these rights, and most other privacy laws have modelled their frameworks on it.

Under GDPR, the core data subject rights are:

  • Right of access (the DSAR): request a copy of personal data held about them
  • Right to rectification: request correction of inaccurate data
  • Right to erasure: request deletion of personal data (right to be forgotten)
  • Right to restrict processing: ask for processing to stop while a dispute is resolved
  • Right to data portability: receive data in a portable, machine-readable format
  • Right to object: object to processing for marketing or research purposes
  • Rights related to automated decision-making: challenge decisions made solely by automated processes

Under CCPA/CPRA, California residents have the right to know, delete, correct, and opt out of the sale or sharing of their personal data. As more US states pass their own laws, organisations need to track which rights apply in each jurisdiction.

Who can submit a DSAR?

Any individual whose personal data you hold can submit a DSAR, provided a data protection law applies to their situation. This includes customers, website visitors, job applicants, and employees.

Most major regulations, including GDPR and CCPA, require organisations to respond to employee DSARs just as they would to consumer requests. Employee DSARs carry additional sensitivity because organisations tend to hold more extensive data, and the request is often tied to an employment dispute.

A request can also be submitted by an authorised representative on behalf of the data subject, such as:

  • A parent or guardian submitting on behalf of a minor
  • A court-appointed official managing someone's affairs
  • An agent authorised in writing by the data subject

If a request comes from a representative rather than the data subject directly, you may ask for evidence of the relationship before processing the request.

DSAR response times by regulation

Response deadlines are one of the most common sources of regulatory penalties. Here is a summary of the key timelines across major privacy laws:

| Regulation | Jurisdiction | Standard deadline | Extension | Max fine (non-compliance) |
| --- | --- | --- | --- | --- |
| GDPR | EU / EEA | 30 days | +60 days | 20M euros or 4% global turnover |
| UK GDPR | United Kingdom | 30 days | +60 days | 17.5M GBP or 4% turnover |
| CCPA / CPRA | California, USA | 45 days | +45 days | $7,500 per intentional violation |
| LGPD | Brazil | 15 days | Not defined | 2% of Brazil revenue (cap R$50M) |
| PIPEDA | Canada | 30 days | With written notice | Up to CAD $100,000 per violation |
| Australian Privacy Act | Australia | 30 days | Not defined | AUD $50M+ |
| Singapore PDPA | Singapore | 30 days | Reasonable extension possible | SGD $1 million |

Always confirm the exact deadline under the specific regulation that applies to your business and the data subject's location. This table reflects the general position at the time of publication.

How to respond to a DSAR: step-by-step

The DSAR response process follows a consistent structure across most jurisdictions. Getting these steps right will cover the vast majority of requests your organisation receives.

  1. Acknowledge the request. Confirm receipt as soon as possible, ideally within 72 hours. This starts the legal clock and sets expectations with the data subject. Many regulations require a written acknowledgment.

  2. Verify the requester's identity. Before releasing any personal data, confirm the requester is who they say they are. Sending data to the wrong person is itself a data breach. Use a secure verification method, not just a reply email.

  3. Clarify the scope of the request. Determine exactly what the data subject is asking for. Requests can range from a general 'show me everything' to a specific category of data. Seeking clarification early prevents scope creep.

  4. Search for and gather the data. Locate all relevant personal data across your systems, databases, and third-party tools. This is often the most time-consuming step, particularly when data is scattered across legacy systems or dozens of cloud applications.

  5. Review for third-party data and exemptions. Before sending the response, review the data for any third-party personal data that should be redacted, and check whether any legal exemptions apply (such as legal privilege or commercial confidentiality).

  6. Communicate any delays. If you need an extension, notify the data subject before the original deadline expires, explain why, and give an estimated completion date. You can only extend once, within the legally permitted limit.

  7. Send the response. Provide the data in a clear, commonly used electronic format. Include a summary of the data subject's rights and their right to complain to a supervisory authority.

  8. Document the entire process. Keep a timestamped record of every step, from receipt to resolution. This is your evidence of compliance if a regulator asks.

What information must you include in a DSAR response?

A DSAR response for a right-of-access request must include the following elements:

  • Confirmation that you are processing the data subject's personal data (or that you are not)
  • A copy of the personal data held about them
  • The purpose of the processing
  • The categories of personal data involved
  • Any third parties to whom the data has been disclosed
  • The retention period, or the criteria used to determine it
  • The source of the data, if not collected directly from the data subject
  • Details of automated decision-making or profiling, if applicable

You are not required to provide everything in your records. You only need to include personal data, not internal notes or memos that reference the subject. Redact any personal data belonging to third parties before sending.

Can you refuse to respond to a DSAR?

Yes, but only in limited circumstances. Most regulations allow refusal when a request is considered manifestly unfounded or manifestly excessive.

Manifestly unfounded: the request has no genuine privacy purpose. For example, the individual is using it to harass the organisation rather than to exercise a legitimate right.

Manifestly excessive: the request is repetitive and clearly overlaps with a very recent, substantially identical request.

Be cautious with these exceptions. They are narrow and regulators interpret them strictly. If you refuse, you must inform the data subject within the standard response deadline and explain your reasoning clearly. Each request must be considered individually. Blanket policies that set criteria for 'acceptable' requests are not permitted under GDPR.

What happens if you don't respond to a DSAR?

Ignoring a DSAR is one of the most common triggers for regulatory fines and supervisory investigations.

The financial exposure is significant:

  • GDPR: fines for data subject rights violations can reach 20 million euros or 4% of annual global turnover, whichever is higher
  • CCPA: up to $7,500 per intentional violation, meaning a batch of unanswered requests can add up quickly
  • UK GDPR: up to 17.5 million GBP or 4% of global turnover

Since GDPR was introduced in 2018, cumulative fines across Europe have exceeded 7.1 billion euros in total, with Ireland's Data Protection Commission alone issuing over 4 billion euros in aggregate fines.

Beyond financial penalties, organisations that fail to respond face complaints to supervisory authorities, reputational damage, and heightened regulatory scrutiny in future audits.

The three most common failure points are:

  • No intake channel where data subjects can actually submit requests
  • Missing the legal response deadline, even when a response is eventually sent
  • Using email and spreadsheets that are not timestamped, scalable, or auditable

Managing DSAR volume in 2026

DSAR volume is growing at a rate that manual processes cannot keep up with. CCPA-related requests grew 246% from 2021 to 2024. GDPR requests grew 222% over the same period. UK compliance teams now spend between 70,000 and 330,000 GBP annually on DSAR compliance, with the average cost per request estimated at 1,200 GBP.

Manual processing costs are even higher in the US. The average cost per manually processed DSAR request is $1,524, and large organisations facing thousands of requests a year can hit $1.8 million in annual manual processing costs.

The four biggest time sinks in DSAR processing are:

  • Data discovery: finding where personal data actually lives across dozens of systems. IT administrators typically estimate that their organisation uses 30 to 40 cloud applications, when the average enterprise actually uses more than 1,000
  • Identity verification: confirming the requester is who they claim to be, securely and consistently
  • Response drafting: writing compliant, consistent responses under time pressure and across multiple regulations
  • Documentation: maintaining an audit-ready record of every request, communication, and action

Clym's data subject request management solution handles the full workflow from submission to resolution. Requests come in through the Governance Portal, get routed to the right team with pre-configured templates for each jurisdiction, and every action is timestamped in an audit-ready record. Whether your organisation handles 10 requests a month or 10,000, the process stays consistent.

DSAR templates and intake forms

A DSAR template is a standardized form that allows data subjects to submit requests clearly and consistently. Having a proper intake process reduces back-and-forth, speeds up identity verification, and creates a clean record from the start.

A good DSAR intake form should collect:

  • The data subject's full name and contact details
  • A way to verify their identity
  • The nature of the request: access, deletion, correction, opt-out, or other
  • Any specific data or data category they are asking about
  • Confirmation of their relationship to your organisation

Clym's Governance Portal provides a ready-to-use request form that collects the right fields for each jurisdiction and feeds requests directly into a managed compliance workflow. You can also add requests manually if they arrive by email, phone, or post, keeping all DSRs in one place regardless of channel.

Who should handle DSARs in your organisation?

Most organisations assign DSAR handling to a Data Protection Officer (DPO) or a designated privacy lead. Not all laws require a DPO, but most recommend having a named person responsible for data subject request management.

That person does not need to personally complete every response, but they should:

  • Oversee the process and ensure responses go out within the legal deadline
  • Review complex or sensitive requests before they are sent
  • Maintain internal policy and response templates
  • Document the process so that any team member can follow it

For larger organisations, DSAR handling typically involves legal, IT, customer service, and data governance teams. Coordinating this without a structured workflow tool leads to missed deadlines and inconsistent responses. This is where a platform with built-in task routing and deadline tracking becomes essential.

How Clym helps with data subject request management

Managing data subject requests manually is not scalable. As privacy awareness grows and more regulations come into force, organisations need a system that can handle volume, maintain accuracy, and produce audit-ready records without adding headcount.

Clym's data subject request management solution supports:

  • Multi-channel request intake: requests submitted through the Governance Portal or added manually via the Control Center when they arrive through other channels

  • Jurisdiction-specific templates: pre-configured response templates for GDPR, CCPA/CPRA, LGPD, and more, shown only for the relevant regulation

  • Identity verification workflow: built-in steps to confirm the requester's identity before any data is shared

  • Deadline tracking and reminders: automated alerts as the response deadline approaches, so nothing slips through

  • Audit-ready documentation: a complete, timestamped record of every communication and action taken on each request

Clym's ReadyCompliance® feature pre-configures your settings for 150+ global regulations, so you are not starting from scratch each time a new law comes into effect. If you also need a consent management solution or a way to manage privacy and cookie policies alongside your DSAR workflow, Clym handles everything in one platform.

Conclusion

DSAR volume is growing in every direction. More US states are passing privacy laws. More consumers know their rights. And regulators are increasingly willing to issue fines for non-compliance.

The fundamentals of a good DSAR process are consistent across nearly every regulation: verify identity, gather data, respond in time, and document everything. Getting those four things right will handle the vast majority of requests your organisation receives.

Where organisations run into problems is volume and complexity. If you are still processing requests by email and spreadsheet, you are taking on unnecessary risk as request numbers climb. A structured workflow tool does not just save time. It creates the audit trail that protects you when a regulator asks for evidence.

The good news is that setting up a compliant, scalable process is more straightforward than it sounds. Start with a proper intake form, assign clear ownership, and use a tool that tracks deadlines automatically. From there, you build.

Frequently asked questions about DSARs

What is the difference between a SAR and a DSAR?

A SAR (Subject Access Request) is the UK-specific term for the same right as a DSAR. Both refer to an individual's right to request access to their personal data under data protection law. SAR is the term used by the UK ICO, while DSAR is more common internationally. The process and deadlines are identical under UK GDPR.

How long do you have to respond to a DSAR?

Under GDPR, you have 30 days from receipt, with a possible 60-day extension for complex requests. Under CCPA, the deadline is 45 days, extendable by a further 45 days. Other regulations vary. Always check the specific law that applies to the data subject's location and the nature of your business.

Can employees submit a DSAR?

Yes. Under GDPR and most other major privacy laws, employees have the same right to submit a data subject access request as any other individual. Employee DSARs are often more sensitive because organisations hold more extensive data, and the request may be connected to a disciplinary or employment dispute.

What happens if you miss the DSAR response deadline?

Missing the response deadline can result in a complaint to a supervisory authority, a formal investigation, and significant fines. Under GDPR, fines for data subject rights violations can reach 20 million euros. Under CCPA, each intentional violation carries a penalty of up to $7,500. Missing deadlines is one of the most common causes of enforcement action.

Do you have to respond to every DSAR?

You must respond to the vast majority of DSARs. You may refuse only when a request is manifestly unfounded or manifestly excessive, and these exceptions are narrow. If you refuse, you must notify the data subject within the standard response deadline and explain your reasons. Each request must be assessed individually.

What is a DSAR process?

A DSAR process is the internal workflow your organisation uses to handle data subject access requests from receipt to resolution. A standard process includes acknowledging the request, verifying identity, gathering and reviewing the data, drafting the response, sending it within the legal deadline, and documenting every step. Having a documented process is itself a sign of good practice to regulators.

What should a DSAR response include?

A DSAR response should include a confirmation of processing, a copy of the personal data held, the purpose of processing, the categories of data, any third parties the data has been shared with, the retention period, the data source, and details of any automated decision-making. You should also remind the data subject of their right to complain to a supervisory authority.

Adam Safar

Head of Digital Marketing

Adam is the Head of Digital Marketing at Clym, where he leverages his diverse expertise in marketing to support businesses with their compliance needs and drive awareness about data privacy and web accessibility. As one of the company’s original team members, Adam has been instrumental in shaping its journey from the very beginning. When he’s not diving into marketing strategies, Adam can be found cheering on his favorite sports teams or enjoying fishing.
