Data Subject Access Request (DSAR)
Individual's right to obtain confirmation of whether their personal data is being processed and access to that data
A Data Subject Access Request (DSAR), also known as the "Right to Access," is a fundamental privacy right enabling individuals to request that organizations disclose the personal data they hold, the purposes for processing, and the recipients of that data. Under GDPR Article 15, data controllers must provide a copy of personal data undergoing processing, along with information about processing purposes, categories of data, recipients, retention periods, and the source of data if not collected directly.
While conceptually simple, DSAR fulfillment is operationally onerous. Industry research indicates an average cost of approximately 28,000. High volumes of requests can paralyze privacy teams, turning a compliance duty into a significant operational burden. UK businesses report spending £70,000 to £330,000 annually on DSAR fulfillment.
Response deadlines vary by jurisdiction, creating a complex compliance matrix for multinational companies. GDPR requires response within one month, extendable by two months for complex requests. CCPA allows 45 days with a potential 45-day extension. Brazil's LGPD imposes an extremely tight 15-day deadline with no extension. Canada's PIPEDA requires 30 days.
The verification paradox presents a significant challenge. To fulfill a request safely, companies must verify that the requester is in fact the data subject, which often requires collecting additional sensitive data (government IDs, selfies), ironically increasing the company's toxic data footprint. Mishandling that verification data can itself lead to separate violations.
Large Language Models create a new category of DSAR difficulty. Personal data used to train models may be "memorized" in weights but is not easily retrievable via query. There is no standard technical method to "query" an LLM for all data it holds on a specific individual without hallucinations. This creates a fundamental compliance gap: organizations may be legally obligated to fulfill access requests they cannot technically satisfy.
In M&A due diligence, the DSAR log serves as a "smoke detector" for data governance health. Zero requests may indicate dark patterns hiding the request mechanism. High backlogs signal operational failure and hidden liability (volume × average cost). Fast resolution indicates automated data governance and healthy compliance posture. Enforcement actions have targeted DSAR failures: British Airways faced £20 million in fines partly for poor DSAR handling, while Sephora's $1.2 million settlement addressed failure to honor Global Privacy Control as a valid request method.