Growth Marketing Glossary

Data Subject Access Request (DSAR)

D·S·A·Rnoun

The right to ask, with a clock attached — one request, every system in scope, and a deadline the law set before you read it.

data subjectrequestwhat do youhold on me?full answer,on deadlinethe right to ask - and the clock that starts when they do
Schematic — the request and the deadline
Term
DSAR
Grants
Access to one's personal data held
Deadlines
~30 days (GDPR), 45 (CCPA-family)
Scope
Every system, including marketing's

Forms & parts of speech

DSAR · noun
The access request.
"The DSAR took three weeks because nobody knew the ESP, the CDP, and the ad audiences all counted."

Definition in plain terms

A data subject access request (DSAR) is a person's formal demand to see the personal data an organization holds about them — what data, from where, used how, shared with whom. The right anchors GDPR (Article 15) and runs through the CCPA family, India's DPDPA, and most modern regimes, each with a statutory clock: roughly 30 days under GDPR, 45 under CCPA-style laws, extendable once with notice. The request is simple to make and revealing to receive — it audits, in one letter, whether an organization actually knows where its personal data lives.

The mechanics

The process has fixed anatomy: intake (a findable channel — privacy portal, dedicated address), identity verification proportionate to the data's sensitivity (over-verification is its own violation; under-verification leaks data to imposters), discovery across every system holding personal data, compilation into intelligible form with the metadata rights require (purposes, recipients, sources, retention), legal review for third-party data and exemptions, and delivery on deadline with records kept. The marketing stack is where discovery goes to die, because personal data sprawls exactly where this glossary's entries live: the ESP and its engagement logs, the CDP and CRM, loyalty systems, CUSTOMER-MATCH-style audience uploads, the DATA-LAYER's event streams in analytics, call recordings in CONVERSATION-INTELLIGENCE tools, survey platforms, and the suppression lists that must themselves be searched. A data map — which systems hold what, keyed by which identifiers — converts DSAR response from archaeology to lookup, and DSAR tooling (privacy-ops platforms with system connectors) industrializes it where volume justifies. Two operating truths: requests spike after breaches, PR events, and angry-customer moments (they are often grievances wearing a legal right — handle the grievance too); and the response is itself a privacy act, so sending one person's file to another via sloppy verification is the failure mode regulators remember.

When it matters

DSARs matter to every organization under modern privacy law — which is every organization with EU, UK, California, or Indian customers — and they matter operationally to marketing because marketing's tools hold most of the personal data and least of the documentation. The discipline is preparation: a current data map across the stack, an intake-verification-discovery workflow rehearsed before volume arrives, deletion and correction flows built alongside (the rights travel together), and the cultural one — a DSAR answered well is trust repaired; answered late or wrong, it is a regulator's easiest case.

Worked example. A subscription-retail brand receives its first DSAR wave after a breach notification - 240 requests in a month against a process that is one inbox and good intentions. The first response takes 19 days of archaeology across eleven systems and still misses the call recordings; the second arrives at the wrong customer's address, converting one request into one reportable incident. The rebuild treats DSARs as operations: a data map inventories every system holding personal data (the marketing stack contributes seven of fifteen), identity verification scales to sensitivity, a privacy-ops tool connects the big systems for automated discovery, and legal review templates the exemptions. Median response falls to six days; the deletion workflow built alongside handles the requests that follow access like night follows day. The audit's lasting gift is the map itself - the next ESP migration and the next audience-upload decision both consult it, because the company finally knows where its people's data lives.
Failure modes to watch. Discovery that misses the marketing stack's sprawl - audience uploads, event streams, call recordings, suppression lists; verification so loose it mails one person's file to another, or so strict it violates the right itself; deadlines tracked nowhere until they pass; access built without the deletion and correction flows that always follow; and treating the grievance inside the request as someone else's department.

Synonyms & antonyms

Synonyms

DSARsubject access requestdata access request

Antonyms

data deletion request (sibling right)unverified disclosure

Origin & history

The access right predates the acronym — European data-protection law carried it from the 1995 Directive — but GDPR's 2018 arrival, penalty schedule, and one-month clock made DSAR an operational discipline, and the CCPA family plus privacy-ops tooling turned it into standing infrastructure.

Etymology: source.

Usage trends

Search interest for this term over the last five years:

View interest-over-time on Google Trends →

Common questions

What is a DSAR?
A person's formal request to access the personal data an organization holds on them — data, sources, purposes, recipients — anchored in GDPR Article 15 and echoed across the CCPA family and newer regimes.
What are the DSAR deadlines?
Roughly 30 days under GDPR and 45 under CCPA-style laws, extendable once with notice — the clock starts at receipt, not at readiness.
Why are DSARs hard for marketing teams?
Personal data sprawls across the marketing stack — ESPs, CDPs, audience uploads, analytics events, call recordings — and discovery without a data map is archaeology on a statutory deadline.

Related tools & calculators

Resources & people to follow

Curated, non-competitor resources verified per term.

Related training

Disciplines

Areas of marketing where data subject access request (dsar) is a core concern:

Sources

  1. trendsGoogle Trends — "data subject access request"