---
title: Data Subject Access Request DSAR — RGM® Glossary
url: https://realgrowthmatters.com/glossary/dsar-data-subject-access-request/
updated: 2026-06-10
source_html: https://realgrowthmatters.com/glossary/dsar-data-subject-access-request/
---

# Data Subject Access Request (DSAR)

D·S·A·Rnoun

The right to ask, with a clock attached — one request, every system in scope, and a deadline the law set before you read it.

Term
:   DSAR

Grants
:   Access to one's personal data held

Deadlines
:   ~30 days (GDPR), 45 (CCPA-family)

Scope
:   Every system, including marketing's

## Forms & parts of speech

DSAR · noun

The access request.

"The **DSAR** took three weeks because nobody knew the ESP, the CDP, and the ad audiences all counted."

## Definition in plain terms

A data subject access request (DSAR) is a person's formal demand to see the personal data an organization holds about them — what data, from where, used how, shared with whom. The right anchors GDPR (Article 15) and runs through the CCPA family, India's DPDPA, and most modern regimes, each with a statutory clock: roughly 30 days under GDPR, 45 under CCPA-style laws, extendable once with notice. The request is simple to make and revealing to receive — it audits, in one letter, whether an organization actually knows where its personal data lives.

## The mechanics

The process has fixed anatomy: intake (a findable channel — privacy portal, dedicated address), identity verification proportionate to the data's sensitivity (over-verification is its own violation; under-verification leaks data to imposters), discovery across every system holding personal data, compilation into intelligible form with the metadata rights require (purposes, recipients, sources, retention), legal review for third-party data and exemptions, and delivery on deadline with records kept. The marketing stack is where discovery goes to die, because personal data sprawls exactly where this glossary's entries live: the ESP and its engagement logs, the CDP and CRM, loyalty systems, CUSTOMER-MATCH-style audience uploads, the DATA-LAYER's event streams in analytics, call recordings in CONVERSATION-INTELLIGENCE tools, survey platforms, and the suppression lists that must themselves be searched. A data map — which systems hold what, keyed by which identifiers — converts DSAR response from archaeology to lookup, and DSAR tooling (privacy-ops platforms with system connectors) industrializes it where volume justifies. Two operating truths: requests spike after breaches, PR events, and angry-customer moments (they are often grievances wearing a legal right — handle the grievance too); and the response is itself a privacy act, so sending one person's file to another via sloppy verification is the failure mode regulators remember.

## When it matters

DSARs matter to every organization under modern privacy law — which is every organization with EU, UK, California, or Indian customers — and they matter operationally to marketing because marketing's tools hold most of the personal data and least of the documentation. The discipline is preparation: a current data map across the stack, an intake-verification-discovery workflow rehearsed before volume arrives, deletion and correction flows built alongside (the rights travel together), and the cultural one — a DSAR answered well is trust repaired; answered late or wrong, it is a regulator's easiest case.

**Worked example.** A subscription-retail brand receives its first DSAR wave after a breach notification - 240 requests in a month against a process that is one inbox and good intentions. The first response takes 19 days of archaeology across eleven systems and still misses the call recordings; the second arrives at the wrong customer's address, converting one request into one reportable incident. The rebuild treats DSARs as operations: a data map inventories every system holding personal data (the marketing stack contributes seven of fifteen), identity verification scales to sensitivity, a privacy-ops tool connects the big systems for automated discovery, and legal review templates the exemptions. Median response falls to six days; the deletion workflow built alongside handles the requests that follow access like night follows day. The audit's lasting gift is the map itself - the next ESP migration and the next audience-upload decision both consult it, because the company finally knows where its people's data lives.

**Failure modes to watch.** Discovery that misses the marketing stack's sprawl - audience uploads, event streams, call recordings, suppression lists; verification so loose it mails one person's file to another, or so strict it violates the right itself; deadlines tracked nowhere until they pass; access built without the deletion and correction flows that always follow; and treating the grievance inside the request as someone else's department.

## Synonyms & antonyms

### Synonyms

DSARsubject access requestdata access request

### Antonyms

data deletion request (sibling right)unverified disclosure

## Origin & history

The access right predates the acronym — European data-protection law carried it from the 1995 Directive — but GDPR's 2018 arrival, penalty schedule, and one-month clock made DSAR an operational discipline, and the CCPA family plus privacy-ops tooling turned it into standing infrastructure.

Etymology: [source](https://gdpr-info.eu/art-15-gdpr/).

## Usage trends

Search interest for this term over the last five years:

[View interest-over-time on Google Trends →](https://trends.google.com/trends/explore?q=data%20subject%20access%20request&date=today%205-y)

## Common questions

What is a DSAR?
:   A person's formal request to access the personal data an organization holds on them — data, sources, purposes, recipients — anchored in GDPR Article 15 and echoed across the CCPA family and newer regimes.

What are the DSAR deadlines?
:   Roughly 30 days under GDPR and 45 under CCPA-style laws, extendable once with notice — the clock starts at receipt, not at readiness.

Why are DSARs hard for marketing teams?
:   Personal data sprawls across the marketing stack — ESPs, CDPs, audience uploads, analytics events, call recordings — and discovery without a data map is archaeology on a statutory deadline.

## Related tools & calculators

- tool[CAC calculator](/tools/cac-calculator/)
- tool[LTV:CAC calculator](/tools/ltv-to-cac-ratio-calculator/)

## Resources & people to follow

- reference[GDPR Article 15 — right of access](https://gdpr-info.eu/art-15-gdpr/)
- referencePrivacy-operations practice literature (DSAR workflows)
- referenceRGM analysis — the data map converts DSARs from archaeology to lookup; build deletion alongside access

Curated, non-competitor resources verified per term.

## Related training

- module[Performance marketing](/training/performance-marketing-foundations/)

## Disciplines

Areas of marketing where data subject access request (dsar) is a core concern:

[Performance marketing](/training/performance-marketing-foundations/)[Growth strategy](/training/growth-marketing-foundations/)

## Read next

## Related terms

[GDPR](/glossary/gdpr/)[CCPA](/glossary/ccpa/)[DPDPA](/glossary/dpdpa/)[First-party data](/glossary/first-party-data/)[CRM](/glossary/crm/)

## Sources

1. trends[Google Trends — "data subject access request"](https://trends.google.com/trends/explore?q=data%20subject%20access%20request&date=today%205-y)
