Data Subject Access Requests: Handling Process – A Comprehensive Guide for Australian Organizations

In today’s data-driven landscape, organizations face increasing regulatory pressure to protect individual privacy rights while maintaining operational efficiency. Data Subject Access Requests (DSARs) represent a cornerstone of modern privacy legislation, granting individuals fundamental rights over their personal data. For Australian organizations, understanding and implementing robust DSAR handling processes is not just a compliance requirement but a critical business imperative.

The regulatory landscape continues to evolve rapidly, and the penalties for non-compliance are substantial. Under the GDPR, infringing data subjects’ rights can attract administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, while CCPA violations can incur civil penalties of up to $7,500 per intentional violation. This underscores the importance of establishing DSAR handling processes that deliver timely, accurate, and legally compliant responses.

Recent statistics reveal a significant upward trend in DSAR usage globally. In 2024, 36 percent of internet users worldwide had exercised their Data Subject Access Request rights, up from 24 percent in 2022, according to Statista in “Share of internet users worldwide who have exercised their rights to Data Subject Access Request (DSAR) from 2022 to 2024.”1 This 12 percentage-point rise over two years (a 50 percent relative increase) indicates that individuals are becoming increasingly aware of their privacy rights and are actively exercising them, creating heightened operational demands for organizations worldwide.

Understanding Data Subject Access Requests

A Data Subject Access Request constitutes a formal request from an individual (data subject) to an organization (data controller) regarding the processing of their personal data. These requests encompass various rights, including the right to access, rectify, restrict processing, delete, or receive personal data in a portable format. The General Data Protection Regulation (GDPR) and similar privacy frameworks, including the California Consumer Privacy Act (CCPA), establish specific obligations for organizations to respond substantively to these requests within prescribed timeframes.

The scope of DSARs extends beyond simple data retrieval. Organizations must also account for data their systems derive or infer about an individual, system-generated logs, and data processed through third-party services. A complete inventory of these sources is what makes a response transparent while keeping the retrieval itself controlled and secure.

According to Microsoft’s official documentation in Data Subject Requests and the GDPR and CCPA,2 several processes may be involved in completing a DSAR, including discovery (determining what data is needed), access (retrieval and potential transmission), rectification (implementing requested changes), restriction (limiting access or processing), export (providing data in machine-readable format), and deletion (permanent removal from systems).

Current Trends and Statistics

The landscape of data subject rights continues to expand significantly. ISACA’s 2024 analysis in The Evolving World of Data Privacy Trends and Strategies,3 highlights that privacy laws are granting individuals increasingly robust control over their data, emphasizing rights such as the “right to be forgotten,” data portability, and the ability to opt out of data collection. Organizations must adapt their processes to accommodate these expanding rights, which often require sophisticated technical and operational capabilities. 

The Australian context presents unique considerations, with the Office of the Australian Information Commissioner (OAIC) reporting in its Latest Notifiable Data Breaches statistics for July to December 2024,4 that malicious or criminal attacks are a leading cause of data breaches. This connection between cybersecurity and privacy protection emphasizes the importance of secure DSAR handling processes that protect both organizational data and individual privacy rights during the response process.

Regulatory Framework and Compliance Requirements

The regulatory framework governing DSARs varies across jurisdictions, but common elements include strict response timeframes and comprehensive documentation requirements. The GDPR requires a response without undue delay and in any event within one month of receipt, extendable by a further two months for complex or numerous requests. Some U.S. state privacy laws allow longer periods, with Iowa permitting up to 90 days and other states generally requiring responses within 45 days. In Australia, Australian Privacy Principle 12 of the Privacy Act 1988 requires an organization to respond to a request for access within a reasonable period, which the OAIC’s guidance treats as generally being 30 days.

ISACA’s 2024 guidance emphasizes the need for organizations to expand privacy rights handling processes for intake, verification, tracking, fulfillment, and appeals to include new rights and response periods mandated by evolving state privacy laws. This requires organizations to maintain flexible, scalable systems capable of adapting to changing regulatory requirements.

The National Institute of Standards and Technology (NIST) released a draft update to its Privacy Framework (version 1.1) in April 2025, announced in NIST Updates Privacy Framework, Tying It to Recent Cybersecurity Guidelines,5 which aligns it with the Cybersecurity Framework 2.0. This integration reflects the growing recognition that privacy and cybersecurity are interconnected disciplines requiring coordinated approaches to risk management and compliance.

Technical Implementation Framework

Implementing effective DSAR handling processes requires robust technical infrastructure capable of discovering, accessing, and processing personal data across diverse systems and platforms. Microsoft’s approach, as documented in its compliance frameworks, provides insight into industry best practices for technical implementation.

The discovery process represents the foundation of DSAR handling, requiring organizations to identify all locations where personal data may be stored. This includes structured databases, unstructured file systems, email archives, backup systems, and cloud storage platforms. Microsoft’s Purview portal and similar enterprise solutions provide centralized capabilities for data discovery across hybrid and multi-cloud environments.

Access and export processes must ensure data integrity while providing information in formats that are “structured, commonly used, and machine-readable,” as GDPR Article 20 requires for portability (Article 15 governs the right of access itself). Organizations must balance transparency requirements with security considerations, implementing appropriate authentication and authorization controls throughout the process.

System-generated logs present particular challenges for DSAR handling. According to Microsoft’s documentation, logs and related data generated by systems may contain personal data under GDPR definitions. However, restricting or rectifying data in system-generated logs is generally not supported due to the need to maintain historical integrity and prevent fraud or security risks.
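The discovery, export and log-handling points above can be exercised end to end on constructed data. The following Go program is an added example written for this article, not code from Microsoft or any other source the article cites; the CRM schema, file-share contents, log format and the substring-based matching are all assumptions for illustration (production discovery relies on classification tooling and exact-match indexes rather than substring search). It walks three kinds of source, records locations rather than the data itself, marks log hits as access-only because they are not rectified, and exports only the subject’s own structured records.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subject carries the identifiers used to locate one person's data.
type Subject struct{ Email, CustomerID string }

// Finding records where data was located, not the data itself, so the discovery report
// can circulate between legal, IT and security without re-disclosing anything.
type Finding struct {
	Source      string `json:"source"`
	Location    string `json:"location"`
	Rectifiable bool   `json:"rectifiable"` // false for system-generated logs
}

// CRMRecord is a structured row and Document an unstructured file; both schemas are
// constructed for this example.
type CRMRecord struct {
	CustomerID string `json:"customer_id"`
	Name       string `json:"name"`
	Email      string `json:"email"`
	Plan       string `json:"plan"`
}
type Document struct{ Path, Body string }

// Sources bundles the stores a scan walks: a structured table, a file share, app logs.
type Sources struct {
	CRM  []CRMRecord
	Docs []Document
	Logs []string
}

// mentions is a case-insensitive substring match on either identifier. Real discovery
// tooling uses classifiers and exact-match indexes; this shows the shape of the scan.
func (s Subject) mentions(text string) bool {
	t := strings.ToLower(text)
	return (s.Email != "" && strings.Contains(t, strings.ToLower(s.Email))) ||
		(s.CustomerID != "" && strings.Contains(t, strings.ToLower(s.CustomerID)))
}

// Discover walks every source and returns the findings plus the structured records that
// belong to the subject, which are the only data the export carries.
func Discover(s Subject, src Sources) ([]Finding, []CRMRecord) {
	var findings []Finding
	var owned []CRMRecord
	for i, r := range src.CRM {
		if (s.Email != "" && strings.EqualFold(r.Email, s.Email)) ||
			(s.CustomerID != "" && strings.EqualFold(r.CustomerID, s.CustomerID)) {
			findings = append(findings, Finding{"crm", fmt.Sprintf("customers[%d]", i), true})
			owned = append(owned, r)
		}
	}
	for _, d := range src.Docs {
		if s.mentions(d.Body) {
			findings = append(findings, Finding{"files", d.Path, true})
		}
	}
	for i, line := range src.Logs {
		if s.mentions(line) {
			// Disclosed on access but never rewritten: historical integrity and fraud
			// investigation depend on logs staying as written.
			findings = append(findings, Finding{"logs", fmt.Sprintf("app.log:%d", i+1), false})
		}
	}
	return findings, owned
}

// Export serialises only the subject's own structured records as portable JSON, the
// "structured, commonly used and machine-readable" form Article 20 asks for.
func Export(requestID string, records []CRMRecord) ([]byte, error) {
	return json.MarshalIndent(map[string]interface{}{"request_id": requestID, "records": records}, "", "  ")
}

// SampleSources is constructed data for the walk-through; none of it is real.
func SampleSources() Sources {
	return Sources{
		CRM: []CRMRecord{{"C-1001", "Ada Example", "ada@example.com", "pro"},
			{"C-1002", "Someone Else", "other@example.com", "free"}},
		Docs: []Document{{"share/notes.txt", "Call with ADA@example.com about renewal"},
			{"share/minutes.txt", "Board minutes, no customer data"}},
		Logs: []string{"2025-01-10T09:00:00Z login ok user=C-1001 ip=203.0.113.5",
			"2025-01-10T09:05:00Z login fail user=C-1002 ip=198.51.100.7",
			"2025-01-11T14:20:00Z export started user=c-1001"},
	}
}

func main() {
	findings, owned := Discover(Subject{Email: "ada@example.com", CustomerID: "C-1001"}, SampleSources())
	for _, f := range findings {
		fmt.Printf("%-5s %-20s rectifiable=%v\n", f.Source, f.Location, f.Rectifiable)
	}
	out, _ := Export("DSAR-0001", owned)
	fmt.Println(string(out))
}
```

Run it and the inventory lists one CRM row, one file and two log lines for the subject, with the log entries flagged non-rectifiable; the export contains only the subject’s record and nothing belonging to the other customer, which is the data-minimization property a reviewer should check before anything leaves the organization.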

Operational Processes and Workflows

Effective DSAR handling requires well-defined operational processes that ensure consistent, timely, and accurate responses. The workflow typically begins with request intake and validation, followed by identity verification, scope determination, data discovery, processing, and response delivery.

Request intake systems must capture essential information including the requestor’s identity, contact information, specific rights being exercised, and any relevant details about the data in question. Organizations should implement standardized intake forms and channels to ensure consistency and completeness of information collection.

Identity verification represents a critical security control, preventing unauthorized access to personal data while ensuring legitimate requestors can exercise their rights effectively. Verification should rely on contact details and credentials the organization already holds for the individual, not on details supplied in the request itself, and should not demand more identity data than the request warrants. Organizations must balance security requirements with accessibility, implementing proportionate verification measures based on the sensitivity of the data and the nature of the request.

Scope determination involves clarifying exactly what data and processing activities are covered by the request. This step often requires communication with the requestor to ensure mutual understanding and appropriate expectations regarding the response.
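The intake and verification steps above are where a DSAR process most often turns into a security incident: a weak check hands one person’s data to another. The following Go program is an added example, not code from any source the article cites; the request schema, the one-month deadline rule and the use of a contact address already on file are assumptions chosen to illustrate the controls, and the HMAC secret would in practice come from a secret store.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Request is a minimal DSAR intake record; the field names are assumptions for this example.
type Request struct {
	ID            string
	Right         string    // access, rectification, erasure, portability, ...
	Received      time.Time // date of receipt; this starts the statutory clock
	ContactOnFile string    // contact the organisation already holds, used for delivery
	Verified      bool
	tokenHash     []byte // keyed hash of the outstanding token; the raw token is never stored
	tokenExpiry   time.Time
	attempts      int
}

// MaxAttempts is the number of wrong guesses tolerated before a token is invalidated.
const MaxAttempts = 5

// Verifier issues and checks one-time, time-limited tokens. The token goes only to
// ContactOnFile, never to an address supplied in the request itself.
type Verifier struct {
	secret []byte
	now    func() time.Time
}

func NewVerifier(secret []byte) *Verifier { return &Verifier{secret: secret, now: time.Now} }

// Issue mints a random token, stores only its keyed hash, and returns it for delivery.
func (v *Verifier) Issue(r *Request, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	r.tokenHash, r.tokenExpiry, r.attempts = v.hash(r.ID, token), v.now().Add(ttl), 0
	return token, nil
}

// Check compares in constant time and rejects expired, replayed or brute-forced tokens.
func (v *Verifier) Check(r *Request, presented string) error {
	if r.tokenHash == nil {
		return errors.New("no outstanding token")
	}
	if v.now().After(r.tokenExpiry) {
		r.tokenHash = nil
		return errors.New("token expired")
	}
	if !hmac.Equal(r.tokenHash, v.hash(r.ID, presented)) {
		if r.attempts++; r.attempts >= MaxAttempts {
			r.tokenHash = nil // too many guesses: force a fresh issue
		}
		return errors.New("token mismatch")
	}
	r.tokenHash, r.Verified = nil, true // single use
	return nil
}

// hash binds the token to the request ID, so a token for one request cannot verify another.
func (v *Verifier) hash(requestID, token string) []byte {
	m := hmac.New(sha256.New, v.secret)
	m.Write([]byte(requestID + "\x00" + token))
	return m.Sum(nil)
}

// Deadline applies the GDPR Article 12(3) clock: one month from receipt, extendable by
// two further months. A 45- or 90-day regime would substitute its own rule here.
func Deadline(received time.Time, extended bool) time.Time {
	months := 1
	if extended {
		months = 3
	}
	d := received.AddDate(0, months, 0)
	// AddDate rolls 31 January + 1 month over to 3 March; clamp to the month's last day.
	if d.Day() != received.Day() {
		d = d.AddDate(0, 0, -d.Day())
	}
	return d
}

func main() {
	v := NewVerifier([]byte("example-secret-rotate-me")) // assumption: loaded from a secret store
	req := &Request{ID: "DSAR-0001", Right: "access", ContactOnFile: "subject@example.com",
		Received: time.Date(2025, 1, 31, 0, 0, 0, 0, time.UTC)}
	token, err := v.Issue(req, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Printf("send token to %s (starts %s...)\n", req.ContactOnFile, token[:8])
	fmt.Println("first check:", v.Check(req, token), "verified:", req.Verified)
	fmt.Println("replay check:", v.Check(req, token))
	fmt.Println("respond by:", Deadline(req.Received, false).Format("2006-01-02"))
}
```

The token is bound to the request ID inside the HMAC, compared in constant time, expires, is single-use and locks after repeated wrong guesses, and only its keyed hash is ever stored, so a database leak does not yield usable tokens. Deadline clamps month-end arithmetic so a request received on 31 January falls due on 28 February rather than 3 March, which is the conservative reading of “one month”.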

Security and Privacy Considerations

DSAR handling processes must incorporate robust security controls to protect personal data throughout the response lifecycle. This includes secure data transmission, access controls, audit logging, and secure data disposal when necessary.

The Australian Cyber Security Centre (ACSC), in its Securing customer personal data,6 emphasizes the importance of strong security measures in protecting against data breaches. Organizations handling DSARs must implement comprehensive security frameworks that protect both the personal data being processed and the broader organizational systems and data assets.

Data minimization principles apply throughout the DSAR handling process. Organizations should only collect, process, and disclose personal data that is directly relevant to fulfilling the specific request, avoiding over-broad data gathering or unnecessary data retention.

Encryption plays a critical role in protecting personal data during DSAR processing. Data should be encrypted both in transit and at rest, with appropriate key management practices ensuring ongoing protection throughout the response process.
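For the transmission and at-rest protection just described, the following Go program is an added example, not code from the ACSC or any other cited source. It seals an export package with AES-256-GCM under a per-request data key, binds the request identifier into the authentication tag as associated data so a package cannot be quietly re-labelled for another request, and shows crypto-shredding as the disposal step. The assumptions that the data key is generated under a KMS and delivered to the requester out of band are the example’s, not the article’s.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Package is the sealed response: nonce plus ciphertext, with the request ID bound in
// as associated data so a package cannot be swapped between requests undetected.
type Package struct {
	RequestID  string
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey returns a fresh 256-bit key for one request. Assumption for this example:
// production would generate and wrap it under a KMS/HSM master key and hand it to the
// requester out of band, never storing it beside the package.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("data key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the export with AES-256-GCM under the per-request key.
func Seal(requestID string, key, plaintext []byte) (*Package, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(requestID))
	return &Package{RequestID: requestID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and authenticates. A wrong key, a changed request ID or a single flipped
// ciphertext byte all fail closed rather than yielding corrupted output.
func Open(p *Package, key []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, p.Nonce, p.Ciphertext, []byte(p.RequestID))
	if err != nil {
		return nil, errors.New("package failed authentication")
	}
	return pt, nil
}

// Dispose overwrites the key once delivery and the retention period are done; the stored
// ciphertext then becomes unrecoverable (crypto-shredding). Go gives no guarantee that
// other copies of the slice are cleared, so this is best effort, not a substitute for a KMS.
func Dispose(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

func main() {
	export := []byte(`{"request_id":"DSAR-0001","records":[{"email":"ada@example.com"}]}`) // constructed
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	pkg, err := Seal("DSAR-0001", key, export)
	if err != nil {
		panic(err)
	}
	pt, err := Open(pkg, key)
	fmt.Println("round trip ok:", string(pt) == string(export), err)

	pkg.Ciphertext[0] ^= 0x01 // simulate corruption or tampering in transit
	_, err = Open(pkg, key)
	fmt.Println("tampered:", err)
	pkg.Ciphertext[0] ^= 0x01

	pkg.RequestID = "DSAR-0002" // package re-labelled for a different request
	_, err = Open(pkg, key)
	fmt.Println("relabelled:", err)

	Dispose(key)
}
```

Binding the request ID as associated data is the detail worth copying: it costs nothing, and it means an operator who attaches the wrong package to a response gets an authentication failure instead of disclosing one subject’s data to another.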

Technology Solutions and Automation

Modern DSAR handling increasingly relies on automated solutions to manage scale, ensure consistency, and reduce response times. Microsoft’s Priva Subject Rights Requests solution exemplifies how technology can streamline and automate fulfillment of requests for personal data while maintaining appropriate human oversight and control.

Automation can significantly improve efficiency in data discovery, classification, and processing phases of DSAR handling. However, organizations must maintain appropriate human review and decision-making authority, particularly for complex requests or those involving sensitive data.

Integration with existing enterprise systems, including identity management, data governance, and compliance platforms, enables comprehensive DSAR handling capabilities that leverage existing organizational investments and capabilities.

Risk Management and Mitigation

DSAR handling processes introduce various operational and compliance risks that organizations must actively manage. These include the risk of incomplete responses, unauthorized data disclosure, system security vulnerabilities, and regulatory non-compliance.

IBM’s documentation for Storage Protect for Cloud with Microsoft 365,7 illustrates the backup side of the problem: fulfilling a deletion request means discovering every copy of the subject’s data across Exchange Online, SharePoint Online, and OneDrive backups, then permanently deleting the user-generated backups and associated data. Backups are a frequently overlooked location in erasure responses, and a restore performed after deletion silently undoes the fulfilment unless the backup copies were addressed as well.

Organizations should implement comprehensive risk assessment frameworks that evaluate potential impacts of DSAR handling processes on both individual privacy rights and organizational operations. This includes considering the risks associated with data retention, processing delays, and potential system vulnerabilities.

Cost and Resource Planning

DSAR handling requires significant organizational resources, including dedicated personnel, technology systems, and ongoing operational costs. Organizations must develop realistic budgets and resource allocation strategies that account for both routine DSAR handling and potential spikes in request volumes.

Organizations with mature DSAR handling capabilities typically dedicate part of their IT budgets to privacy and data protection technologies. The cost of non-compliance, however, can far exceed these investments, with regulatory fines and reputational damage representing substantial financial risks.

Resource planning should account for the cross-functional nature of DSAR handling, which typically involves legal, IT, security, and business operations teams. Effective coordination and communication among these stakeholders is essential for efficient and compliant response processes.

Future Trends and Developments

The DSAR landscape continues to evolve rapidly, with emerging technologies, regulatory changes, and shifting consumer expectations driving continuous adaptation requirements. Artificial intelligence and machine learning technologies are increasingly being applied to automate data discovery, classification, and processing tasks.

ISACA’s 2024 research, cited above, highlights the expanding scope of data subject rights, with new privacy laws granting individuals greater control over their personal data. Organizations must prepare for increasingly complex rights and obligations, including enhanced transparency requirements and expanded individual control mechanisms.

The integration of privacy and cybersecurity frameworks, as exemplified by NIST’s updated Privacy Framework, reflects the growing recognition that these disciplines must work together to provide comprehensive protection for individuals and organizations.

Measuring Success and Continuous Improvement

Organizations must establish key performance indicators (KPIs) and metrics to measure the effectiveness of their DSAR handling processes. These typically include response time metrics, accuracy measures, requestor satisfaction scores, and compliance indicators.

Continuous improvement processes should incorporate feedback from requestors, internal stakeholders, and regulatory guidance updates. Regular review and optimization of DSAR handling processes ensure ongoing effectiveness and adaptation to changing requirements.

Benchmarking against industry standards and peer organizations provides valuable insights for process improvement and resource optimization. Organizations should participate in industry forums and privacy professional networks to stay current with best practices and emerging trends.

Conclusion

Effective DSAR handling represents a critical capability for modern organizations operating in increasingly complex regulatory environments. Success requires comprehensive technical, operational, and governance frameworks that balance individual privacy rights with organizational operational requirements and security considerations.

The increasing volume and complexity of DSARs, combined with evolving regulatory requirements, necessitate ongoing investment in technology, processes, and personnel capabilities. Organizations that proactively develop mature DSAR handling capabilities will be better positioned to manage compliance risks while building trust with customers and stakeholders.

Australian organizations face particular challenges in navigating the intersection of privacy compliance and cybersecurity requirements. The Australian Cyber Security Centre’s emphasis on comprehensive security measures aligns with the need for secure, efficient DSAR handling processes that protect both individual privacy and organizational data assets.

Looking forward, organizations must prepare for continued evolution in privacy rights and regulatory requirements. Those that invest in flexible, scalable DSAR handling capabilities today will be better equipped to adapt to future changes while maintaining operational efficiency and regulatory compliance.

References

  1. Statista. (2024). Share of internet users worldwide who have exercised their rights to Data Subject Access Request (DSAR) from 2022 to 2024. https://www.statista.com/statistics/1440867/dsar-exercised-internet-users-global/
  2. Microsoft. (2025). Data Subject Requests and the GDPR and CCPA. https://learn.microsoft.com/en-us/compliance/regulatory/gdpr-data-subject-requests
  3. Gagan K. (2024). The Evolving World of Data Privacy Trends and Strategies. ISACA. https://www.isaca.org/resources/news-and-trends/industry-news/2024/the-evolving-world-of-data-privacy-trends-and-strategies
  4. Office of the Australian Information Commissioner (OAIC). (2024). Latest Notifiable Data Breaches statistics for July to December 2024. https://www.oaic.gov.au/news/blog/latest-notifiable-data-breaches-statistics-for-july-to-december-2024
  5. National Institute of Standards and Technology (NIST). (2025). NIST Updates Privacy Framework, Tying It to Recent Cybersecurity Guidelines. https://www.nist.gov/news-events/news/2025/04/nist-updates-privacy-framework-tying-it-recent-cybersecurity-guidelines
  6. Australian Cyber Security Centre (ACSC). (2025). Securing customer personal data. Australian Signals Directorate. https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/small-business-cybersecurity/securing-customer-personal-data
  7. IBM. (2025). Storage Protect for Cloud solutions. https://www.ibm.com/docs/en/spfc?topic=storage-protect-cloud-microsoft-365

At Christian Sajere Cybersecurity and IT Infrastructure, we understand the complexity of implementing compliant DSAR handling processes. Our specialized expertise in privacy technology and cybersecurity enables Australian organizations to build robust, automated DSAR capabilities that protect individual rights while maintaining operational efficiency. Let us help you navigate this critical compliance requirement with confidence.

Related Blog Posts

  1. Securing Event-Driven Architectures: A Comprehensive Guide for Modern Organizations
  2. Integration of Vulnerability Management with DevOps
  3. Cross-Border Data Transfer: Legal Requirements
  4. Privacy by Design: Implementation Framework for Modern Organizations
  5. Security Awareness Program Design: Beyond Compliance
  6. Vulnerability Management for Third-Party Applications: A Critical Security Imperative
  7. Securing API Gateways in Cloud-Native Architectures