GDPR DSAR Response Checklist for Small Businesses (2026)

A practical, step-by-step checklist to help you respond to data subject access requests correctly and on time. Designed for business owners, office managers, and IT admins.

📅 Response Timeline

Day 0
Request received
Days 1-3
Log & verify
Days 4-20
Gather & redact
Days 21-30
Review & send

1 Phase 1: Immediate Actions (Days 1-3)

  • Log the request Record the date received, requester's name, email, and what they've asked for
  • Set the deadline Calculate 30 calendar days from receipt (not working days)
  • Acknowledge receipt Send a brief confirmation that you've received the request
  • Verify identity Confirm the requester is who they claim to be before processing
  • Assess the request Is it clear? Do you need to ask for clarification?

2 Phase 2: Data Gathering (Days 4-20)

  • Search email systems Search for emails to/from/about the data subject
  • Search CRM/database Customer records, contact details, purchase history
  • Check HR systems If employee request: personnel files, payroll, performance records
  • Check shared drives Documents, spreadsheets, presentations mentioning them
  • Check third-party systems Marketing platforms, payment processors, support systems
  • Check paper files Physical documents, signed forms, printed correspondence

3 Phase 3: Redaction (Days 15-25)

🔒 Critical step

You must redact third-party personal data before sending. Failure to do so is a data breach.

  • Identify third-party data Names, emails, phone numbers of other people in documents
  • Redact permanently Use proper redaction tools — not just highlighting or white boxes
  • Check metadata Remove hidden data in documents (author names, track changes)
  • Review redactions Have a second person check the redacted documents

Read the full redaction guide →

4 Phase 4: Response (Days 21-30)

  • Prepare cover letter Explain what data you're providing and required GDPR disclosures
  • Include processing information Purpose, legal basis, recipients, retention period, rights
  • Compile response package Cover letter + all relevant personal data documents
  • Final review Check everything is complete and correctly redacted
  • Send securely Encrypted email, secure portal, or tracked post

5 Phase 5: Record Keeping

  • Save the original request Keep the email/form with timestamp
  • Document identity verification How you confirmed who the requester was
  • Log search activities What systems were searched, when, by whom
  • Keep redaction records What was redacted and why
  • Save response copy Copy of everything you sent with date/time
  • Retain for appropriate period Keep records for at least 6 years (statute of limitations)

See a sample evidence pack →

🔗 Related Guides

🚨

Just Received a DSAR?

15-minute action plan to get started immediately

📖

Complete DSAR Guide

Everything you need to know about responding

Redaction Guide

How to redact third-party data correctly

Missed the Deadline?

What to do if you've passed the 30-day deadline

Want to automate this checklist?

SAR Portal tracks every step automatically — deadlines, verification, redaction, and audit evidence. Never miss a step.

Try SAR Portal Free

14-day free trial. No credit card required.

Handle DSARs the right way

SAR Portal guides you through every step of GDPR compliance — from request intake to final response.

Start Free Trial See How It Works