How to Answer a DSAR in 30 Minutes Instead of Three Days
The clock on a data-subject access request (DSAR) starts the moment it arrives: under GDPR you have one month to respond. For an organisation that knows where personal data lives, that’s comfortable. For one that doesn’t, it’s a scramble — people digging through drives, forwarding each other files, hoping they didn’t miss the folder that turns a routine request into a complaint to the regulator.
The difference between 30 minutes and three days isn’t effort. It’s preparation.
Why DSARs feel hard
A DSAR asks a simple-sounding question: “What personal data do you hold about me?” Answering it means finding every file that mentions a specific person — across documents, spreadsheets, PDFs, emails, images and archives, on laptops and shared drives.
That’s hard for the same reason data mapping is hard: personal data spreads. One person’s details might be in a contract, three email threads, a scanned form, a spreadsheet row and an old export nobody remembers. Miss any of them and your response is incomplete — which is itself a compliance failure.
The scramble happens because the finding is done reactively, under time pressure, by hand.
The shift: find data by pattern, ahead of time
The organisations that answer DSARs calmly do one thing differently: they can locate personal data on demand, because they’ve already mapped where it lives and they scan by pattern, not by memory.
When a request comes in for “Anna Andersson,” you don’t rely on people remembering which files mention her. You search structurally — her name, her email, her national ID, her phone number — across the same repositories you’ve already inventoried. What used to be a department-wide hunt becomes a targeted scan.
A DSAR-ready routine
You can build this readiness without a big programme:
- Know your repositories. List where personal data actually lives: the shared drives, the mail stores, the specific Macs. You can’t scan what you haven’t mapped.
- Scan those repositories regularly for personal data — not for one person, but to keep a current picture of what kinds of personal data are where. This is your data map, and it doubles as DSAR preparation.
- When a request arrives, scan for that individual’s identifiers across the mapped repositories: name, email, national ID, phone, account numbers.
- Review the hits and assemble the response. Redact third-party data, apply exemptions, and export what’s disclosable.
- Keep a record of what you searched and what you found — your evidence that the response was thorough.
Done this way, the request that used to eat three days becomes a scan and a review.
Doing it without exposing more data
There’s a trap worth naming: in the rush to answer a DSAR, people sometimes upload files to a cloud tool to “search them faster.” That increases exposure of the very personal data you’re trying to handle responsibly — and can create a second problem while solving the first.
A DSAR is only a fire drill if you’re finding the data for the first time when the request lands. Map it once, keep the map current, and the next request is a half-hour job — not a three-day one.
Disclosure: I make GDPR File Audit, a Mac app for on-device personal-data scanning — but the approach above works with any tool that scans locally.