If you’re leading on privacy, you already know the drill: A Data Subject Access Request (DSAR) lands in your inbox. The clock starts ticking. You’ve got a month to respond- maybe less, depending on how the request came in.

Most teams start scrambling at that point. And that’s the problem.

The reality is, many DSAR workflows fail before anyone even reads the request. Not because privacy teams don’t care,but because the basics aren’t in place. The workflow may look fine on paper, but in practice, it can’t withstand real-world pressure.

Let’s break down why.

1. You don’t know where your data is

If your team can’t confidently answer, “Where is this person’s data?” within 10 minutes, you’ve already lost time. And you’re not alone. Most organisations still rely on best guesses, scattered spreadsheets or memory.

That might get you through one DSAR. Maybe two. But it won’t hold if requests come in back-to-back or from someone who knows their rights and expects a complete, precise response.

Data mapping isn’t a one-off exercise. It’s a living, evolving process. Emails, shared drives, chat logs, CRM systems, mobile devices. If you haven’t done a recent sweep, there’s a good chance something will be missed. 

And that’s where every broken  DSAR workflow begins. 

2. The search process is manual, inconsistent or both

Let’s say you do find where the data lives. Now what?

This is where things slow down again. Searching email inboxes manually. Asking IT to pull files. Hoping someone remembers what happened to an old SharePoint folder. Meanwhile, the deadline doesn’t care.

Even teams  with tools in place often don’t have search playbooks. This means every request is a new learning curve. You waste time figuring it out again. And again.

Search shouldn’t be reinvented with every request. . You need tools configured. You need standard queries. You need to know how to deal with common names or fuzzy matches. Without that, your workflow breaks under pressure.

3. Nobody owns the full process

This one’s subtle but deadly. DSARs touch privacy, legal, IT and sometimes HR. But when no one owns the whole process from start to finish, delays creep in. Questions get bounced around. Tasks fall through the cracks. 

One person or team needs to lead the request. End to end. Not just manage bits of it. Without a clear owner, you lose time and accountability.

And if the person who usually handles it is on holiday, things grind to a halt. That’s not a workflow. That’s a wishful thinking .

4. Redaction is an afterthought

This is where even well-oranised teams get tripped up. They collect the data, sometimes quickly, sometimes thoroughly. But they forget the redaction step until the very end. Or worse, they rush it and get it wrong. 

Third-party information, internal conversations, legal notes — these need careful handling. . If they slip through, you risk breaching someone else’s privacy just to satisfy a DSAR.

Good redaction takes time. It requires clear rules and trained eyes. Doing it in a rush invites mistakes.

5. There’s no feedback loop

Most teams never review how well the DSAR went. No reflection. No improvement. No lessons learned.

So the same delays, confusion or stress repeat every single time.

You wouldn’t run a marketing campaign or product launch without reviewing what worked and what didn’t. But DSARs often get treated as one-offs — even though they keep coming.

Your DSAR process should include mock requests. Regular drills. Spot audits. And a simple way to track metrics like turnaround time, common errors or repeat issues. Otherwise, you’re flying blind.

The fix isn’t fancy tech

Most DSAR problems aren’t caused by a lack of expensive software. They’re caused by missing structure.

You need a map of where your data lives. You need a clear workflow. You need tools that are actually used — not just bought. You need staff who know what to do. And you need to test the process when it’s quiet, not just when a request comes in.

That’s it.

No jargon. No gold-plated dashboards. Just the basics done well.

Want to get a great 4 week process?

We’ve built a practical DSAR Handling Toolkit for privacy, IT and legal teams. It walks you through the key areas — mapping, searching, redaction, training, and governance — one week at a time.

It’s not theoretical. It’s not a sales pitch for software. It’s a real plan with real checklists, real templates and real results.

If you’ve ever scrambled to finish a DSAR on time, this is for you.

Download the Monthly DSAR Handling Improvement Toolkit here and start building a process that works before the next request hits your inbox.