What Is a DSAR? (Data Subject Access Request)
A Data Subject Access Request (DSAR) is a formal request by an individual to exercise their data rights under privacy legislation. The most common types are: access (receive a copy of all data held), erasure (delete personal data), portability (receive data in a machine-readable format), and restriction (limit how data is processed). Regulations including GDPR, CCPA, and LGPD all create DSAR obligations, each with its own timelines and scope.
Which regulations create DSAR obligations?
Most major privacy regulations create some form of data subject rights:
- GDPR (EU). Articles 15–21 cover the right of access, rectification, erasure, restriction, portability, and objection. Response deadline: 30 days (1-month extension possible with notice).
- CCPA/CPRA (California). Sections 1798.100–1798.125 cover the right to know, right to delete, right to correct, and right to opt out of sale. Response deadline: 45 days (45-day extension possible with notice).
- LGPD (Brazil). Article 18 covers rights similar to GDPR's. Response deadline: 15 days for access confirmation, an additional 15 days for full access.
- HIPAA (US healthcare). §164.524 covers the right of access to PHI. Response deadline: 30 days (30-day extension possible).
- PIPEDA (Canada). Section 4.9 covers the right of access. Response within a 'reasonable time' (typically interpreted as 30 days).
What a DSAR requires in Salesforce
When a DSAR comes in for a data subject whose records are in your Salesforce org, responding requires:
1. Identify all data. Find every record across the org that contains the data subject's personal information: Contact/Lead/Person Account, related Activities, Cases, Opportunities, custom objects, consent records, and field history.
2. Verify identity. GDPR Article 12 requires verifying the identity of the requester before disclosing or deleting data. This protects against fraudulent requests.
3. Assess the request. Determine whether the request must be honored (valid right, correct regulation), may be partially refused (legal hold conflict), or can be refused (an exemption applies).
4. Execute the request. For access: generate a readable export. For erasure: cascade deletion across related objects. For portability: generate machine-readable structured data.
5. Document and respond. Communicate the outcome to the data subject and create an audit record of the entire process, within the applicable deadline.
The difference between DSAR types
Organizations often conflate different request types. Each has different requirements:
Right of Access (Subject Access Request / SAR). The data subject wants to know what data you hold. Response: provide a copy of all personal data in a readable format, plus information about how it's used.
Right to Erasure (Right to Be Forgotten / RTBF). The data subject wants their data deleted. Response: delete or anonymize all personal data, subject to legal hold exemptions.
Right to Portability. The data subject wants their data in a structured, machine-readable format to take to another service. Response: provide the data in CSV, JSON, or a similar format. Applies only to data provided by the data subject and processed on the basis of consent or contract.
Right to Restriction. The data subject wants processing limited while a dispute is resolved. Response: flag records for restricted processing without deleting them.
Right to Rectification. The data subject wants incorrect data corrected. Response: update the records. This is typically handled manually, as it requires judgment about the correct value.
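The following is an added example, not code from the original page and not Salesforce's API: a Python sketch of the five steps listed under "What a DSAR requires in Salesforce" together with the per-type execution described above, run against a constructed in-memory stand-in for an org (a dict of object name to rows, with child rows linked to the Contact through a ContactId field). Everything specific in it is an assumption: the object and field names (LegalHold__c, ConsentRecord__c, ProcessingRestricted__c), the verification-code scheme (an HMAC-derived code standing in for a code sent to the contact details on file), and the rights-per-regulation table, which is reduced from this page's own summaries. In a real org the lookups would be SOQL queries and the mutations DML; what the sketch shows is the control flow: records are identified but nothing is disclosed or changed until identity is verified, a legal hold downgrades an erasure to a partial one (the parent record is anonymized rather than deleted so the held child keeps its link), restriction only flags rows, and every outcome, including a rejection, produces an audit entry with the regulation's due date.

```python
"""DSAR workflow sketch over an in-memory stand-in for a Salesforce org.

Added example; object/field names, the verification-code scheme and the
rights table are assumptions, not Salesforce's API. All data is constructed.
"""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Base deadline and extension in days, as stated on the page (PIPEDA: 30 assumed, no extension).
DEADLINES = {"GDPR": (30, 30), "CCPA": (45, 45), "LGPD": (15, 15),
             "HIPAA": (30, 30), "PIPEDA": (30, 0)}
# Request types each regulation grants, reduced from the page's summaries (assumption).
RIGHTS = {
    "GDPR": {"access", "rectification", "erasure", "restriction", "portability"},
    "LGPD": {"access", "rectification", "erasure", "restriction", "portability"},
    "CCPA": {"access", "erasure", "rectification"},
    "HIPAA": {"access"}, "PIPEDA": {"access"},
}
# Fields treated as personal data and scrubbed when a record cannot be deleted (assumption).
PII_FIELDS = {"Email", "Name", "Phone", "Description", "OldValue"}

# Constructed sample org: object name -> rows; child rows link to the Contact via ContactId.
_SAMPLE_ORG = {
    "Contact": [
        {"Id": "003AAA", "Name": "Ana Lima", "Email": "ana@example.com", "Phone": "+55 11 5555 0100"},
        {"Id": "003BBB", "Name": "Bo Chen", "Email": "bo@example.com", "Phone": "+1 415 555 0100"},
    ],
    "Case": [
        {"Id": "500AAA", "ContactId": "003AAA", "Subject": "Refund", "LegalHold__c": False},
        {"Id": "500BBB", "ContactId": "003AAA", "Subject": "Dispute", "LegalHold__c": True},
    ],
    "Task": [{"Id": "00TAAA", "ContactId": "003AAA", "Description": "Discussed invoice"}],
    "ConsentRecord__c": [{"Id": "a00AAA", "ContactId": "003AAA", "Channel": "Email", "OptIn": True}],
    "ContactHistory": [{"Id": "017AAA", "ContactId": "003AAA", "Field": "Phone", "OldValue": "+55 11 5555 0000"}],
}


def sample_org():
    """Fresh mutable copy of the constructed org, so each request starts clean."""
    return copy.deepcopy(_SAMPLE_ORG)


@dataclass
class DSARRequest:
    contact_id: str
    request_type: str       # access | erasure | portability | restriction | rectification
    regulation: str
    received: str           # ISO date the request arrived
    verification_code: str  # code the requester sent back (see expected_code)


def due_date(regulation, received, extended=False):
    """Response deadline as an ISO date; the extension applies only when notice was given."""
    base, ext = DEADLINES[regulation]
    return (date.fromisoformat(received) + timedelta(days=base + (ext if extended else 0))).isoformat()


def find_subject_records(org, contact_id):
    """Step 1: every row tied to the subject (Contact by Id, children by ContactId).
    A real org would also search Lead, Person Account, contact roles and custom objects."""
    found = {}
    for obj, rows in org.items():
        key = "Id" if obj == "Contact" else "ContactId"
        hits = [r for r in rows if r.get(key) == contact_id]
        if hits:
            found[obj] = hits
    return found


def expected_code(contact_id, secret):
    """Code that would be sent to the contact details on file (assumed scheme)."""
    return hmac.new(secret.encode(), contact_id.encode(), hashlib.sha256).hexdigest()[:8]


def verify_identity(contact_id, code, secret):
    """Step 2: constant-time comparison of the code the requester returned."""
    return hmac.compare_digest(code, expected_code(contact_id, secret))


def assess(request, records):
    """Step 3: honor, partial (a legal hold blocks part of an erasure) or refuse."""
    if request.request_type not in RIGHTS.get(request.regulation, set()):
        return "refuse"
    held = any(r.get("LegalHold__c") for rows in records.values() for r in rows)
    return "partial" if request.request_type == "erasure" and held else "honor"


def execute(org, request, records):
    """Step 4: per-type action over the rows found in step 1."""
    t = request.request_type
    if t == "access":
        return {"format": "readable", "records": records}
    if t == "portability":
        return {"format": "json", "payload": json.dumps(records, default=str)}
    if t == "restriction":
        for rows in records.values():
            for r in rows:
                r["ProcessingRestricted__c"] = True   # flag only, nothing deleted
        return {"restricted": sum(len(rows) for rows in records.values())}
    if t == "erasure":
        held = {r["Id"] for rows in records.values() for r in rows if r.get("LegalHold__c")}
        deleted = anonymized = 0
        for obj, rows in records.items():
            for r in rows:
                if r["Id"] in held:
                    continue                       # retained under legal hold
                if obj == "Contact" and held:      # parent must survive for held children
                    for f in PII_FIELDS.intersection(r):
                        r[f] = "REDACTED"
                    anonymized += 1
                else:
                    org[obj].remove(r)
                    deleted += 1
        return {"deleted": deleted, "anonymized": anonymized, "retained_on_hold": len(held)}
    return {"queued_for_manual_review": True}      # rectification needs human judgment


def handle_dsar(org, request, secret, audit):
    """Steps 1-5 in order; every outcome, including a rejection, is logged."""
    entry = {"contact_id": request.contact_id, "type": request.request_type,
             "regulation": request.regulation, "due": due_date(request.regulation, request.received)}
    records = find_subject_records(org, request.contact_id)
    if not verify_identity(request.contact_id, request.verification_code, secret):
        entry["outcome"] = "rejected: identity not verified"   # nothing disclosed or changed
    else:
        entry["decision"] = assess(request, records)
        if entry["decision"] == "refuse":
            entry["outcome"] = "refused: right not available under " + request.regulation
        else:
            entry["result"] = execute(org, request, records)
            entry["outcome"] = "completed"
    audit.append(entry)
    return entry


if __name__ == "__main__":
    org, log, secret = sample_org(), [], "demo-secret"
    code = expected_code("003AAA", secret)
    for kind in ("access", "erasure"):
        print(handle_dsar(org, DSARRequest("003AAA", kind, "GDPR", "2024-01-01", code), secret, log)["outcome"])
```

Running the script as-is processes an access request and then an erasure for the same constructed contact; the erasure comes back as "partial" because one Case is on legal hold, so the Case stays, the other child rows are deleted, and the Contact's personal fields are overwritten rather than removed. The audit list is the step-5 record and is the only thing a rejected request touches.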
Why DSAR volume is increasing
DSAR volume has grown significantly since GDPR came into force in 2018. Several factors are driving this:
- Consumer awareness of data rights is increasing, and privacy regulators actively publicize these rights
- Advocacy organizations file mass DSARs on behalf of groups of data subjects
- Competitive intelligence requests use DSARs to learn what companies know about individuals
- Data breach events trigger spikes of DSAR activity from affected individuals
- Post-regulatory investigation periods see elevated DSAR volume from data subjects checking what was held
Organizations that handle DSARs manually (tracking requests in spreadsheets, searching Salesforce records by hand, assembling exports in Word) find that these processes break down above approximately 10–15 requests per month.
Key Takeaways
DSARs are formal legal requests under GDPR, CCPA, LGPD, HIPAA, and other regulations; a response is mandatory.
GDPR's deadline is 30 days; CCPA's is 45 days; LGPD's is 15 days. Each request is tracked separately.
In Salesforce, a complete DSAR response covers the top-level record plus related objects, field history, and consent records.
Identity verification before execution is required; unverified requests can be fraudulent.
Manual DSAR handling doesn't scale above ~10–15 requests per month; automation is necessary for growth.
See how this works in your Salesforce org
30-minute demo tailored to your specific use case and data model.