Free GDPR Resources

Download free checklists, guides, and templates to help your business handle DSARs and stay GDPR compliant.

DSAR Checklists

  • DSAR Response Checklist: 30-day timeline checklist ensuring you never miss a deadline or step.
  • Data Discovery Checklist: Find all personal data across your business systems.
  • Redaction Checklist: What to redact (and what not to) when responding to DSARs.

📖 GDPR Guides

  • DSAR for SMEs: Complete Guide: Everything small business owners need to know about handling DSARs.
  • DSAR Mistakes That Lead to Fines: Common errors and how to avoid them based on real DPC decisions.
  • DSAR Cost Calculator: Calculate your true DSAR costs and potential savings from automation.

📄 Response Templates

  • DSAR Acknowledgement Email: Professional template for acknowledging receipt of a DSAR.
  • Identity Verification Letter: Request additional identity verification when needed.
  • DSAR Response Cover Letter: Professional cover letter template for delivering DSAR responses.

DSAR Response Checklist

Day 0: Request Received

  • ☐ Log request with date/time received
  • ☐ Calculate 30-day deadline
  • ☐ Send acknowledgement within 24 hours
  • ☐ Assign case owner

Days 1-3: Verification

  • ☐ Verify requester identity
  • ☐ Confirm request type (access, deletion, correction, etc.)
  • ☐ Clarify scope if unclear
  • ☐ Document verification method

Days 4-14: Data Collection

  • ☐ Search all relevant systems
  • ☐ Export data from each source
  • ☐ Check email and file shares
  • ☐ Request data from third parties if needed
  • ☐ Document data sources searched

Days 15-21: Processing

  • ☐ Review all collected data
  • ☐ Redact third-party personal data
  • ☐ Check for exemptions (legal, harm, etc.)
  • ☐ Prepare response document

Days 22-28: Review

  • ☐ Quality review by second person
  • ☐ Verify completeness
  • ☐ Check all redactions
  • ☐ Prepare delivery method

Days 29-30: Delivery

  • ☐ Send response via secure method
  • ☐ Include cover letter explaining response
  • ☐ Log completion date
  • ☐ Store case documentation

Tip: SAR Portal automates most of this checklist. Try it free for 14 days.

Data Discovery Checklist

Core Business Systems

  • ☐ CRM (Salesforce, HubSpot, etc.)
  • ☐ Email marketing platform
  • ☐ E-commerce platform
  • ☐ Accounting software
  • ☐ HR/Payroll system
  • ☐ Customer support tickets

Communication Systems

  • ☐ Email (inbox and sent folders)
  • ☐ Slack/Teams messages
  • ☐ Video call recordings
  • ☐ Phone call logs/recordings
  • ☐ SMS/WhatsApp business

File Storage

  • ☐ Shared drives (Google Drive, OneDrive)
  • ☐ Local computer files
  • ☐ Backup systems
  • ☐ Paper files (scan if needed)

Often Forgotten

  • ☐ CCTV footage
  • ☐ Access logs/badge records
  • ☐ Website analytics (if identifiable)
  • ☐ Social media DMs
  • ☐ Third-party tools with personal data
  • ☐ Old/archived systems

Tip: Create a data map document listing all systems and data types for quick reference during DSARs.

Redaction Checklist

What to Redact (Third-Party Data)

  • ☐ Other people's names
  • ☐ Other people's email addresses
  • ☐ Other people's phone numbers
  • ☐ Other people's addresses
  • ☐ Other people's ID numbers
  • ☐ Information that could identify others indirectly

What NOT to Redact

  • ☐ The requester's own personal data
  • ☐ Staff names acting in professional capacity (usually)
  • ☐ Company/organisation names (not personal data)
  • ☐ Public information

Redaction Quality Checks

  • ☐ Search for all instances of each name/identifier
  • ☐ Check headers, footers, and metadata
  • ☐ Verify redactions are permanent (not just visual overlays)
  • ☐ Review redacted document in different viewers
  • ☐ Confirm no partial redactions reveal information

Common Mistakes to Avoid

  • ☐ Don't redact using black highlight (text still underneath)
  • ☐ Don't forget email CC/BCC fields
  • ☐ Don't miss names in email signatures
  • ☐ Don't overlook document properties/metadata
  • ☐ Don't leave initials that identify individuals

Tip: SAR Portal's AI automatically detects and redacts third-party data. Try it free.

DSAR Guide for SMEs

What is a DSAR?

A Data Subject Access Request (DSAR) is when someone asks to see what personal data you hold about them. Under GDPR, you must respond within 30 days.

Who Can Make a DSAR?

  • Customers (current or former)
  • Employees (current or former)
  • Website visitors (if you have their data)
  • Anyone whose data you process

What Must You Provide?

  • Confirmation you hold their data
  • A copy of all personal data you hold
  • Why you're processing it
  • Who you've shared it with
  • How long you'll keep it
  • Their rights (deletion, correction, etc.)

The 30-Day Deadline

The clock starts when you receive the request - not when you read it. You can extend by 2 months for complex requests, but you must tell the requester within 30 days and explain why.

What Happens If You Don't Comply?

  • Complaint to Data Protection Commission
  • Potential fines starting at €10,000+
  • Reputational damage
  • Legal action from the individual

Need help? SAR Portal guides you through every step. Start your free trial.

DSAR Mistakes That Lead to Fines

Mistake 1: Missing the Deadline

The Problem: Responding after 30 days without a valid extension.

The Fix: Log requests immediately and track deadlines centrally. Set reminders at 14, 7, and 3 days.

Mistake 2: Incomplete Response

The Problem: Not searching all systems or "forgetting" certain data.

The Fix: Maintain a data inventory. Search every system systematically. Document what you searched.

Mistake 3: Sharing Third-Party Data

The Problem: Accidentally including other people's personal data in the response.

The Fix: Review every document. Redact all third-party information. Use AI tools to catch what humans miss.

Mistake 4: No Audit Trail

The Problem: Can't prove you handled the request properly when challenged.

The Fix: Log every action with timestamps. Keep records of what was searched, provided, and when.

Mistake 5: Excessive ID Requirements

The Problem: Demanding unnecessary verification that blocks legitimate requests.

The Fix: Only verify identity when you have reasonable doubt. Email confirmation is often sufficient.

Avoid all these mistakes with SAR Portal's guided workflows. Try it free.

DSAR Acknowledgement Email Template

Copy and customise this template for acknowledging DSAR receipt:

Subject: Acknowledgement of Your Data Request - [Reference Number]

Dear [Name],

Thank you for your data subject access request received on [DATE]. We are writing to confirm receipt of your request under the General Data Protection Regulation (GDPR).

Your reference number is: [REFERENCE]

What happens next:

1. We will verify your identity to protect your data
2. We will search our systems for your personal data
3. We will prepare a response within 30 days of [DATE]

If we need any additional information to process your request, we will contact you.

Your deadline date: [DATE + 30 DAYS]

If you have any questions, please contact us at [EMAIL] quoting your reference number.

Kind regards,
[Your Name]
[Company Name]
Data Protection Contact

Tip: SAR Portal sends acknowledgements automatically when requests are received.

Identity Verification Letter Template

Use when you need to verify the requester's identity:

Subject: Identity Verification Required - DSAR [Reference Number]

Dear [Name],

Thank you for your data subject access request dated [DATE].

To protect your personal data, we need to verify your identity before we can process your request. This is required under GDPR Article 12(6).

Please provide ONE of the following:

- Reply to this email from the email address we hold on file for you
- Provide the last 4 digits of the payment card used with us
- Confirm your date of birth and postal address

Important: Please do NOT send copies of passports, driving licences, or other ID documents unless specifically requested.

Once we verify your identity, we will process your request within the statutory timeframe.

If you have any questions, please contact us at [EMAIL].

Kind regards,
[Your Name]
[Company Name]

Tip: SAR Portal includes OTP verification, eliminating most ID verification steps.

DSAR Response Cover Letter Template

Include this cover letter when delivering DSAR responses:

Subject: Your Data Subject Access Request - Complete Response

Dear [Name],

Further to your data subject access request dated [DATE], please find enclosed the personal data we hold about you.

What's included:

- [List of data types/documents provided]
- [E.g., Account information, transaction history, correspondence]

Data sources searched:

- [List systems searched, e.g., CRM, email, accounting system]

Information about your data:

- Purpose of processing: [Why you hold this data]
- Legal basis: [Consent/Contract/Legitimate interest]
- Retention period: [How long you keep it]
- Recipients: [Who you share it with, if anyone]

Your rights:

You have the right to:

- Request correction of inaccurate data
- Request deletion of your data (in certain circumstances)
- Object to processing
- Lodge a complaint with the Data Protection Commission

If any information is unclear or you believe we have missed something, please contact us at [EMAIL].

Kind regards,
[Your Name]
[Company Name]
Data Protection Contact

Ready to automate? SAR Portal generates compliant responses automatically. Start free trial.

Want to Automate Your DSAR Process?

SAR Portal handles intake, verification, AI redaction, and audit trails automatically.
