What is a DSR (Data Subject Request)?

DataGrail - February 10, 2026

For most of data privacy’s short history, regulations lived in one place. The EU’s General Data Protection Regulation (GDPR) defined the rules, and if your organization processed personal data belonging to EU residents, you followed them.

That era is over. A growing number of U.S. states have comprehensive privacy laws in effect, each granting individuals formal rights over their personal data. Brazil, Canada, Australia, and dozens of other jurisdictions have followed suit. The result: if your organization collects personal data, someone can ask you what you have, why you have it, and what you’re doing with it. That ask is a data subject request.

Understanding DSRs in 2026

The GDPR established that individuals have a fundamental right to access and control their personal data. Organizations that collect and determine how that data is used, called data controllers under the GDPR, must honor those rights when asked.

What changed between 2018 and 2026 isn’t the principle. It’s the scope. Privacy laws on every continent have now adopted similar rights with different rules, timelines, and enforcement mechanisms. Organizations operating across jurisdictions can no longer treat DSRs as a single-framework exercise.

What Is a DSR (and What Is a DSAR)?

A data subject request (DSR) is a formal request from an individual to exercise any of their privacy rights over personal data held by an organization. Think of DSR as the umbrella term.

You’ll also see the term data subject access request (DSAR), which refers specifically to requests where someone wants to see what personal data an organization holds about them. Access requests are the most common type of DSR, but they’re not the only one. This guide uses DSR when referring to rights requests generally and DSAR when discussing access rights specifically.

Across most privacy laws, DSRs cover similar categories of rights. An individual may ask an organization to provide access to their personal data, correct inaccurate information, delete their data, restrict or stop certain processing, transfer their data to another controller in a portable format, or opt out of the sale or sharing of their information.

Under the GDPR, organizations have 30 days to respond, with extensions up to 90 days in complex cases. U.S. state laws typically set 30-to-45-day response windows, though extension rules and exemptions vary. Missing these deadlines carries real consequences. France’s CNIL fined telecom provider FREE €300,000 after 41 complaints revealed persistent failures to respond to access and erasure requests, and the EDPB’s 2024 coordinated enforcement action across 30 EEA countries found that a lack of documented internal procedures was the most common obstacle to compliance among the 1,185 controllers investigated.

Who Can File a DSR?

When the GDPR launched, DSRs were primarily an EU concern. That’s no longer the case.

Any individual protected by an applicable privacy law can file a DSR with an organization that processes their data, even if that organization is based in a different country or state. Under the GDPR, that includes anyone whose data is processed in connection with offering goods or services in the EU. Under U.S. state laws, it means residents of states with comprehensive privacy statutes, a list that now includes California, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and more. Many of those laws also allow consumers to submit DSRs through authorized agents.

The practical effect is that most companies with any meaningful online presence now field DSRs from multiple jurisdictions, each with different requirements around response timelines, appeals processes, and exemptions. Managing those differences is one of the more persistent privacy compliance challenges organizations face.

How to Respond to a DSR

If someone files a DSR with your organization, the response process follows a general framework, though the specifics depend on the applicable law and the type of request.

Accept the request. Provide a clear, accessible way for individuals to submit DSRs, whether through a web form, email address, or centralized portal. Mature programs support jurisdiction routing, separate paths for consumers and employees, and intake for authorized agent submissions.

Verify identity. Before disclosing personal data, confirm the requester is who they claim to be. Fraudulent access requests have been a concern since the day the GDPR took effect. Verification should be proportionate to the sensitivity of the data, relying on existing data where possible rather than collecting new sensitive information.

Locate responsive data. Personal data tends to be spread across internal systems, SaaS tools, data warehouses, and service providers, whether you’re operating in healthcare, fintech, retail, or any other sector that handles consumer data at scale. Without continuous system discovery and accurate records of processing, the search becomes the bottleneck.

Review and act. Not every request is straightforward. Access requests may require redaction to protect the rights of third parties. Deletion requests may be subject to legal holds or retention obligations. Some U.S. state laws distinguish between general and sensitive personal data, which can affect handling. Review each request, apply the appropriate limits, and take the required action.

Respond within the deadline. Deliver the response securely and within the applicable timeframe. Document the entire process: verification steps, systems searched, exemptions applied, and the final response. If a request is denied, several U.S. state laws require you to offer an appeals process.

Although data subject rights are traditionally exercised via forms, emails, or telephone calls, many states also require businesses to recognize universal opt-out mechanisms like the Global Privacy Control (GPC), which function as automated opt-out requests. Colorado was the first state outside California to formally approve GPC as its recognized universal opt-out mechanism, and in September 2025 the attorneys general of Colorado, California, and Connecticut launched a joint investigative sweep targeting businesses that failed to honor GPC signals. These automated signals are DSRs by another name, and your program needs to account for them.
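As an added illustration (not DataGrail's code or any product API), the five steps above and the GPC paragraph reduced to a small Python model: a per-jurisdiction deadline, an audit trail of each step, a verification gate before any data is disclosed, and recognition of the Sec-GPC: 1 request header as an automated opt-out DSR. The GDPR window uses the article's stated 30 days; the 45-day U.S. state values and the jurisdiction keys are assumptions for illustration, not a legal reference.

```python
from datetime import date, timedelta

# Response windows in days. GDPR's 30-day baseline is from the article; the U.S.
# state values are illustrative assumptions within its stated 30-45 day range.
RESPONSE_WINDOWS = {"gdpr": 30, "ccpa": 45, "cpa": 45}

class DSR:
    """One rights request, with the audit trail the response step calls for."""
    def __init__(self, request_id, jurisdiction, right, received, source="form"):
        self.request_id = request_id
        self.jurisdiction = jurisdiction      # key into RESPONSE_WINDOWS
        self.right = right                    # "access", "delete", "opt_out", ...
        self.received = date.fromisoformat(received)
        self.source = source                  # "form", "email", "agent" or "gpc"
        self.verified = False
        self.audit = []                       # (step, detail) pairs, in order

    def deadline(self) -> str:
        due = self.received + timedelta(days=RESPONSE_WINDOWS[self.jurisdiction])
        return due.isoformat()

    def log(self, step, detail):
        """Record a step: verification, systems searched, exemptions, response."""
        self.audit.append((step, detail))

    def verify(self, method):
        self.verified = True
        self.log("verify", method)

    def release_data(self, records):
        """Disclose personal data only after identity has been verified."""
        if not self.verified:
            raise PermissionError(f"{self.request_id}: identity not verified")
        self.log("respond", f"{len(records)} records released")
        return records

def has_gpc_signal(headers) -> bool:
    """True when the HTTP request carries a Global Privacy Control signal (Sec-GPC: 1)."""
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    return normalized.get("sec-gpc") == "1"

def dsr_from_gpc(request_id, jurisdiction, headers, today):
    """Treat a GPC signal as an automated opt-out DSR so it is tracked like any other."""
    if not has_gpc_signal(headers):
        return None
    dsr = DSR(request_id, jurisdiction, "opt_out", today, source="gpc")
    dsr.log("intake", "automated opt-out via Sec-GPC header")
    return dsr
```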

Automating DSRs with DataGrail

Manual DSR handling is no longer viable in 2026. The operational challenge behind DSRs isn’t understanding the rights. It’s executing them consistently and accurately across every system that touches personal data, under laws that keep evolving. 

For organizations requiring privacy with precision, DSR software built for automation makes the difference between a program that scales and one that breaks.

DataGrail Request Manager provides data subject request automation across the full lifecycle. Branded intake forms funnel requests into a centralized dashboard. DataGrail’s robust verification options authenticate requesters using data you already have, without requiring government IDs or selfies. From there, DSAR automation takes over: DataGrail searches across hundreds of connected systems to locate personal data, then orchestrates access, deletion, and opt-out requests automatically. What used to take days of coordination across legal, IT, and engineering can be completed by one person in minutes.

Enterprise privacy teams looking for DSAR software that scales with volume benefit from centralized management, deadline tracking, and audit trails documenting every step from intake to response. No-code setup means your team is operational in weeks.

To see how it works, request a demo.

Sources:

Information Commissioner’s Office (ICO), United Kingdom. “Right of access.” UK GDPR Guidance and Resources.

European Data Protection Board (EDPB). “CEF 2024: EDPB identifies challenges to the full implementation of the right of access.” January 16, 2025.

European Data Protection Board (EDPB). “Respect individuals’ rights.” SME Data Protection Guide.

European Commission. “What is personal data?”

National Conference of State Legislatures (NCSL). “2024 Consumer Data Privacy Legislation.”

Commission Nationale de l’Informatique et des Libertés (CNIL), France. “Data security and individual rights: FREE fined 300,000 euros.”

Commission Nationale de l’Informatique et des Libertés (CNIL), France. “Sanctions and corrective measures: CNIL’s actions in 2024.”

Colorado Attorney General. “Universal Opt-Out and the Colorado Privacy Act.”

Colorado Attorney General. “Colorado Privacy Act (CPA).”
