A Data Subject Access Request (DSAR) is a formal request from an individual to access the personal data an organisation holds about them. Under Australia’s Privacy Act, individuals have the right to know what data you hold, how you use it, and who you share it with.
And organisations have a legal obligation to respond correctly, and within the required timeframe.
The 30-Day Clock
Once a DSAR is received, your organisation has 30 days to respond. That means locating all personal data held about the individual across every system, including databases, emails, backups, and third-party platforms, then reviewing it for exemptions, redacting appropriately, and delivering a compliant response.
For organisations without proper data governance in place, 30 days is extremely tight.
What Happens If You Get It Wrong
- Regulatory complaints to the Office of the Australian Information Commissioner (OAIC)
- Formal investigations and potential fines
- Reputational damage if non-compliance becomes public
- Loss of customer trust, often the most costly outcome of all
How DPC Helps
Our DSAR Managed Service takes the entire process off your plate. From intake and verification through to data retrieval, redaction, and response, we handle it end-to-end, within compliance requirements, every time.
Need help managing your DSAR obligations? Deliver and Operationalise →
