# How to Create a Data Subject Access Request (DSAR) Process
In an era where data privacy is paramount, your customers want to know exactly what information you hold about them. While Australia’s Privacy Act 1988 has long dictated how we handle personal information, global standards like the GDPR have raised the bar, and Australian small businesses are now expected to provide clear, accessible pathways for customers to request their data. Failing to have a process in place isn't just a compliance risk; it’s a trust issue for your brand.
Establishing a formal Data Subject Access Request (DSAR) process ensures that when a customer asks, "What do you know about me?", you can answer accurately, legally, and professionally without a last-minute scramble.
## Prerequisites
Before you start, ensure you have the following:
- A Data Inventory: A basic list of where you store customer data (e.g., Shopify, Mailchimp, Xero, or your CRM).
- Privacy Policy: Access to your current policy to update it with new instructions.
- Internal Access: Admin permissions for the software tools your business uses.
---
## Step 1: Designate a Privacy Lead
Even in a small Brisbane-based team, someone needs to own this process. If everyone is responsible, no one is. Designate a staff member (or yourself) as the point of contact for privacy enquiries. This person will be responsible for receiving requests, verifying identities, and gathering the data.
## Step 2: Create a Dedicated Intake Channel
Don't let data requests get lost in your general 'info@' inbox. Create a specific email address (e.g., privacy@yourbusiness.com.au) or a dedicated contact form on your website.
Screenshot Description: You should see a simple web form with fields for 'Full Name', 'Email Address used for our services', and a checkbox to confirm they are requesting a copy of their personal data.
## Step 3: Develop an Identity Verification Protocol
You must ensure the person requesting the data is who they say they are. However, avoid asking for more sensitive data (like a scan of their passport) if you don't already hold it.
- Pro Tip: Use 'known data points' for verification. Ask them to confirm their most recent purchase date or the last four digits of the phone number on file.
## Step 4: Map Your Data Touchpoints
To fulfil a request, you need to know where to look. Create a checklist of all platforms where customer data might live:
- Email Marketing: Mailchimp, ActiveCampaign, etc.
- E-commerce/POS: Shopify, Square, WooCommerce.
- Accounting: Xero, MYOB.
- Analytics: Google Analytics (User ID tracking).
- Customer Support: Zendesk or Gmail folders.
## Step 5: Define the Format of the Response
Under Australian privacy principles, you should provide the data in the manner requested if it is reasonable to do so. Generally, a machine-readable format like a CSV or a structured PDF is best. Most modern platforms (like Shopify or HubSpot) have an 'Export Customer Data' button that makes this easy.
## Step 6: Draft a Response Template
Consistency is key. Draft a polite email template that acknowledges the request, explains what data is being provided, and lists any data that was not included (and why, such as for legal or security reasons).
Warning: Never include data relating to other people in your response. If a customer's file contains notes mentioning another client's name or details, those must be redacted.
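As an added illustration of the redaction warning above (example code, not from the original article or any tool it mentions), the Python below masks e-mail addresses, Australian-style phone numbers and named other clients in free-text notes while leaving the requester's own details intact. The patterns, the `redact_third_parties` function and the sample note are all constructed for this example; a regex pass is a first filter, and a person should still read the export before it is sent.

```python
import re
from typing import Iterable

# Constructed patterns for this example: e-mail addresses and Australian-style
# phone numbers (optional +61 or 0 prefix, then nine digits with optional spaces/dashes).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?:\+61|0)\s?[2-9](?:[\s-]?\d){8}")


def _normalise_phone(s: str) -> str:
    """Keep digits only and fold a +61 prefix to a leading 0 so
    '+61 412 345 678' and '0412345678' compare equal."""
    digits = re.sub(r"\D", "", s)
    if digits.startswith("61"):
        digits = "0" + digits[2:]
    return digits


def redact_third_parties(text: str, requester_email: str,
                         requester_phone: str = "",
                         other_names: Iterable[str] = ()) -> str:
    """Mask contact details and names in a note that do not belong to the requester.

    The requester's own e-mail and phone number are left in place; every other
    e-mail address and phone number is replaced, as is each name in other_names.
    """
    req_email = requester_email.strip().lower()
    req_phone = _normalise_phone(requester_phone)

    def mask_email(m: re.Match) -> str:
        return m.group(0) if m.group(0).lower() == req_email else "[REDACTED EMAIL]"

    def mask_phone(m: re.Match) -> str:
        keep = bool(req_phone) and _normalise_phone(m.group(0)) == req_phone
        return m.group(0) if keep else "[REDACTED PHONE]"

    text = EMAIL_RE.sub(mask_email, text)
    text = PHONE_RE.sub(mask_phone, text)
    for name in other_names:
        # Whole-word, case-insensitive match so 'Bob Smith' is caught but 'Bobby' is not.
        text = re.sub(r"\b" + re.escape(name) + r"\b", "[REDACTED NAME]", text,
                      flags=re.IGNORECASE)
    return text


# Constructed sample note, as it might appear in a support-desk record.
SAMPLE_NOTE = ("Spoke with jane@example.com (0412 345 678) about a refund; "
               "Bob Smith bob.smith@example.com rang on 07 3123 4567.")

if __name__ == "__main__":
    print(redact_third_parties(SAMPLE_NOTE, "jane@example.com",
                               "+61 412 345 678", other_names=["Bob Smith"]))
```

Names of other clients have to be supplied explicitly because free text gives a regex nothing reliable to match on; pulling that list from your CRM export for the same period is one practical source.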
## Step 7: Establish a Timeline
While the Australian Privacy Act suggests responding within a "reasonable period" (usually 30 days), it's best practice to acknowledge the request within 48 hours. Set internal calendar reminders to ensure no request goes past the 30-day mark.
## Step 8: Update Your Privacy Policy
Now that you have a process, tell people about it. Update your Privacy Policy on your website to include a section titled "How to Access Your Information." Provide the email address or link to the form you created in Step 2.
## Step 9: Create a DSAR Log
For compliance and auditing, maintain a simple spreadsheet (or a secure digital log) of all requests. Record:
- Date received
- Requester name
- Verification method used
- Date fulfilled
- Format provided
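The verification approach in Step 3, the 48-hour and 30-day timeline in Step 7 and the log fields in Step 9 fit together in one small tracker. The Python below is an added example, not code from the article or from any of the platforms it names; the `verify_known_data_points`, `DsarEntry`, `overdue_requests` and `log_as_csv` names and the sample entries are all constructed. Note that the log records which verification method was used, never the data points themselves.

```python
import csv
import hmac
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

ACK_DEADLINE = timedelta(hours=48)     # best-practice acknowledgement window
FULFIL_DEADLINE = timedelta(days=30)   # "reasonable period" used by the article


def verify_known_data_points(on_file: dict, claimed: dict) -> bool:
    """Every claimed data point must match what is already on file.

    on_file and claimed look like {"last_purchase_date": "2024-03-14", "phone_last4": "5678"}.
    Only data you already hold is compared, so nothing new is collected for verification.
    """
    if not claimed:
        return False
    matched = True
    for key, value in claimed.items():
        expected = str(on_file.get(key, ""))
        supplied = str(value).strip()
        # Constant-time comparison, and no early exit, so response timing does not
        # reveal which data point was wrong. A missing/empty field on file never matches.
        ok = bool(expected) and hmac.compare_digest(expected.encode(), supplied.encode())
        matched &= ok
    return matched


@dataclass
class DsarEntry:
    received: datetime
    requester_name: str
    verification_method: str            # the method used, never the values themselves
    acknowledged: Optional[datetime] = None
    fulfilled: Optional[datetime] = None
    format_provided: str = ""

    @property
    def fulfil_due(self) -> datetime:
        return self.received + FULFIL_DEADLINE

    def status(self, now: datetime) -> str:
        if self.fulfilled is not None:
            return "fulfilled"
        if now > self.fulfil_due:
            return "overdue"
        if self.acknowledged is None and now > self.received + ACK_DEADLINE:
            return "acknowledgement overdue"
        return "open"


def overdue_requests(entries: Iterable[DsarEntry], now: datetime) -> List[DsarEntry]:
    """Entries that have missed either the acknowledgement or the fulfilment deadline."""
    return [e for e in entries if e.status(now) in ("overdue", "acknowledgement overdue")]


def log_as_csv(entries: Iterable[DsarEntry]) -> str:
    """Render the log with exactly the five fields the article asks you to record."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["date_received", "requester_name", "verification_method",
                     "date_fulfilled", "format_provided"])
    for e in entries:
        writer.writerow([
            e.received.date().isoformat(), e.requester_name, e.verification_method,
            e.fulfilled.date().isoformat() if e.fulfilled else "", e.format_provided,
        ])
    return buf.getvalue()


# Constructed sample log entries for this example.
SAMPLE_ENTRIES = [
    DsarEntry(datetime(2024, 5, 1, 9, 0), "Jane Citizen",
              "known data points (last purchase date; phone last 4)",
              acknowledged=datetime(2024, 5, 1, 15, 0),
              fulfilled=datetime(2024, 5, 10, 11, 0), format_provided="CSV"),
    DsarEntry(datetime(2024, 5, 20, 14, 0), "Sam Example", "logged-in account",
              acknowledged=datetime(2024, 5, 21, 9, 0)),
    DsarEntry(datetime(2024, 6, 3, 10, 0), "Alex Demo", "known data points"),
]

if __name__ == "__main__":
    now = datetime(2024, 6, 6, 10, 0)
    for entry in SAMPLE_ENTRIES:
        print(f"{entry.requester_name}: {entry.status(now)} (due {entry.fulfil_due.date()})")
    print(log_as_csv(SAMPLE_ENTRIES))
```

Running `overdue_requests` from a daily scheduled task gives you the calendar reminder from Step 7 without relying on someone remembering to set one.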
## Step 10: Train Your Staff
Ensure your customer-facing team knows what a DSAR is. If a customer mentions "I want my data" over the phone or via social media DM, your staff should know exactly which link or email address to direct them to.
---
## Common Mistakes to Avoid
- Charging a Fee: In most cases under Australian law, you should not charge a fee for making a request. While you may charge a reasonable administrative fee for the actual act of providing the data, it is generally discouraged for small businesses as it creates friction and looks poor for your brand.
- Being Overly Bureaucratic: Don't make the customer jump through unnecessary hoops. If they are logged into their account, that should be verification enough.
- Forgetting Third-Party Apps: If you use a third-party app for loyalty programs or bookings, remember that their data is also part of your responsibility.
## Troubleshooting
"What if I can't find any data for them?"
Double-check spelling and alternative email addresses. If you truly have nothing, respond politely stating that after a thorough search of your systems (list them), no personal information was found associated with their details.
"The customer is asking for their data to be deleted, not just accessed."
This is a 'Right to Erasure' or 'Right to be Forgotten.' While Australian law is slightly different from the EU's GDPR on this, it is best practice to comply where possible, provided you don't need to keep the data for tax (ATO) or legal reasons.
"I'm worried about sending sensitive info via email."
If the data is sensitive, use a secure file-sharing service with a password (sent via a different channel like SMS) or a tool like Dropbox Transfer that expires after one download.
## Next Steps
Now that your DSAR process is live, why not audit your data collection to ensure you aren't holding onto more than you need? Reducing the data you keep reduces the work you have to do when a request comes in!
If you need help setting up advanced tracking or ensuring your Google Analytics setup is privacy-compliant, contact the team at Local Marketing Group.