Quick Answer
To handle data subject access requests (DSARs) properly under POPIA, set up clear steps to receive, verify, and respond to requests on time. Confirm the requester’s identity, find the personal data they want, and send it securely in a clear format. Keep track of each request and avoid sharing extra information to stay compliant in South Africa.
If you’ve never handled DSARs before, it might feel tricky at first. But with basic steps and workplace procedures, you can protect your customers’ and employees’ personal data while following the law. This guide will walk you through practical tips for managing DSARs effectively in a South African business context.
What Is a Data Subject Access Request (DSAR)?
A DSAR is when someone—like an employee, client, or supplier—asks to see what personal information your organisation holds about them. Under South Africa’s Protection of Personal Information Act (POPIA), they have the right to access this data. It’s your responsibility to respond clearly, safely, and on time.
Responding quickly and correctly is important because it shows you respect privacy rights and it avoids legal problems or fines. If you ignore or delay requests, you risk damaging trust or facing penalties.
Step 1: Set Up a Simple DSAR Procedure
Start by writing down how your organisation will handle DSARs. Decide how requests should come in – by email, website form, or post – and who on your team will manage them. Everyone involved needs basic training so they recognize DSARs and know what to do next.
Include clear ways to verify the person asking for the information. This helps prevent accidental disclosure of somebody else’s data. For example, you might ask for a copy of their South African ID or confirm details they already gave you.
Step 2: Acknowledge and Track Each Request
As soon as you get a DSAR, respond quickly to confirm receipt in writing. Let them know when they can expect a reply. POPIA expects responses without unreasonable delay, usually within 30 calendar days. Getting back faster is better for building a good relationship.
Keep a log of all requests including dates, who requested data, what info was asked for, and how you handled it. This helps keep things organised and proves your compliance later on.
Step 3: Find and Review the Data Carefully
Once you’ve confirmed who’s asking, find all the relevant personal info – this could be stored in emails, IT systems, paper files, or backups. Be thorough so you don’t miss anything important.
Check the data for information about other people or sensitive details. You may need to remove or hide those parts to protect privacy and follow POPIA’s rules about fair data use.
Step 4: Deliver the Data Safely and Clearly
Send the data back in a clear way that the requester can understand. Digital formats like PDFs sent via secure, encrypted email work well, but printed copies sent by locked mail is also an option.
Include a brief explanation about where the data came from, why you collect it, and how they can ask for corrections if anything is wrong. This helps build trust and shows you’re serious about data protection.
Common Pitfalls to Avoid When Handling DSARs
Don’t ignore or delay the initial acknowledgement—it risks legal trouble. Weak identity checks can expose personal info to the wrong people. Incomplete data searches don’t fulfil the request fully, which can lead to complaints. Poor record-keeping makes it harder to prove you’re following POPIA. Finally, only share what’s asked for, no extra info.
Example: Handling a DSAR from an Employee
Say an employee asks HR for all their personal data. HR confirms the employee’s identity and notes the request date. They collect files like employment contracts, leave records, and emails related to the employee. Any info about coworkers is redacted to keep their privacy safe. The final information is emailed securely within 21 days along with a note explaining data use and correction rights.
FAQ
What is the time limit to respond to a DSAR under POPIA?
Can organisations charge fees for responding to DSARs?
How should identity verification be done for a DSAR?
What if a DSAR asks for data that includes other people’s information?
Handling DSARs correctly is an important part of POPIA compliance, but it’s just one piece of the puzzle. To build strong data protection skills and keep your organisation compliant with South African laws, consider taking the Free POPIA & Data Protection Compliance Course with Certificate from EduCourse. This beginner-friendly online course covers all you need to know, from DSARs to data breach response, in practical South African workplace terms.





