Person learning artificial intelligence skills on a laptop in a modern workspace

How to Handle Data Subject Access Requests (DSARs) Correctly Under POPIA

Quick Answer

To handle data subject access requests (DSARs) properly under POPIA, set up clear steps to receive, verify, and respond to requests on time. Confirm the requester’s identity, find the personal data they want, and send it securely in a clear format. Keep track of each request and avoid sharing extra information to stay compliant in South Africa.

If you’ve never handled DSARs before, it might feel tricky at first. But with basic steps and workplace procedures, you can protect your customers’ and employees’ personal data while following the law. This guide will walk you through practical tips for managing DSARs effectively in a South African business context.

What Is a Data Subject Access Request (DSAR)?

A DSAR is when someone—like an employee, client, or supplier—asks to see what personal information your organisation holds about them. Under South Africa’s Protection of Personal Information Act (POPIA), they have the right to access this data. It’s your responsibility to respond clearly, safely, and on time.

Responding quickly and correctly is important because it shows you respect privacy rights and it avoids legal problems or fines. If you ignore or delay requests, you risk damaging trust or facing penalties.

Step 1: Set Up a Simple DSAR Procedure

Start by writing down how your organisation will handle DSARs. Decide how requests should come in – by email, website form, or post – and who on your team will manage them. Everyone involved needs basic training so they recognize DSARs and know what to do next.

Include clear ways to verify the person asking for the information. This helps prevent accidental disclosure of somebody else’s data. For example, you might ask for a copy of their South African ID or confirm details they already gave you.

Step 2: Acknowledge and Track Each Request

As soon as you get a DSAR, respond quickly to confirm receipt in writing. Let them know when they can expect a reply. POPIA expects responses without unreasonable delay, usually within 30 calendar days. Getting back faster is better for building a good relationship.

Keep a log of all requests including dates, who requested data, what info was asked for, and how you handled it. This helps keep things organised and proves your compliance later on.

Step 3: Find and Review the Data Carefully

Once you’ve confirmed who’s asking, find all the relevant personal info – this could be stored in emails, IT systems, paper files, or backups. Be thorough so you don’t miss anything important.

Check the data for information about other people or sensitive details. You may need to remove or hide those parts to protect privacy and follow POPIA’s rules about fair data use.

Step 4: Deliver the Data Safely and Clearly

Send the data back in a clear way that the requester can understand. Digital formats like PDFs sent via secure, encrypted email work well, but printed copies sent by locked mail is also an option.

Include a brief explanation about where the data came from, why you collect it, and how they can ask for corrections if anything is wrong. This helps build trust and shows you’re serious about data protection.

Common Pitfalls to Avoid When Handling DSARs

Don’t ignore or delay the initial acknowledgement—it risks legal trouble. Weak identity checks can expose personal info to the wrong people. Incomplete data searches don’t fulfil the request fully, which can lead to complaints. Poor record-keeping makes it harder to prove you’re following POPIA. Finally, only share what’s asked for, no extra info.

Example: Handling a DSAR from an Employee

Say an employee asks HR for all their personal data. HR confirms the employee’s identity and notes the request date. They collect files like employment contracts, leave records, and emails related to the employee. Any info about coworkers is redacted to keep their privacy safe. The final information is emailed securely within 21 days along with a note explaining data use and correction rights.

FAQ

What is the time limit to respond to a DSAR under POPIA?
POPIA expects organisations to respond without undue delay, typically within 30 calendar days after receiving the request.
Can organisations charge fees for responding to DSARs?
Yes, but only reasonable fees to cover administrative costs. Fees shouldn’t be too high or discourage requests, and it’s good to inform the requester about any charges upfront.
How should identity verification be done for a DSAR?
Use documents like South African ID, passports, or official letters. The level of verification depends on how sensitive the data is and should always protect privacy.
What if a DSAR asks for data that includes other people’s information?
You must carefully assess if sharing third-party data is allowed. Personal details of others are usually redacted unless you have consent or a legal reason to share.

Handling DSARs correctly is an important part of POPIA compliance, but it’s just one piece of the puzzle. To build strong data protection skills and keep your organisation compliant with South African laws, consider taking the Free POPIA & Data Protection Compliance Course with Certificate from EduCourse. This beginner-friendly online course covers all you need to know, from DSARs to data breach response, in practical South African workplace terms.

Naledi Mokoena
Naledi Mokoena

Naledi Mokoena is a workplace training specialist and educational content writer at EduCourse, where she develops practical learning resources focused on office administration, workplace communication, digital skills, productivity, and professional development.

With a strong focus on modern workplace expectations in South Africa, her work helps learners strengthen essential office skills, improve professional confidence, and build knowledge that supports long-term career growth. Her content combines practical workplace insight with accessible online learning designed for both new and experienced professionals.

Articles: 7848