What are record-keeping obligations for DSAR responses?
Organizations should maintain comprehensive records of all DSARs and responses for compliance documentation and process improvement. For each request, record: when it was received (date and channel), who made the request (identity and verification method), what data was requested (full SAR or specific data types), when and how you responded, what information was provided, and any extensions or exemptions applied. This documentation proves you handled requests appropriately if regulators or the requesters themselves later question your compliance.
Retention periods for DSAR records should extend long enough to cover potential complaints or enforcement actions. While neither GDPR nor most other regulations specify exact retention periods for DSAR documentation, keeping records for 5-7 years aligns with typical limitation periods for complaints. Store enough detail to reconstruct what happened. If a regulator asks two years later why you took six weeks to respond, you should be able to explain the complexity that justified the extension.
Beyond individual request records, maintain aggregate metrics and process documentation. Track how many requests you receive, average response times, common data types requested, and any patterns in requests (such as spikes following certain campaigns or communications). This data helps identify process improvements and demonstrates systematic compliance. Document your DSAR handling procedures: the policies, workflows, and systems you use, so you can show that your compliance isn't ad hoc but follows established processes. Good record-keeping for DSARs serves two purposes: proving you handled each request properly, and demonstrating you have mature processes for handling all requests.