Security · Data Quality · CRM Strategy
What is a data subject access request (DSAR), and how does a CRM handle one?
The short answer
A data subject access request (DSAR) is a formal request from a person — under GDPR, CCPA, and similar laws — asking to see, correct, or delete the personal data a company holds on them. A CRM handles one by locating every record tied to that person across contacts, deals, notes, and email history, then exporting, correcting, or deleting it within the legally required window, which is usually 30 days.
An email arrives asking a company to delete everything it holds on the sender, citing GDPR. Legal forwards it to whoever owns the CRM, and the clock is already running — most privacy laws give companies 30 days to respond. Finding every trace of one person across contacts, deal history, email logs, and notes scattered by several reps over several years isn’t a search anyone wants to be doing manually under a deadline.
What is a data subject access request?
A data subject access request (DSAR) is a legally protected request an individual can make to see what personal data a company holds about them, correct it if it’s wrong, or have it deleted — rights granted under regulations like the EU’s GDPR, California’s CCPA, and similar laws elsewhere. It’s distinct from a general customer inquiry: a DSAR triggers a legal obligation with a fixed deadline, not just a request a support rep can deprioritize.
How does a CRM handle one?
Handling a DSAR well means being able to answer three questions quickly for any named individual: what data exists, where it lives, and how to act on it.
- Locate every record tied to that person — not just their contact record, but related deals, notes, logged emails, call transcripts, and any custom fields or enrichment data appended from a third-party source.
- Export it in a readable format if the request is to see the data, or correct specific fields if the request is to fix inaccurate data.
- Delete or anonymize it if the request is for erasure — which needs to cascade across every related record, not just the primary contact, and account for audit trail entries that themselves reference the person.
- Log the request and its resolution, since regulators can ask for proof that requests were fulfilled within the required window, not just that they were fulfilled at all.
Most modern CRMs support at least a “find all records for this email address” search and a bulk export/delete action; fewer handle cascading deletion into linked systems (marketing automation, support tools, data warehouses) automatically, which is often the harder part in practice.
What happens if a request is ignored?
Missing the response window, or fulfilling it incompletely, is a genuine compliance failure with real financial penalties under GDPR and CCPA — not just a customer-service lapse. That’s why DSAR handling belongs to whoever owns CRM data governance, with a documented process, rather than sitting as an ad hoc task assigned to whichever rep happens to see the email first.
What should you do next?
If a DSAR arrived today, time how long it would actually take to find and act on every record tied to one person’s email address across your CRM and connected tools. If the honest answer is “longer than the legal deadline allows,” that’s the gap to close before a real request arrives.
Keep reading
Security · Data Quality
What is a CRM audit trail, and why does it matter?
What is a CRM audit trail and why does it matter? How change logs track who edited what data, and why that matters for compliance and trust.
Security · Buyer Guides
What happens to your data when you cancel a CRM subscription?
What happens to your data when you cancel a CRM subscription? Export windows, formats, and deletion policies vary widely and matter before you sign up.
CRM Strategy · Explainers
What is a custom object in a CRM, and how is it different from a custom field?
What is a custom object in a CRM, and how is it different from a custom field? A new record type for data that doesn't fit contacts, deals, or accounts.
CRM Strategy · Data Quality
What is reverse ETL, and how does it get warehouse data into your CRM?
What is reverse ETL? A process that pushes data from a warehouse back into a CRM, so reps see product usage and billing data on the contact record.