A.7.3.4 / GDPR Article 15 / ISO/IEC 27701:2019

DSAR process tested

Demonstrate that the organization periodically tests its DSAR process end-to-end and can successfully locate, compile, and deliver personal data in response to simulated subject access requests within regulatory deadlines.

Description

What this control does

This control validates that an organization's Data Subject Access Request (DSAR) process is periodically tested to confirm it can identify, retrieve, and deliver personal data to requestors within regulatory timeframes. Testing typically involves simulating requests across systems, verifying search coverage, measuring response times, and confirming redaction or format requirements. This ensures compliance with GDPR Article 15, CCPA Section 1798.110, and similar privacy statutes while identifying gaps in data inventories or retrieval workflows before an actual request arrives.

Control objective

What auditing this proves

Demonstrate that the organization periodically tests its DSAR process end-to-end and can successfully locate, compile, and deliver personal data in response to simulated subject access requests within regulatory deadlines.

Associated risks

Risks this control addresses

  • Failure to locate personal data in shadow systems or unmanaged repositories during actual DSAR requests, resulting in incomplete responses and regulatory penalties
  • Inability to meet statutory timelines (e.g., 30 days under GDPR, 45 days under CCPA) due to inefficient search procedures or unclear ownership
  • Inadvertent disclosure of third-party personal data or confidential business information through inadequate redaction or filtering during data compilation
  • Regulatory enforcement action and fines for non-compliance with access request obligations under GDPR, CCPA, or other privacy laws
  • Reputational damage and loss of consumer trust when data subjects escalate incomplete or delayed DSAR responses to supervisory authorities
  • Data inventory drift where production systems are no longer reflected in privacy records, rendering DSARs inaccurate or incomplete
  • Staff confusion or delays during actual requests due to lack of rehearsal, unclear procedures, or outdated runbooks

Testing procedure

How an auditor verifies this control

  1. Obtain the documented DSAR procedure, including roles, timelines, search scope, and escalation paths.
  2. Review the data inventory and systems register to confirm all processing activities and personal data repositories are listed and current.
  3. Identify the most recent DSAR simulation or test exercise documentation, including test date, scenario, and participants.
  4. Verify that the test simulated a realistic request (e.g., full access request from a consumer) and included at least two distinct data systems or repositories.
  5. Examine evidence that the test measured response time from request receipt to data delivery and compare this to regulatory deadlines.
  6. Validate that the test output was reviewed for completeness, accuracy, and proper redaction of third-party data or privileged information.
  7. Confirm that any gaps, delays, or errors identified during the test were documented in a findings log or corrective action plan.
  8. Check that DSAR testing occurs at a defined frequency (e.g., annually, after major system changes) per privacy program policy or compliance obligations.
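
The simulation steps above (querying every inventoried system, checking search coverage, redacting third-party data, and timing the response against the statutory deadline) can be rehearsed with a small harness. The following is an added example, not part of the control text or any vendor tooling; the data inventory, the repositories (including the `analytics` shadow system and the unreachable `hr_archive` entry), the subject identifiers and the dates are all constructed for illustration.

```python
"""DSAR simulation harness (added example; all data below is constructed).

Runs a simulated subject access request across several in-memory data stores,
checks search coverage against the data inventory, redacts third-party
personal data, measures elapsed time against the deadline, and writes an
auditor-facing findings log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed data inventory: systems the privacy register says hold personal
# data. 'hr_archive' is listed but (deliberately) has no reachable repository.
DATA_INVENTORY = {"crm", "billing", "support_tickets", "hr_archive"}

# Constructed repositories keyed by system name. 'analytics' is a live shadow
# system that is absent from the inventory (inventory drift).
REPOSITORIES = {
    "crm": [
        {"subject_id": "u-1001", "email": "alice@example.com", "name": "Alice Example"},
        {"subject_id": "u-2002", "email": "bob@example.com", "name": "Bob Example"},
    ],
    "billing": [
        {"subject_id": "u-1001", "invoice": "INV-77", "amount": 42.0},
    ],
    "support_tickets": [
        {"subject_id": "u-1001", "ticket": "T-9", "agent_email": "carol@example.com",
         "body": "Customer asked about a refund on INV-77"},
    ],
    "analytics": [
        {"subject_id": "u-1001", "last_seen": "2024-05-01"},
    ],
}

THIRD_PARTY_FIELDS = {"agent_email"}  # structured fields holding other people's data
FREE_TEXT_FIELDS = {"body"}           # fields that may hide third-party data
GDPR_DEADLINE = timedelta(days=30)    # deadline used by this control text


@dataclass
class DsarResult:
    subject_id: str
    records: dict = field(default_factory=dict)   # system -> list of redacted records
    findings: list = field(default_factory=list)  # findings log for corrective action
    elapsed: timedelta = timedelta(0)
    within_deadline: bool = False


def redact(record: dict) -> dict:
    """Replace structured third-party fields with a redaction marker."""
    return {k: ("[REDACTED-THIRD-PARTY]" if k in THIRD_PARTY_FIELDS else v)
            for k, v in record.items()}


def run_dsar_simulation(subject_id, inventory, repositories, received_at,
                        delivered_at, deadline=GDPR_DEADLINE) -> DsarResult:
    result = DsarResult(subject_id=subject_id)

    # Coverage check 1: every inventoried system must be queried and reachable.
    for system in sorted(inventory):
        if system not in repositories:
            result.findings.append(f"{system}: listed in inventory but not reachable")
            result.records[system] = []
            continue
        hits = [r for r in repositories[system] if r.get("subject_id") == subject_id]
        result.records[system] = [redact(r) for r in hits]
        if any(k in FREE_TEXT_FIELDS for r in hits for k in r):
            result.findings.append(
                f"{system}: free-text fields returned; manual review for third-party data required")

    # Coverage check 2: live systems holding this subject's data but missing from inventory.
    for system, rows in repositories.items():
        if system not in inventory and any(r.get("subject_id") == subject_id for r in rows):
            result.findings.append(
                f"{system}: holds subject data but is absent from the data inventory")

    # Timeliness check against the statutory deadline.
    result.elapsed = delivered_at - received_at
    result.within_deadline = result.elapsed <= deadline
    if not result.within_deadline:
        result.findings.append(
            f"response took {result.elapsed.days} days, exceeding the {deadline.days}-day deadline")
    return result


def demo(days_to_deliver: int = 19) -> DsarResult:
    """Run the constructed scenario with a fixed receipt date."""
    received = datetime(2024, 6, 1, tzinfo=timezone.utc)
    delivered = received + timedelta(days=days_to_deliver)
    return run_dsar_simulation("u-1001", DATA_INVENTORY, REPOSITORIES, received, delivered)


if __name__ == "__main__":
    res = demo()
    print(f"elapsed={res.elapsed.days}d within_deadline={res.within_deadline}")
    for f in res.findings:
        print("FINDING:", f)
```

Each finding maps to a line in the corrective action plan the auditor asks for in step 7; in practice the repositories would be real query adapters and the timestamps would come from the ticketing system that received the request.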

Evidence required

Collect DSAR test reports or simulation exercise summaries showing request scenarios, systems queried, data compiled, and elapsed time. Obtain corrective action plans or remediation tickets documenting issues discovered during testing. Gather timestamped screenshots or logs showing test request submission, data retrieval queries, and final output packages, along with the data inventory or processing register used to scope the search.

Pass criteria

The control passes if the organization has conducted a documented DSAR simulation within the last 12 months that successfully identified and retrieved personal data from all in-scope systems within regulatory timelines, and any identified deficiencies were tracked and remediated.

Where this control is tested

Audit programs including this control