Subject access (DSAR) workflow tested
Demonstrate that the organization has documented and successfully tested its DSAR workflow to validate functional completeness, accuracy, timeliness, and compliance with applicable privacy regulations.
Description
What this control does
This control validates that the organization has designed, documented, and operationally tested its Data Subject Access Request (DSAR) workflow to ensure timely, accurate, and complete responses to individual rights requests under privacy regulations such as GDPR, CCPA, or similar. Testing verifies that the workflow correctly identifies relevant systems, retrieves personal data, applies exemptions appropriately, and delivers responses within regulatory timeframes. Effective DSAR processes reduce regulatory penalties, prevent unauthorized disclosures, and demonstrate accountability to supervisory authorities.
Control objective
What auditing this proves
Demonstrate that the organization has documented and successfully tested its DSAR workflow to validate functional completeness, accuracy, timeliness, and compliance with applicable privacy regulations.
Associated risks
Risks this control addresses
- Failure to respond to DSARs within regulatory deadlines (e.g., 30 days under GDPR) resulting in fines and enforcement action
- Incomplete data retrieval causing omission of personal data in DSAR responses and violation of individual rights
- Excessive or unauthorized data disclosure when responding to DSARs, exposing third-party information or trade secrets
- Inability to locate or retrieve personal data across disparate systems due to inadequate data mapping or inventory
- Manual or undocumented DSAR processes leading to inconsistent handling, errors, or missed requests
- Lack of verification mechanisms allowing fraudulent DSARs to result in unauthorized data access
- Delays or failures in workflow handoffs between legal, IT, and business units causing regulatory non-compliance
Testing procedure
How an auditor verifies this control
- Obtain the documented DSAR workflow, including process flowcharts, standard operating procedures, roles and responsibilities matrix, and timeline requirements for each stage.
- Review the data inventory or data mapping documentation that supports DSAR fulfillment, verifying coverage of all systems, databases, and repositories processing personal data.
- Select a sample of completed DSAR test cases or production DSAR tickets from the past 12 months, ensuring representation of different request types (access, rectification, erasure, portability).
- Trace each sampled DSAR through the workflow stages: intake, identity verification, data search and retrieval, legal review, redaction or exemption application, and final delivery.
- Verify that identity verification procedures were applied consistently and documented for each sampled request, confirming authentication methods meet regulatory standards.
- Confirm that response timelines documented in each sampled case comply with applicable regulatory deadlines, including any extension notifications sent to requestors.
- Interview DSAR workflow participants (privacy team, IT, legal) to validate understanding of procedures, escalation paths, and exception handling protocols.
- Examine evidence of the most recent end-to-end DSAR workflow test (e.g., tabletop exercise or simulated request), reviewing test scenarios, findings, remediation actions, and management sign-off.
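The tracing, identity-verification and timeliness checks in the procedure above lend themselves to a small evidence checker that an auditor can run over a sample of exported DSAR tickets. The script below is an added example, not part of the original control page and not any vendor's tooling. It assumes a hypothetical ticket export with one completion date per workflow stage, treats the 30-day deadline cited above as the response window, and assumes a 60-day extension that counts only when the requestor was notified before the original deadline (both values are constructed policy parameters to be replaced with the organization's documented timelines). The sample records are constructed.

```python
"""Constructed DSAR evidence checker (added example, not from the original page).

Each record models one sampled DSAR ticket. The checker flags missing or
out-of-order workflow stages, undocumented identity verification, and
delivery after the (possibly extended) regulatory deadline, and reports
which request types the sample failed to cover.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy parameters (hypothetical): the page cites 30 days as the
# illustrative GDPR deadline; the extension length is an assumption.
RESPONSE_DEADLINE_DAYS = 30
EXTENSION_DAYS = 60

# Workflow stages named in the testing procedure, in the order they must occur.
REQUIRED_STAGES = ("intake", "identity_verification", "search_retrieval",
                   "legal_review", "redaction", "delivery")
REQUEST_TYPES = ("access", "rectification", "erasure", "portability")


@dataclass
class DsarRecord:
    ticket_id: str
    request_type: str                    # one of REQUEST_TYPES
    received: date                       # intake date that starts the clock
    stages: Dict[str, date]              # stage name -> completion date
    identity_method: Optional[str]       # None when verification was not documented
    extension_notified: Optional[date] = None  # date requestor was told of an extension


def deadline_for(rec: DsarRecord) -> date:
    """Return the response deadline, honouring an extension only if the
    requestor was notified on or before the original deadline."""
    base = rec.received + timedelta(days=RESPONSE_DEADLINE_DAYS)
    if rec.extension_notified is not None and rec.extension_notified <= base:
        return base + timedelta(days=EXTENSION_DAYS)
    return base


def audit_record(rec: DsarRecord) -> List[str]:
    """Trace one ticket through the workflow and return a list of findings
    (empty list means the ticket passed every check)."""
    findings: List[str] = []
    previous = rec.received
    for stage in REQUIRED_STAGES:
        done = rec.stages.get(stage)
        if done is None:
            findings.append(f"missing stage: {stage}")
            continue
        if done < previous:
            findings.append(f"stage out of order: {stage} dated {done} "
                            f"precedes earlier stage dated {previous}")
        previous = done
    if not rec.identity_method:
        findings.append("identity verification not documented")
    delivered = rec.stages.get("delivery")
    if delivered is not None and delivered > deadline_for(rec):
        findings.append(f"delivered {delivered} after deadline {deadline_for(rec)}")
    return findings


def audit_sample(records: List[DsarRecord]) -> Dict[str, List[str]]:
    """Run audit_record over the whole sample, keyed by ticket id."""
    return {r.ticket_id: audit_record(r) for r in records}


def sample_coverage(records: List[DsarRecord]) -> List[str]:
    """Return the request types the sample does not represent."""
    present = {r.request_type for r in records}
    return [t for t in REQUEST_TYPES if t not in present]


# Constructed sample: one clean ticket, one late ticket with undocumented
# identity checks, and one extended ticket that skipped legal review.
SAMPLE_RECORDS = [
    DsarRecord("DSAR-001", "access", date(2024, 3, 1), {
        "intake": date(2024, 3, 1), "identity_verification": date(2024, 3, 4),
        "search_retrieval": date(2024, 3, 12), "legal_review": date(2024, 3, 18),
        "redaction": date(2024, 3, 22), "delivery": date(2024, 3, 25),
    }, identity_method="government_id"),
    DsarRecord("DSAR-002", "erasure", date(2024, 3, 5), {
        "intake": date(2024, 3, 5), "identity_verification": date(2024, 3, 6),
        "search_retrieval": date(2024, 3, 28), "legal_review": date(2024, 4, 10),
        "redaction": date(2024, 4, 15), "delivery": date(2024, 4, 20),
    }, identity_method=None),
    DsarRecord("DSAR-003", "portability", date(2024, 3, 10), {
        "intake": date(2024, 3, 10), "identity_verification": date(2024, 3, 12),
        "search_retrieval": date(2024, 4, 30), "redaction": date(2024, 5, 10),
        "delivery": date(2024, 5, 15),
    }, identity_method="account_login", extension_notified=date(2024, 3, 20)),
]

if __name__ == "__main__":
    for ticket, findings in audit_sample(SAMPLE_RECORDS).items():
        print(ticket, "PASS" if not findings else "; ".join(findings))
    print("request types not covered by sample:", sample_coverage(SAMPLE_RECORDS))
```

Running the script reports DSAR-001 as passing, DSAR-002 as both undocumented and late, DSAR-003 as missing its legal review, and rectification as the request type the sample failed to cover, which maps directly onto the sampling, tracing and timeliness steps above.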
Where this control is tested