Thu, 04 Jun 2026 Article

The Privacy & Compliance Review

Data Protection · Legal Compliance · Governance
By Richard Beyemba Yorda

DSAR COMPLIANCE
The Clock Is Already Running: What Organisations Must Know About DSAR Response Deadlines

Missing a Data Subject Access Request deadline is not a procedural hiccup; it is a compliance failure with direct regulatory consequences. Here is what every data controller and privacy officer must understand before the next request lands in their inbox.

In the evolving landscape of data privacy law, few obligations carry as immediate and measurable a compliance risk as the Data Subject Access Request, commonly known as the DSAR. It is the formal mechanism by which individuals exercise one of the most fundamental rights granted under modern privacy legislation: the right to know what personal data an organisation holds about them, how it is being used, and who it has been shared with. For organisations operating in Ghana, across the African continent, or within the European Union's sphere of influence, honouring this right within prescribed timeframes is not optional. It is the law.

Yet despite growing regulatory awareness, a surprising number of organisations continue to treat DSAR timelines as a loose guideline rather than a strict legal obligation. The consequences of this misunderstanding can be severe, ranging from regulatory investigations and administrative fines to reputational damage that erodes the very trust that modern businesses depend on. This article examines the applicable deadlines, the frameworks that govern them, and the practical steps organisations should adopt to remain consistently compliant.

What Is a DSAR and Who Can Submit One?

A Data Subject Access Request is a formal written (or, in many jurisdictions, verbal) request made by an individual to an organisation asking for access to the personal data held about them. The person making the request, referred to in legal terms as the 'data subject,' may be a customer, an employee, a job applicant, a patient, a citizen, or any other individual whose data the organisation processes. The right is broad, personal, and non-negotiable: the data subject does not need to provide a reason, and the organisation cannot require justification as a condition for compliance.

Once received, regardless of the channel through which it arrives, whether by email, letter, phone, or online form, the DSAR sets a regulatory clock in motion. That clock does not pause for weekends, staff holidays, or internal administrative delays. It begins at the moment of receipt, and it runs until a complete, lawful response has been delivered.

"The clock starts the moment the request is received. Not when it is assigned. Not when it is logged. Not when it is escalated. The moment it is received."

Data Protection Compliance Principle

The Legal Frameworks: Ghana's Act 843 and the GDPR

Two primary frameworks are relevant to organisations operating in or connected to Ghana and Europe respectively. Both impose clear response obligations, though their specific timelines differ in detail.

Ghana's Data Protection Act, 2012 (Act 843) is the cornerstone of domestic data privacy law in Ghana. Administered by the Data Protection Commission, Act 843 establishes the rights of data subjects and the corresponding obligations of data controllers. Under this framework, an organisation that receives a DSAR must respond in full within 21 calendar days of receipt. This is a hard deadline. The law does not provide for a standard extension window in the way that some international frameworks do, making prompt internal action all the more critical for organisations subject to Ghanaian jurisdiction.

The General Data Protection Regulation (GDPR) governs data processing within the European Union and applies extraterritorially to organisations worldwide that process the data of EU residents. It sets a response period of one calendar month from the date of receipt, precisely one calendar month, aligned to the date. An organisation that receives a DSAR on the 10th of any given month must provide a complete response by the 10th of the following month.

| Framework | Jurisdiction | Standard Deadline | Extension Provision |
|-----------|--------------|-------------------|---------------------|
| Act 843 | Ghana | 21 calendar days from receipt | Not stipulated as standard |
| GDPR | EU / EEA (+ extraterritorial) | 1 calendar month from receipt | Up to 2 additional months (with notification) |

Understanding the GDPR Extension Provision

The GDPR does permit organisations to extend their response window by up to two additional months where the request is complex or where a single organisation receives a high volume of simultaneous requests. However, this extension is subject to a critical procedural condition that many organisations overlook: the data subject must be notified of the extension within the first calendar month, and the notification must include a clear explanation of the reasons for the delay.

This means the extension is not self-activating. An organisation cannot simply allow the deadline to pass and subsequently justify the delay by citing complexity. If the notification is not sent within the initial one-month window, the extension is forfeited, and the organisation is already in breach. This procedural requirement is not a technicality; it is a substantive compliance obligation designed to ensure data subjects remain informed and empowered throughout the process.

GDPR RESPONSE TIMELINE AT A GLANCE

  • Day 1: DSAR received. The compliance clock begins immediately — regardless of the day of the week or the channel of receipt.
  • Day 1–15: Internal triage and verification. Identify the scope of the request, verify the identity of the data subject, and assign responsibility to the appropriate team or officer.
  • Day 15: Recommended internal target for dispatching a quality, complete response — providing a comfortable buffer before the legal deadline.
  • Day 30: Legal deadline for a full response, or for notifying the data subject of an extension with stated reasons.
  • Day 31–90: Extension window — only valid if the data subject was formally notified by Day 30. The response must be delivered no later than three months from the original date of receipt.
  • Day 91+: Any response delivered beyond this point, without prior valid notification, constitutes a compliance breach and may be reported to the supervisory authority.

The Real Cost of Non-Compliance

When an organisation fails to respond to a DSAR within the prescribed deadline, the consequences extend well beyond a formal notice from a data protection authority. A data subject who has not received a timely response has the right to lodge a complaint with the relevant supervisory authority: the Data Protection Commission in Ghana, or the applicable national supervisory authority within the EU under the GDPR. These authorities have broad investigative powers and, in the case of GDPR regulators, can impose administrative fines of up to €20 million or four percent of annual global turnover, whichever is higher.

Beyond the financial penalties, regulatory investigations are resource-intensive, time-consuming, and frequently public. For organisations in sectors where trust is a competitive differentiator (banking, healthcare, education, professional services), the reputational implications of a publicised data protection breach can be more damaging than any fine. Customers and clients who discover that their access rights were delayed or ignored are unlikely to view that organisation with confidence again.

KEY COMPLIANCE RISKS AT A GLANCE

  • Formal investigation by the Data Protection Commission (Ghana) or EU supervisory authority
  • Administrative fines under the GDPR, up to €20 million or 4% of global annual turnover
  • Civil claims by data subjects for damage caused by non-compliance
  • Mandatory reporting obligations in regulated sectors
  • Reputational damage and erosion of institutional trust
  • Increased regulatory scrutiny in future audits and assessments

Building a DSAR-Ready Organisation

The most effective compliance posture is one that treats DSARs not as infrequent disruptions, but as predictable events that an organisation should be structurally prepared to handle. This requires three fundamental organisational capabilities: detection, process, and documentation.

Detection refers to the organisation's ability to recognise a DSAR wherever it arrives. Data subjects do not always use formal language; a customer who emails to ask "Can you tell me everything you have on me?" has submitted a valid DSAR regardless of whether those specific words appear in the message. Customer-facing staff, whether in reception, customer service, HR, or administration, must be trained to identify and correctly escalate these requests without delay.

Process refers to the internal workflow that activates once a DSAR is identified. This should be documented, assigned to a named responsible officer or team, and accompanied by internal deadline tracking that accounts for the applicable legal framework. The recommended best practice is to set an internal response target that is meaningfully earlier than the legal deadline. A quality, complete response delivered on Day 15 of a 21-day window demonstrates organisational competence and leaves room to address any complications that arise.

Documentation refers to maintaining clear records of every DSAR received, the date of receipt, the steps taken to respond, and the date of dispatch. In the event of a regulatory enquiry, the ability to produce this evidence trail is the difference between a swift resolution and a protracted investigation.

"A quality response sent on Day 15 beats a scrambled one sent on Day 21. Compliance built on urgency is compliance built on fragile ground."

Conclusion: Compliance Is a Culture, Not a Calendar

The DSAR response timeline is, at its core, a test of organisational readiness. It reveals whether a data controller has genuinely internalised the rights of the individuals whose data it holds, or whether data protection is treated as a box-ticking exercise to be attended to when convenient. In a world where data privacy legislation continues to strengthen across Africa and globally, organisations that invest in genuine compliance infrastructure will be better positioned, legally, reputationally, and competitively, than those that do not.

The deadline begins the moment the request is received. The only question is whether your organisation is ready for it.

By Richard Beyemba Yorda: Security Administration Professional / Certified Data Protection Officer (CDPO) & Political Affairs Commentator.

Disclaimer: "The views expressed in this article are the author’s own and do not necessarily reflect ModernGhana official position. ModernGhana will not be responsible or liable for any inaccurate or incorrect statements in the contributions or columns here."
