Answers / Risk & Compliance

How do you handle a data subject access request (DSAR)?

A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.

THE SHORT ANSWER

(1) Verify identity of the requester. (2) Log the request with timestamp (Art. 15 GDPR: respond within 1 month). (3) Search all systems for the individual’s data. (4) Compile: what data we hold, why, who we share it with, retention periods, and source of data. (5) Redact third-party data if necessary. (6) Provide response in a commonly used electronic format. (7) Document the process and close the request.

WHAT INTERVIEWERS LISTEN FOR

  • Verify identity first
  • Log request and track timeline
  • Search all systems comprehensively
  • Redact third-party data
  • Respond within one month

COMMON MISTAKES

  • Failing to verify identity
  • Missing the one-month deadline
  • Not searching all systems

Reading isn't the same as answering under pressure.

Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.

TRY QUICKFIRE →Or train full Risk & Compliance case simulations →

RELATED QUESTIONS