Get your DSAR process ready

22 May 2026

A data subject access request (“DSAR”) can arrive at any time, from any individual whose data you hold, and the clock starts ticking immediately. Much like preparing for an exam, the key to handling a DSAR well lies in the groundwork done beforehand.

Know your subject: legal requirements under UK GDPR

Article 15 of the UK General Data Protection Regulation (“UK GDPR”) gives individuals the right to confirmation that their personal data is being processed and, if so, access to that data.

They’re also entitled to supplementary information, including:

  • The purposes of the processing
  • How long the data will be retained
  • Who the data has been shared with.

A data subject access request (DSAR) doesn’t need to follow a set format. It can arrive by email, letter, social media or even verbally. Once you receive a valid request, you usually have one calendar month to respond.

That deadline can be extended by up to two further months for complex requests or multiple requests from the same individual. If you do extend, you must tell the requester within the original one-month timeframe and explain why.

The right of access is enforceable. The Information Commissioner’s Office (ICO) can take action where an organisation fails to comply, and individuals may apply to the court for an order or seek compensation.

The practical challenges

While the legal framework is straightforward in principle, challenges often arise in practice. Organisations must carry out a reasonable and proportionate search, and the right of access applies wherever personal data is stored. In reality, data is often spread across email inboxes, shared drives, software platforms, HR systems, archived records and paper files. The ICO expects the same effort to retrieve data from backup systems as from live ones, and there’s no technology exemption.

You may also need to apply exemptions correctly, for example where disclosure would reveal a third party’s personal data or where legal professional privilege applies. This requires careful, case-by-case judgement rather than blanket redaction.

Your revision plan

Like any effective revision plan, the key is to start before the pressure is on.

  1. Establish a documented workflow – set out who receives DSARs, how they’re logged, who coordinates the response, and how it is approved and issued
  2. Train staff – make sure people across your organisation can recognise a request and escalate it promptly
  3. Keep your records of processing activities up to date – knowing what data you hold and where it sits puts you in a strong position to respond efficiently
  4. Test your process – work through a hypothetical DSAR from start to finish to identify gaps or pinch points.

Why the revision pays off

Clear workflows, trained staff and up-to-date records put you in the strongest position to respond confidently and on time. Revision season is already here, so preparation now can save significant stress later.
