DSARs From Start to Finish: How to Handle Every Stage Correctly
Sheikh Nasim
Jun 15, 2026
11 min read

A Data Subject Access Request, often called a DSAR or SAR, can arrive at any time and through almost any channel. It may come from a customer by email, a former employee during a dispute, a supplier contact through a web form, a parent acting for a child, or a solicitor writing on behalf of an individual. It may not mention “GDPR”, “Article 15”, “data subject access request”, or any legal terminology at all.

From the moment a valid request is received, the organisation needs to respond without undue delay and normally within one month. Many teams refer to this as the SAR 30 day deadline, but under UK GDPR the legal deadline is one calendar month, which can sometimes be shorter or longer than 30 days depending on the month.

Most organisations have a policy that says something about access requests. Far fewer have a tested workflow that covers recognition, verification, searching, review, redaction, exemption analysis, response, and audit trail. This guide explains how to handle a DSAR from start to finish so that no step is missed, no deadline is breached, and no response creates more risk than the original request.

What is a data subject access request and who has the right to make one?

A DSAR is a request from an individual to access their personal data and related information about how it is being used. It is one of the core rights under data protection law.

The right of access under Article 15 UK GDPR: what it is and where it comes from

Article 15 of UK GDPR gives individuals the right to obtain confirmation that their personal data is being processed, access to that data, and supplementary information about the processing. This includes information such as the purposes of processing, categories of personal data, recipients, retention periods, and rights available to the individual.

The purpose of the right is transparency. It allows people to understand what information an organisation holds about them and how it is being used.

Who can submit a DSAR — individuals, children, third-party agents, and legal representatives

A DSAR can be made by the individual whose data is involved. A child can also make a request if they have sufficient understanding. In some cases, a parent or guardian may act on a child’s behalf.

A third-party agent, solicitor, family member, union representative, or other authorised person may also submit a DSAR for someone else. However, the organisation should verify that the third party has authority to act and should consider whether the response should go to the individual or the representative.

What form a DSAR must take and whether it needs to mention GDPR or Article 15 to be valid

A DSAR does not need to follow a special format. It can be made verbally or in writing. It can arrive by email, letter, web form, phone call, social media message, customer support ticket, or internal HR conversation.

The requester does not need to use the words “subject access request.” A message saying “Send me all the information you hold about me” may be a valid DSAR. So may “I want to see my HR file” or “What personal data do you have about me?”

Identifying a DSAR at the point of receipt — including requests that do not look like formal DSARs

The first operational risk is failing to recognise the request. Customer service, HR, reception, sales, support, and line managers may receive DSARs before the privacy team knows about them.

Training is essential. Staff should know the warning phrases, know who to notify, and understand that requests do not need to be formal. A DSAR workflow template should begin with a clear intake route so that any employee can escalate a possible request quickly.

What must an organisation provide in response to a valid DSAR?

A DSAR response is not simply a data dump. It must provide the individual with their personal data and relevant supplementary information, while protecting other people’s rights and applying any lawful exemptions.

The scope of a DSAR: the categories of information the data subject is entitled to receive

A valid DSAR may require the organisation to provide copies of the individual’s personal data. This could include account information, customer records, HR files, emails, call notes, application records, support tickets, system logs, complaint files, performance records, or other data linked to the individual.

The response should also explain how the data is used, who it is shared with, how long it is kept, and what rights the individual has.

The exemptions: the lawful grounds for withholding specific categories of information

There are exemptions under UK GDPR that organisations may rely on in specific circumstances. These can include legal professional privilege, management information in certain contexts, confidential references, crime and taxation exemptions, negotiations with the requester, and other legally recognised grounds.

Exemptions should not be applied casually. Each withholding decision should be assessed, documented, and limited to the relevant information. If only part of a document is exempt, the rest may still need to be disclosed.

Third-party data within a DSAR response: the balancing test and redaction decisions

Many DSARs include information about more than one person. Emails, investigation notes, customer complaints, HR records, and chat messages often contain mixed data.

Decisions about redacting third-party data in a DSAR response require care. The organisation must consider whether disclosing the information would reveal another person’s personal data, whether that person has consented, whether disclosure is reasonable, and whether redaction can protect their rights.

Redaction should be consistent and documented. Over-redaction may frustrate the requester and look defensive. Under-redaction may compromise third parties’ privacy rights.

The format and delivery of the response: what “commonly used electronic means” means in practice

If the request is made electronically, the response is usually provided electronically unless the individual requests otherwise. Common formats may include PDF files, CSV exports, secure portal downloads, or encrypted attachments.

Security matters. A DSAR response can contain sensitive personal data. Sending it to the wrong email address, failing to encrypt it, or using an insecure transfer method can create a new data breach.

How should the DSAR process be managed operationally from receipt to response?

A good DSAR process under UK GDPR, one that teams can rely on, should be structured, timed, and auditable.

Verifying the identity of the requestor — and the risks of applying excessive verification demands

Organisations can ask for information needed to confirm identity, especially where the data is sensitive or there is reasonable doubt. However, verification must be proportionate.

Do not ask for excessive identification if the person is already known or logged into an authenticated account. Do not collect unnecessary documents “just in case.” Overly demanding verification can delay the exercise of rights and create additional privacy risk.

The 30-day response deadline: when the clock starts, how extensions work, and what stops it

The organisation must usually respond without undue delay and within one month. The clock normally starts when the request is received, although if identity verification is reasonably required, the period may run from when the necessary identity information is received.

DSAR extension rules allow more time where requests are complex or numerous. In those cases, the response period can be extended by up to two further months, but the individual must be told within the first month and given reasons.

If a request is unclear and clarification is genuinely needed, the organisation may be able to stop the clock while waiting for clarification. This should not be used as a delay tactic.
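The following deadline calculator is an added illustration of the rules above and is not code from the original article or from KitLearn. It computes the response deadline in calendar months rather than days, starting from the date of receipt or, where identity verification was reasonably required, from the date the identity information arrived, and applies the two-month extension where one has been claimed. The rule that a start date with no corresponding day in the target month (for example 31 January) rolls to the last day of that month is an assumption based on ICO guidance, not something stated on this page; the clarification "stop the clock" case is deliberately left out because the page gives no rule for how the paused period is resumed.

```python
import calendar
from datetime import date
from typing import Optional


def add_calendar_months(start: date, months: int) -> date:
    """Return the corresponding date `months` calendar months after `start`.

    If the target month has no such day (31 Jan + 1 month), fall back to the
    last day of the target month. Assumed end-of-month rule (ICO guidance),
    not stated in the article.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def response_clock_start(received: date, identity_confirmed: Optional[date] = None) -> date:
    """The clock starts on receipt, or later if identity information was reasonably required."""
    if identity_confirmed is not None and identity_confirmed > received:
        return identity_confirmed
    return received


def dsar_deadline(received: date,
                  identity_confirmed: Optional[date] = None,
                  extended: bool = False) -> date:
    """One calendar month from the clock start; three months in total if extended."""
    start = response_clock_start(received, identity_confirmed)
    return add_calendar_months(start, 3 if extended else 1)


def extension_notice_due(received: date, identity_confirmed: Optional[date] = None) -> date:
    """The requester must be told about an extension, with reasons, within the first month."""
    return dsar_deadline(received, identity_confirmed, extended=False)


def period_length_days(received: date, identity_confirmed: Optional[date] = None) -> int:
    """Length of the unextended period in days; shows that 'one month' is rarely exactly 30 days."""
    start = response_clock_start(received, identity_confirmed)
    return (dsar_deadline(received, identity_confirmed) - start).days


if __name__ == "__main__":
    # Constructed sample requests, not real cases.
    for received, verified in [(date(2026, 1, 31), None),
                               (date(2026, 3, 15), None),
                               (date(2026, 1, 31), date(2026, 2, 3))]:
        print(received, "verified:", verified,
              "deadline:", dsar_deadline(received, verified),
              f"({period_length_days(received, verified)} days)",
              "extended:", dsar_deadline(received, verified, extended=True))
```

Running the block prints the unextended and extended deadlines for three constructed cases; a request received on 31 January 2026 is due on 28 February (a 28-day period), one received on 15 March is due on 15 April (31 days), and the extended deadline for the January request falls on 30 April because April has no 31st.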

Searching across systems: email archives, CRM platforms, HR systems, paper files, and chat logs

The search stage is often the hardest part. Personal data may sit in customer relationship management systems, HR platforms, payroll systems, email archives, shared drives, paper files, call recordings, collaboration tools, project management platforms, ticketing systems, and chat logs.

A strong DSAR process relies on data mapping. If the organisation does not know where personal data is held, it will struggle to search effectively.

Logging and tracking active DSARs: accountability and records

A DSAR log should record the request date, requester identity, scope, verification status, systems searched, owners contacted, exemptions considered, redactions made, response date, and outcome.

This log is not the same thing as a Record of Processing Activities under Article 30, but the two are connected. Article 30 records and data maps help identify where to search, while the DSAR log demonstrates how the request was handled.

How should organisations handle complex and contested DSARs?

Some DSARs are straightforward. Others are broad, emotional, strategic, or linked to disputes. These require careful handling.

Manifestly excessive and repetitive requests: the legal test and the available responses

A DSAR may be manifestly excessive if it is clearly or obviously unreasonable in all the circumstances. A request may also be manifestly unfounded if the individual has no genuine intention to exercise the right or is acting maliciously.

The threshold is high. Organisations need strong evidence. If a request is manifestly unfounded or excessive, the organisation may refuse to comply or charge a reasonable fee, but the decision must be explained and documented.

DSARs submitted during live employment disputes, disciplinary proceedings, or litigation

A DSAR from an employee to HR is common during grievances, disciplinary processes, redundancy, settlement discussions, or litigation. The motive behind the request does not automatically make it invalid.

Employers should still process the request properly. However, they should carefully review legal privilege, third-party data, management information, confidential references, and negotiation-related exemptions where relevant.

Mixed data: requests involving personal data about multiple individuals simultaneously

Mixed data is common in HR, complaints, safeguarding, education, healthcare, and customer service contexts. One person’s personal data may be inseparable from another’s.

The organisation should consider whether it is reasonable to disclose the information, whether consent is available, whether redaction is possible, and whether the requester’s right of access outweighs the third party’s privacy interests in the circumstances.

Authorised agent requests: verifying authority and determining scope

Where an agent submits a request, verify authority before disclosing information. This may involve a signed authority, proof of representation, or other appropriate evidence.

Also check the scope. A solicitor may ask for “all personal data”, but the authority may relate only to a specific dispute. If authority is unclear, ask for clarification before proceeding.

What happens if a DSAR response is late, incomplete, or formally challenged?

A badly handled DSAR can lead to complaints, enforcement attention, and reputational damage.

ICO enforcement for DSAR failures: what the regulator’s track record on Article 15 shows

The Information Commissioner’s Office, known as the ICO, expects organisations to handle SARs promptly, fairly, and transparently. Late responses, poor searches, excessive identity checks, unjustified refusal, or missing data can all create regulatory concern.

The ICO may ask the organisation to explain its process, provide evidence of searches, justify exemptions, and show how decisions were made.

The data subject’s right to complain and how the ICO complaint process operates

If the individual is unhappy, they can complain to the organisation and then to the ICO. They may say the response was late, incomplete, over-redacted, insecurely delivered, or wrongly refused.

A clear internal review route can sometimes resolve the complaint before it escalates. The organisation should explain decisions clearly and keep a professional tone, even where the request is contentious.

Preparing for an ICO investigation following a DSAR complaint

If the ICO contacts the organisation, the DSAR audit trail becomes essential. You should be able to show when the request was received, how it was verified, which systems were searched, who was consulted, what was redacted, which exemptions were applied, and when the response was sent.

Without evidence, it is difficult to defend the organisation’s handling.

Building a DSAR audit trail that demonstrates accountability and protects the organisation

A good audit trail includes the original request, identity checks, search instructions, system search results, correspondence, decision notes, redaction rationale, exemption analysis, approval records, final response, delivery confirmation, and complaint handling notes.

This is not bureaucracy for its own sake. It protects both the individual and the organisation.

FAQs

Can an organisation charge a fee for responding to a data subject access request?

In most circumstances, no. Organisations usually cannot charge a fee for responding to a DSAR. However, a reasonable fee may be allowed where a request is manifestly unfounded or excessive, or where the individual asks for further copies after the first response.

What is the difference between a DSAR and a Freedom of Information request?

A DSAR is a request by an individual for their own personal data under data protection law. A Freedom of Information request is usually a request for recorded information held by a public authority. The rights, deadlines, exemptions, and scope are different.

How should an organisation handle a DSAR with an impossibly broad scope — “send me everything you hold on me”?

Do not ignore it. First, assess whether you can respond based on your systems and data mapping. If the request is unclear or extremely broad, you may ask the individual to clarify what they are looking for. If the request is complex, an extension may be available. If it is clearly unreasonable in all the circumstances, consider whether the manifestly excessive test applies, but document the reasoning carefully.

Conclusion

A DSAR handled well is an opportunity to show that your organisation takes individual rights seriously. It demonstrates that your privacy programme is not just a policy, but an operational process that works under pressure.

A DSAR handled badly can lead to missed deadlines, insecure disclosures, ICO complaints, internal disputes, regulatory scrutiny, and reputational damage. The difference is process. Organisations need trained staff, clear intake routes, reliable identity checks, documented searches, careful redaction, exemption review, secure delivery, and a complete audit trail.

Stop managing DSARs reactively. Our Handling Data Subject Access Requests DSAR End To End course gives your team a repeatable, defensible process they can use from the first request.

For related learning, explore Data Mapping And Records Of Processing Activities ROPA, Data Retention And Deletion Schedules For Operations Teams, and Privacy Incident Response And Breach Notification Basics.
