Data Subject Access Requests (DSARs) are a fundamental right under data protection law, allowing individuals to access the personal data organisations hold about them. Handling DSARs efficiently and lawfully is essential to maintain compliance and build trust with clients and employees.

What is a Data Subject Access Request?

A Data Subject Access Request (DSAR) is a request made by an individual (the data subject) to an organisation, asking for access to the personal data that the organisation holds about them. Under the UK General Data Protection Regulation (UK GDPR), every individual has the right to know what information is being collected, why it’s being processed, and who it’s being shared with.

  • Any individual can make a DSAR, including employees, customers, clients and job applicants.
  • Requests can be made in any form, including by email, by letter, or verbally.
  • There is no requirement for the request to mention “DSAR” or reference data protection law.

Why are DSARs important?

DSARs are a cornerstone of data privacy. They give people the power to check what data is held about them, ensure it’s accurate, and challenge any misuse. For organisations, handling DSARs properly is not just a legal obligation; it’s a sign of respect for privacy and a way to build trust.

DSARs empower individuals to:

  • understand what data is held about them;
  • verify the lawfulness of data processing;
  • request corrections or deletions if data is inaccurate or unlawfully processed.

Common challenges in handling Data Subject Access Requests

  • Large volumes of data, which may be across multiple systems.
  • Unstructured data (e.g. emails, chat logs).
  • Repetitive or excessive requests.
  • Balancing the requester’s rights with the privacy of other individuals the data may reference.
  • Some documents may be protected by legal privilege and may be exempt from disclosure.

The risks of ignoring or mishandling a DSAR

Responding to DSARs isn’t just a box-ticking exercise. Ignoring or mishandling a Data Subject Access Request can have serious consequences. The Information Commissioner’s Office (ICO) can investigate complaints and issue fines. Even beyond regulatory action, failing to respect DSARs can damage your reputation and erode trust with clients and employees.

Preparing for the future of Data Subject Access Requests

As data protection laws evolve and individuals become more aware of their rights, DSARs are only going to become more common. Organisations that invest in robust data management and have clear processes in place for managing DSARs will be better positioned to handle requests efficiently and stay compliant.

Contact an expert

To discuss the issues raised in this article, please contact a member of our expert team.


Understanding DSARs podcast

Listen to our podcast, where experts from our employment and data protection teams discuss data subject access requests.
