DSAR Services: How to Handle Data Subject Access Requests Efficiently
What is a Data Subject Access Request (DSAR)?

A Data Subject Access Request, or DSAR, is a formal request from an individual asking to see the personal data an organisation holds about them. Under UK GDPR, individuals have the right to access their data, understand how it’s being used, and receive a copy – usually free of charge.
DSARs can come from customers, employees, suppliers, or anyone whose data you process. They might arrive by email, letter, or even verbally. Regardless of how they’re submitted, you have a legal obligation to respond within one month (extendable to three months in complex cases, with justification).
For many UK businesses, DSARs are rare. But when one lands in your inbox, it can feel like a legal grenade. You need to act fast, gather the right data, redact sensitive information, and respond in a way that’s both compliant and professional. Get it wrong, and you risk ICO fines, legal action, or reputational damage.
Why DSARs Matter for UK Businesses
DSARs are one of the most common ways individuals exercise their data protection rights. The ICO takes them seriously, and so should you. A poorly handled DSAR can trigger a complaint to the regulator, especially if you miss the deadline, refuse without valid grounds, or provide incomplete information.
But DSARs aren’t just a compliance risk – they’re also an opportunity. Handling them well demonstrates transparency, builds trust, and shows you take privacy seriously. On the flip side, ignoring or mishandling a DSAR can escalate into a full ICO investigation, especially if the requester is persistent or legally represented.
Common DSAR scenarios include:
Former employees requesting copies of emails, performance reviews, or HR records
Customers asking what data you hold after a data breach or privacy concern
Individuals involved in disputes or legal proceedings seeking evidence
Competitors or journalists using DSARs to gather intelligence (yes, this happens)
The DSAR Process: Step-by-Step
Handling a DSAR efficiently requires a clear process. Here’s how to do it right:
Step 1: Verify the Identity of the Requester
Before handing over any data, you need to confirm the requester’s identity. This protects both you and the individual. Ask for proof of identity – a passport, driving licence, or utility bill usually suffices. If the request is submitted by a third party (such as a solicitor), ask for written authorisation from the individual.
Step 2: Clarify the Scope of the Request
Some DSARs are vague: “Send me everything you have on me.” Others are laser-focused: “I want copies of all emails between me and John Smith from January to March 2025.” If the request is unclear, contact the requester and ask them to narrow it down. This saves you time and ensures you provide what they actually want.
Step 3: Search for the Data
This is where it gets messy. You need to search all systems where the individual’s data might be stored: emails, CRM platforms, HR systems, cloud storage, paper files, and even backup servers. Don’t forget less obvious places like Slack messages, WhatsApp groups, or handwritten notes.
For complex requests, consider using e-discovery tools or working with an IT specialist to ensure you don’t miss anything.
Step 4: Redact Third-Party Data
You can only disclose the requester’s personal data, not someone else’s. If an email thread includes other people’s names, opinions, or personal details, you’ll need to redact them. This is time-consuming but essential. The ICO provides guidance on redaction and exemptions to help you get it right.
Step 5: Respond Within the Deadline
You have one month from receipt of the request to respond. If you need more time (up to three months), you must tell the requester within the first month and explain why. Missing the deadline without good reason is a red flag for the ICO.
Your response should include:
A copy of the personal data you hold
Information about how you use it and who you share it with
Details of how long you keep it
Information about the individual’s other rights (e.g. to rectify or erase data)
Common DSAR Challenges and How to Overcome Them
Challenge 1: Excessive or Vexatious Requests
Sometimes, individuals submit repeated or clearly unreasonable DSARs. UK GDPR allows you to refuse these, but you need to document your reasons carefully. If in doubt, seek legal or DPO advice before refusing.
Challenge 2: Data Spread Across Multiple Systems
If your data is scattered across different platforms, gathering it all can be a nightmare. This is why having a clear data inventory (or Record of Processing Activities) is so important. It tells you where to look.
Challenge 3: Balancing Transparency with Confidentiality
You might hold data that reveals confidential business information, trade secrets, or legal advice. In some cases, you can withhold this under exemptions, but you must justify your decision and inform the requester.
How Athlex DSAR Services Can Help
Handling DSARs in-house can be stressful, especially if you’re dealing with your first one or a particularly complex request. At Athlex, we provide expert DSAR support to help you respond quickly, compliantly, and confidently.
Our DSAR services include:
Advice on verifying identity and scoping the request
Guidance on searching for and gathering data
Support with redaction and exemptions
Review of your draft response before you send it
Ongoing support if the requester challenges your response
We also offer DSAR support as part of our Outsourced DPO packages, so you have expert help on hand whenever you need it.
Whether you’re facing your first DSAR or dealing with a tricky repeat requester, we’ll help you handle it efficiently and avoid costly mistakes.
Conclusion
Data Subject Access Requests are a fact of life under UK GDPR. They can be time-consuming and stressful, but with the right process and expert support, you can handle them smoothly and stay compliant.
If you’ve received a DSAR and need help, or if you want to put a robust process in place before the next one arrives, get in touch with Athlex today. We’ll guide you through every step, so you can respond with confidence.