Handling Data Subject Access Requests (DSARs): A Comprehensive Guide for SMEs


Managing personal data responsibly is a legal requirement. Under the UK GDPR, anyone can request a copy of the personal data you hold about them and details of how you use it. This is called a data subject access request (DSAR). For SMEs, responding within the one-month deadline may feel challenging, but it is achievable. This guide explains your DSAR obligations, how to verify identity and gather data, and why prompt, compliant responses build trust.

What Is a DSAR?

A DSAR is a request made by a person to obtain a copy of their personal data held by an organisation. It may also ask for details on how the data is processed, who it is shared with, the source of the data and how long it will be retained. Under the UK GDPR, organisations typically have one month to respond. In certain situations, you can extend this by two months, but you must inform the requester within the initial month and explain why. Failing to meet the deadline can lead to complaints and potential regulatory action, so timely responses are essential.

Who Can Make a DSAR?

Anyone can make a DSAR – customers, employees, suppliers or any individual whose data you process. The request doesn’t need to mention “DSAR” or cite the GDPR; it can be informal, verbal or written. Even a message on social media can count. Your responsibility is to recognise the request and handle it appropriately. Businesses should train staff to identify DSARs and direct them to the right person or team.

How to Respond to a DSAR

1. Verify Identity

Before disclosing personal data, verify the requester’s identity to prevent data breaches. If you’re not sure the person is who they say they are, ask for additional information such as a copy of an ID or details only the individual would know. Make sure your verification process is reasonable and proportionate; you shouldn’t request excessive or irrelevant documents.

2. Acknowledge Receipt

Send a prompt acknowledgement confirming you’ve received the request. Outline what you will do next, mention the one-month deadline and ask any clarifying questions if the request is vague. This sets expectations and demonstrates professionalism.

3. Gather Information

Identify all systems, databases and physical files where the requester’s personal data may be stored. This includes emails, customer relationship management (CRM) systems, cloud storage, paper records and any third-party processors you use. You must inform processors of the DSAR and ensure they supply relevant data.

4. Filter Data

Review the collected data and remove any information that is not personal data about the requester or that falls under exemptions. For example, data that identifies another individual may need to be redacted, or you may withhold information that’s legally privileged. Consult the UK GDPR and relevant guidance to determine what can be excluded.

5. Compile a Response

Prepare the data in an accessible format. Explain why you hold the data, the lawful basis for processing, how long you will retain it and who else it has been shared with. If the requester asked specific questions, address them. Provide the data securely – use encrypted email or secure download links – and clearly state how they can contact you for follow-up questions.

6. Keep Records

Document each DSAR you receive, including the date, actions taken, communications and final response. Good record-keeping helps demonstrate compliance if the Information Commissioner’s Office (ICO) investigates.

Why Efficient DSAR Handling Matters

Properly managing DSARs is not just about legal compliance; it’s a chance to build trust. Responding promptly and clearly shows that you respect individual rights. It also helps you maintain accurate records, which can improve overall data governance. Moreover, DSARs can highlight gaps in your data protection processes, prompting improvements. Finally, efficient DSAR handling minimises the risk of fines and reputational damage from mishandled requests.

Tips for Streamlining DSAR Processes

  • Train Staff: Make sure employees understand what a DSAR is and whom to contact if they receive one.
  • Develop a Standard Procedure: Create a step-by-step guide for handling requests, including templates for acknowledgements and responses.
  • Use Data Mapping: Maintain an up-to-date record of where personal data is stored to save time when collecting information.
  • Automate Where Possible: Consider using data discovery tools or DSAR management software to help identify and compile data.
  • Plan for Complex Requests: Some requests may be broad or require input from multiple departments. Having a plan in place reduces delays.

Common Mistakes to Avoid

  • Missing the Deadline: Start the process as soon as you receive a request. Even if you don’t have all the data yet, communicate progress and explain any delays.
  • Overlooking Data Held by Third Parties: Remember that data processors are part of your supply chain. You remain responsible for data held on your behalf.
  • Sharing More Data Than Necessary: Only provide data relating to the individual. Avoid disclosing information about other people or proprietary business information.
  • Charging a Fee: DSARs are usually free. You can only charge a reasonable fee in certain circumstances, such as repeated requests or excessive volumes of data.
  • Ignoring Informal Requests: A DSAR doesn’t have to mention the GDPR. Recognise any request for personal data as potentially valid and treat it accordingly.

How Athlex Can Help

Handling DSARs can be time-consuming and complex, especially for SMEs with limited resources. Athlex provides tailored support to ensure your DSAR responses are compliant and efficient. Our consultants can help you set up a procedure, train staff, and even manage requests on your behalf. From verifying identity to drafting clear responses, we offer the peace of mind that comes with expert guidance. Working with our outsourced Data Protection Officers (DPOs) means you can focus on your core business, knowing that data subject rights are respected.

Conclusion

A well-handled DSAR is a sign of a mature data protection practice. By following a clear process – verifying identity, gathering and filtering data, and responding within the legal timeframe – you can comply with your obligations and build trust with your customers and employees. Investing in good DSAR management now will pay dividends in the long run, reducing risk and strengthening your organisation’s data governance.

Read our blog http://athlex.co.uk/when-enforcement-isnt-enough-what-bristols-transparency-failures-teach-us-about-foi-dsars-and-accountability/ to find out what might happen if you get DSARs wrong.
