A Data Subject Access Request (DSAR) allows individuals to ask an organisation for access to the personal data held about them. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, businesses must respond to these requests within strict timeframes and provide clear information about how personal data is processed.
The definition of “Personal Data” in UK GDPR is as follows:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Therefore, organisations must provide not only information that they hold that specifically references the individual, but also anything that identifies them. Largely, this is a straightforward exercise, but in certain circumstances, the decision may be less clear and careful consideration is required.
Time limits and legal obligations
There is a strict time limit for responding to a Data Subject Access Request. Generally, an organisation must respond without undue delay and at the latest within one calendar month of receiving the DSAR. In complex cases, or where the individual has made a number of requests, this deadline can be extended by up to a further two months, but the organisation must tell the individual about the extension, and the reasons for it, within one month of receiving the request.
The one-month period can be paused if the organisation reasonably needs to verify the identity of the person making the request, or needs clarification because the request is unclear or covers a very large amount of information. The period resumes once the identity evidence or the clarification has been provided. Identity checks should be proportionate: ask only for what is reasonably needed to confirm that the requester is who they claim to be, since disclosing personal data to an impostor would itself be a personal data breach.
Organisations cannot generally charge a fee for their administrative costs in responding to a Data Subject Access Request, unless the request is ‘manifestly unfounded or excessive’. Even then, strict justification is required in order to charge.
How to respond to a Data Subject Access Request
When responding to a DSAR, an organisation should provide copies of the information requested, as well as the following information:
- what they are using the information for, and the categories of personal data involved;
- who they are sharing the information with;
- how long they will store the information for and why;
- details on how the individual can ask whether the information is correct, ask to have it amended or deleted, or object to or restrict the organisation’s use of it;
- details on the right to complain to the ICO;
- details about where they got the information from;
- whether they use the information for profiling or automated decision-making and how they are doing this; and
- what safeguards they use if they have transferred, or will transfer, the information to a country outside the UK or to an international organisation.
Organisations can send partial or redacted documents when responding to a DSAR. The right of access is to the individual’s personal data, not to whole documents, so material that is not their personal data may be withheld. Where a document also contains personal data about other people, the organisation should generally redact it, unless the other person has consented to the disclosure or it is reasonable in the circumstances to disclose it without their consent.
In a Data Subject Access Request, the individual should state how they would like to receive the information e.g. electronically or in the post. The organisation should send it in that format where possible.
Refusing partially or fully to comply with a DSAR
There may be circumstances in which an organisation does not have to provide an individual with all or any of the information requested in a DSAR.
An organisation may refuse, partially or fully, to provide the personal information requested where a legal exemption applies. Examples of some common exemptions are as follows:
- ‘Manifestly unfounded’ requests, i.e. the organisation believes the individual is not making the DSAR because they genuinely want to exercise their right of access, but to harass the organisation or cause disruption
- ‘Excessive’ requests, i.e. the individual has repeatedly made the same or an overlapping request and not enough time has passed since the last one was dealt with
- Information about other people, i.e. where another person’s information is included in the requested documents, the organisation may redact it or withhold it altogether
- Legal professional privilege, i.e. the individual’s personal information is discussed or included in confidential communications between the organisation and its legal advisers.
To rely on any of the above exemptions, the organisation must consider each request on a case-by-case basis, keep a record of its decision, and explain its reasoning to the individual, including reminding them of their right to complain to the ICO.
Consequences of failing to comply with a Data Subject Access Request
Failure to comply, either at all or partially, with DSAR obligations can carry serious consequences.
Regulators such as the Information Commissioner’s Office (ICO) have the authority to investigate complaints and impose enforcement action. Organisations that fail to respond within the statutory one-month deadline, provide incomplete information, or mishandle personal data risk regulatory scrutiny, reputational damage, and potentially significant financial penalties. In addition, individuals may pursue legal claims if they believe their data protection rights have been breached.
Main challenges for businesses
DSARs are designed to promote transparency and accountability. However, for many businesses, DSARs can present a significant operational challenge. Although some larger organisations may have dedicated compliance teams, smaller businesses often have limited administrative and legal resources.
Responding properly to a DSAR requires identifying all relevant personal data across emails, internal systems, HR files, customer databases, and archived records. This process can be time-consuming and may involve reviewing large volumes of information to ensure that confidential or third-party data is not disclosed inappropriately. Even a single request can require substantial staff time and careful coordination.
When to seek legal advice
Due to the potential risks of getting it wrong, if an organisation has received a DSAR, seeking legal advice at the outset could be key. This is particularly important where:
- The DSAR involves large volumes of data
- The DSAR is complex or unclear
- There is uncertainty as to whether any of the exemptions apply
We can assist in determining the scope of the request, identifying lawful exemptions and ensuring third-party data is handled correctly. This support can help reduce the risk of regulatory action while ensuring the organisation meets its legal obligations.
This information is for guidance purposes only and does not constitute legal advice. We recommend you seek legal advice before acting on any information given.