Data Subject Access Requests (DSARs) Services

25 Jul

Table of Contents

One of the fundamental rights of an individual (data subject), under the UK GDPR is to be able to access and receive a copy of their personal information being held by an organisation (data controller).

As such, a data subject access request (DSAR) can be made by a wide range of individuals such as customers, employees (past and present), tenants and even people visiting a website.

DSARs can be made in writing, verbally and by social media.  It is also possible for a third party to request a DSAR on behalf of someone else.

If an electronic request is made, the data controller should provide the information through a commonly used electronic format, unless the data subject requests the information through another medium.

Data controllers also need to be aware that an access request can be made without formally being titled a ‘subject access request’ or similar.

Which Organisations/Data Controllers Need to Comply with DSARs

The simple answer is any organisation which processes personal data (difficult to think of many that don’t) will potentially need to comply with this requirement of the UK GDPR.

Thus, if your organisation has never received a DSAR, don’t get complacent, you may do in the future and you need a process and skilled resources to deal with it.

What are Some of the Challenges of Responding to a DSAR?

1. Timescale

Whilst there is nothing new about DSARs (they were first introduced by the DPA 1998), the UK GDPR included some additional requirements which introduced some challenges for data controllers responding to a DSAR.

One of the more obvious ones is the 1-month timescale in which data controllers must respond to an access request.

An organisation can only request additional time (up to a further 2 months) if procedures are considered to be too complex to meet the 1-month deadline, or if the same data subject has made numerous requests.

Data controllers, however, cannot obtain extensions on the grounds they are relying on data processors to provide the necessary information.

Timescale aside, there are numerous other challenges that data controllers must overcome in responding to a DSAR.

2. Validation

The legislation says that data controllers need to satisfy themselves that a DSAR is valid, and that the requester is in fact the data subject or someone acting on their behalf, like a solicitor or Citizens Advice.


  • So how do you satisfy yourselves?
  • What documentation do you request to confirm their identity?
  • How do you process and store this ID?
  • How long can you keep it for?

3. Vexatious Requests

How do you separate the genuine requests from the vexatious or malicious requests sent to potentially drain your resources?  How can you evidence that a request is malicious?

4. Resources

Do you have enough people to pull together everything you need to facilitate a request?  Do you have access to the systems?  Is your records management in place so you know how to locate documents that need to be disclosed?  Do you have the appropriate software to do professional redaction or are you still using a black felt tip and a photocopier?

5. Knowledge

URM has found this to be the biggest issues faced by organisations.

Do your people have the knowledge and skills to be able to facilitate requests?  Do they really know what personal identifiable data actually is?  A name alone within a document is not necessarily personal data that has to be disclosed in response to a DSAR.  Do you have the software and skills to pull together all the emails that mention a particular person or a particular complaint?

DSAR Redaction Service

It is important that DSARS are handled fairly and independently, especially where the request is internal and may involve HR records.

One of the areas which organisations often struggle with when dealing with a DSAR redaction is understanding what legal exemptions are available and more importantly can be applied.

This, naturally, will dictate when data can or cannot be released, e.g., where legal privilege applies to communications between an organisation and its solicitor.

Questions that organisations find challenging when redacting documents as part of a DSAR include:

  • What if personal data was provided in confidence, such as from a confidential informant, e.g., as part of a grievance and formal complaints process?
  • What if an access request is going to be unduly time consuming or particularly voluminous?
  • How do you determine if a DSAR is vexatious?  What evidence do you need to provide?  Do you actually need to respond to it?
  • What if someone else is requesting information on the data subject’s behalf?  How do you manage third-party requests and manage consent?
  • What if a DSAR concerns a child?
  • What if documents involved in the DSAR contain the names, or other personal information, of other staff or staff from other stakeholders?

Deciding on what elements of a document need to be redacted and where exemptions can be applied is a time-sensitive process and one which requires a skilled interpretation of the UK GDPR.

This is where utilising a third party provider, such as URM, can be useful.

Do you need assistance managing your DSARs?

URM can offer a host of consultancy services to help you managing DSARs, DPIAs ROPAs, privacy notices, data retention schedules and training programmes.
Thumbnail of the Blog Illustration
Data Protection
Published on
Data Subject Access Requests (DSARs) Services

One of the fundamental rights of an individual (data subject), under the UK GDPR is to be able to access and receive a copy of their personal information.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
How to Respond to a Data Subject Access Request (DSAR)

Let’s face it, there is nothing straightforward or simple about responding to a data subject access request (DSAR).

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
Data Subject Access Requests (DSARs) – The Need for Education and Centralised Processes

We discuss the importance of ensuring that your whole organisation can identify a DSAR and the benefits of controlling the entry points of DSARs.

Read more
We used URM as we had a large amount of information to redact for a Court of Protection case and neither had the time nor the knowledge to be able to complete this appropriately. URM were suggested to us and we made contact. They responded very quickly and were able to explain their role, estimated timescales & costings. During the initial consultation, they were very professional and approachable, and certainly had the skills we required. URM’s consultant provided us with details of the work they had completed before & we felt confident to pursue the work with them. We were on a tight deadline for court and URM were confident that they could provide the services we required in a timely manner. The logistics of sending a large amount of confidential documents were easy to navigate and straightforward. We were unable to very accurately gauge how much work was required, however URM’s Team supported us with this and maintained regular contact regarding their progress and addressed any concerns they had. When we needed to contact them, they were prompt with their responses. The work did take longer that envisaged, however that was due to the amount of work that we, as clients, were unable to accurately identify would be required. We did, however, meet the deadline for court. I would certainly use the services of URM again & if possible would work with same team. The services are not cheap, however redacting sensitive information is a skilled task and, therefore, having a professional complete this work is priceless.
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.