In this blog, we explore data subject access requests (DSARs), highlighting both the challenges associated with managing them and how they can be leveraged as a valuable driver of improvements within your organisation. We explain the broader suite of data subject rights, such as the rights to erasure, rectification and restriction, outlining common challenges and misconceptions that can lead to unnecessary risk or inefficiency. We also outline practical steps for establishing consistent, effective rights request processes that can help your organisation respond promptly, reduce errors and build stronger trust with data subjects.
Data subject rights requests remain one of the most challenging aspects of ongoing data protection compliance for organisations. While DSARs made under the right of access tend to receive the most attention (and generally create the greatest operational strain), the broader suite of data subject rights is not always as well understood as it should be and can still present challenges.
Yet with the right approach, rights requests, particularly DSARs, can offer far more than a compliance burden, providing useful opportunities to strengthen data governance and transparency and to identify operational inefficiencies or communication gaps. With an improved understanding of the full spectrum of data subject rights and how they can be effectively managed, organisations can reduce data protection risk and streamline their approach to meeting data subject rights obligations.
DSARs – A Business Burden or a Data Protection Opportunity?
DSARs can place a substantial burden on organisations. Responding to a DSAR can consume significant resources, both in terms of time and financial costs. It is common for thousands of records to be in scope of a request, particularly when handling DSARs from current or former employees. While the GDPR does provide an exemption for ‘excessive’ requests, holding a large volume of data on an individual does not necessarily make a request excessive, and you may still need to comply. As such, many organisations are left having to sift through countless documents, identifying the personal data within those documents that the data subject is entitled to, and removing any data they are not allowed to receive - all within the statutory time limit.
However, when approached and handled correctly, DSARs can provide valuable opportunities for learning and improvements.
Why have you received this request?
Considering why requests have been made can reveal patterns and provide insight into customer experience, service issues, communication gaps, or reasons trust may have broken down. For example, if your organisation receives a sudden influx of DSARs in a short time window, it is worth examining what has recently occurred within the business to trigger this spike. Such analysis can help you pinpoint the underlying issue and take steps to address it. Not every DSAR will be preventable, but you may find that some requests could have been avoided had your organisation communicated more clearly or resolved an issue more promptly. These insights can be used to guide improvements and encourage positive change.
Data management improvement
DSAR learning can also be used to improve retention policies, data mapping, and ownership of processes. If gathering information for a DSAR reveals high volumes of data spread across multiple locations, with no clear mapping of what data exists, where it is, and who owns it, this indicates that comprehensive data-mapping work is required.
Likewise, if a request reveals you still hold personal data that was collected some time ago and is no longer required, there is likely a need to revisit and update your retention schedules to accurately reflect what data is genuinely necessary. The General Data Protection Regulation (GDPR) does not provide clear-cut definitions of how long personal data should be held for, but it should not be retained ‘just in case’ it’s needed at some point in the future. Instead, consider whether you have a truly legitimate business purpose for keeping that data.
Appropriate timescales will vary between organisations and, depending on your organisation’s context, there may be other pieces of legislation you need to comply with that dictate how long particular records need to be kept for. For example, organisations with employees who have worked with asbestos must retain relevant HR records for 40 years for insurance and health and safety purposes, far longer than a typical post-employment retention period of six years. However, while retention requirements differ between organisations, DSARs consistently highlight where data is being kept for longer than necessary.
Manifestly Unfounded Requests
The right of access is an important and fundamental right that underpins transparency and individual control over personal data. However, as highlighted earlier, it is also not uncommon for DSARs to be used by data subjects as a means of applying pressure on organisations with which they have a grievance. This can place organisations in a difficult position; for businesses of any size, a deliberate, coordinated attempt by one or more individuals to create strain through DSARs can prove devastating.
Under the UK GDPR, you are allowed to refuse to comply with what it terms a ‘manifestly unfounded’ request. According to the Information Commissioner’s Office’s (ICO’s) guidance, a request is manifestly unfounded if the individual clearly has no intention to exercise their right or has made the request with malicious intent, such as to harass an organisation and cause disruption.
In practice, though, it is incredibly challenging to prove that a DSAR is unfounded and rely on this exemption to refuse a request. The legislation intentionally includes the word ‘manifestly’ to stipulate that it must be obvious or clear that the request is unfounded. You need to provide evidence to demonstrate this; simply suspecting that a request has been made with malicious intent is not sufficient.
One example of sufficient evidence that a request is manifestly unfounded would be the data subject offering to withdraw the request if your organisation meets a particular, unrelated demand, such as making a payment. In this scenario, you would be fully justified in pushing back against the request. However, it is important to note that a history of submitting manifestly unfounded requests does not entitle you to assume that any future requests from that individual are also unfounded.
Managing Other Data Subject Rights
The right of access is generally the most widely discussed of the data subject rights, but requests made under the other rights can also create significant challenges for organisations if they are not well understood or effectively managed. In addition to access, data subjects have the right to request:
- Rectification of their personal data, i.e., the correction of inaccurate or incomplete information
- Erasure of their personal data
- Restriction of the processing of their personal data, limiting how their information can be used by an organisation
- Data portability, allowing individuals to obtain and reuse their personal data for different purposes across different services
- Not to be subject to automated decision-making producing legal or similarly significant effects.
As access is the only right granted unconditionally, requests made under the other rights can be refused if there is a valid business reason to do so, although you will need to be able to justify this decision. For example, if a former employee requests deletion of their HR records a year after leaving the organisation, but your retention schedule requires those records to be kept for six years, this would constitute a valid basis for refusing the request and retaining the information.
While DSARs must be responded to within one calendar month, requests made under the other data subject rights follow a slightly different rule. The UK GDPR requires all rights requests, including those for rectification, erasure, restriction, portability and objection, to be handled within one month, but for requests other than DSARs the emphasis is on responding without undue delay. This means that even though controllers have up to one month to provide a response, they are expected to act as quickly as is reasonably possible in the circumstances. Straightforward matters, such as rectifying a data subject’s name, should be completed well before the one-month deadline and can typically be resolved within a few days. As such, it’s important to maintain rigour in your processes for responding to all types of rights requests to avoid preventable complaints or regulatory scrutiny.
Establishing effective rights requests processes
One way of maintaining this rigour is to use one unified workflow for all rights requests. Following the same process for requests made under all data subject rights increases consistency in your handling of responses while reducing the training burden on staff, thus minimising the risk of errors, streamlining operations, and supporting timely, accurate fulfilment of all requests.
The first step in establishing an effective rights request process is ensuring that such requests are consistently recognised when they arise. Rights requests can be submitted through any channel, whether by email, social media, a phone call to customer support, or even in person at reception. They also do not need to include specific terminology or reference to any legislation. As such, all frontline teams must be equipped to recognise rights requests so that none are overlooked. A practical way to support this is to provide teams with simple, accessible definitions of each right, enabling them to recognise requests even when they are made informally or in plain language.
Customer-facing teams should then forward these requests to the appropriate individuals within your organisation who are responsible for managing them through to completion. Using a single intake route (e.g., a dedicated email inbox) to which staff can forward all requests will help avoid any being missed or delayed. Your data lead can then complete the rest of the process – logging the request, verifying the data subject’s identity if necessary, gathering the relevant data, managing time frames, etc.
Closing Thoughts
Ultimately, the way organisations approach data subject rights will determine whether these obligations remain a recurring source of pressure or evolve into a catalyst for maturity and positive change. By treating each request as a potential opportunity to refine internal processes and strengthen governance, organisations can shift from a reactive compliance mindset to a more confident, proactive stance. The organisations that thrive under the GDPR are those that treat data subject rights not purely as a burden to be overcome, but as an opportunity to improve processes, strengthen communication, enhance data stewardship, and build healthier relationships with the people whose data they hold.
How URM Can Help
Consultancy
If your organisation requires help with its fulfilment of DSARs, or with any other aspect of GDPR compliance, URM is the ideal partner to provide this assistance. For DSAR support, our highly qualified and experienced data protection team can offer a DSAR management service where we can handle the entire process of responding to the request. Once the raw data has been gathered, our GDPR consultants can sift through it, remove duplicates, apply the necessary exemptions and redactions, and package the DSAR for disclosure, all within the required timeframe.
In addition to our DSAR management and redaction services, URM can support any other aspect of compliance with the GDPR that you are struggling with. For example, we can conduct a GDPR gap analysis of your current processing practices against the requirements of the Regulation, the output of which is a detailed report and prioritised plan for remediating any issues we identify. In addition, we can offer more specific data protection services, such as help conducting data privacy impact assessments (DPIAs) or producing a record of processing activities (ROPA). For ongoing support, we can provide a virtual data protection officer (DPO) service, which enables you to access an entire team of data protection experts, each with their own specialised area of GDPR consultancy.
Training
URM regularly delivers a range of data protection-related training courses, each led by an experienced data protection practitioner. If you would like to develop your team’s confidence and ability in their management of DSARs, URM delivers a 1-day ‘How to Manage DSARs’ training course where our expert provides clear and practical instruction on dealing with all aspects of a DSAR. To learn how to conduct other key compliance activities, you can attend our half-day training courses on conducting data transfer impact assessments (DTIAs) and conducting DPIAs. Meanwhile, if you would like to learn about the UK data protection landscape more broadly, attend URM’s BCS Certificate in Data Protection (CDP) course, which will fully prepare you to pass the BCS-invigilated examination and gain an industry-recognised data protection qualification.