What is a Data Subject Access Request and are you ready to respond to one?

Seventeen years ago, Clive Humby coined the phrase ‘data is the new oil’, and we all contribute to that data pool. From shopping habits to health records, we leave digital footprints wherever we go. But did you know that your clients, customers and your own staff have the right to access the personal data that your organisation holds about them? This right is exercised through a Data Subject Access Request, or DSAR for short. If you've ever wondered what information companies have collected about you, how they use it, and why, then a DSAR is your gateway, and your customer’s, to finding out.

What Exactly is a Data Subject Access Request?

A Data Subject Access Request (DSAR) allows individuals to ask an organisation for a copy of the personal data it holds about them. This right, enshrined in the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (and in other privacy regulations worldwide), gives people the power to take control of their personal information.

When someone submits a DSAR, the organisation must provide details about: 

  • What personal data they hold about the individual 

  • How and why they are processing it, including the lawful basis for doing so

  • Who has access to or has shared this data 

  • How long they intend to store/keep it 

In essence, the DSAR is a window into what’s happening behind the scenes with someone’s personal data. 

The Scope of a DSAR

The scope of a DSAR is quite broad. It can encompass any personal information that an organisation is holding, whether it’s stored electronically or in physical files. This could include emails, recordings, notes, customer service logs, billing details, and even surveillance footage or WhatsApp chats. Essentially, if it can be linked to someone personally, it may fall within the remit of a DSAR. 

However, organisations are not required to include data that doesn’t directly identify a person (e.g., anonymised or aggregated data) or personal data relating to others (without their explicit consent). 

Timelines: How Long Have You Got to Respond to a DSAR?

Once a DSAR has been submitted, the organisation has a set period in which to respond, typically one month under GDPR. This is generally enough time to gather the information, analyse it, and ensure everything is in line with the requirements for a lawful disclosure. In more complex cases, organisations may extend this timeframe by up to two additional months, but they must inform the person of the delay and the reasons behind it. So no extending it just because your data protection lead is on holiday.

It’s worth noting that the timeline starts the moment the organisation receives a request, unless it is genuinely unclear what is being asked for, in which case the clock pauses whilst the scope is clarified.

Exclusions: Protecting Other People's Data

Whilst a DSAR entitles someone to access their own personal information, it doesn’t grant them the right to other people’s data. For example, in email threads where personal information about other individuals is present, the organisation may redact or withhold certain portions to protect third-party privacy. Safeguarding other people's rights is crucial in maintaining a balance between transparency and privacy. 

Are There Any Exemptions?

Certain types of data may be exempt from a DSAR. These exemptions commonly include: 

  • Legal Privilege: Data related to ongoing legal proceedings or advice may be withheld. 

  • Confidential References: Personal data contained in confidential references for employment or education might be exempt. 

  • Management Forecasts: Internal company management forecasts or planning data can be excluded if disclosure could harm business operations.

  • Criminal Investigations: If disclosing data could affect the outcome of a criminal investigation, it may be exempt. 

Understanding these exemptions can help manage expectations about what data can be disclosed. 

Can you charge for a DSAR?

In the main, no. Charging is rare, limited to certain administrative activities, and aligned to the levels charged for Freedom of Information requests; in short, any fee is capped and low.

What If Someone Is Not Satisfied with the Response?

If someone is unhappy with your response to their DSAR, or feels that the organisation has mishandled their request, they can raise a complaint, either with your business or with the regulator, the Information Commissioner's Office (ICO).

The ICO has the power to investigate, demand action, and even impose fines if it finds that the organisation has failed to comply with data protection law, but it would much rather work with businesses to improve their handling of DSARs, unless it believes an organisation is being deliberately obstructive.

The Power of DSARs

A DSAR is more than just a tool for curiosity: it is a powerful instrument that enables individuals to take control of their personal data. Whether people are concerned about data misuse, curious about what information is held about them, or simply want transparency, the DSAR process gives them that opportunity. And in a world increasingly driven by data, knowing how to exercise these rights can help protect privacy and hold organisations accountable.

How ready is your business to receive that first DSAR?

Are you ready to respond? Or do you need a service that can do this for you? Talk to The Data Protection Lady, who can help prepare you for the day someone says ‘Give me everything you hold about me’, or register for our free webinar on Sept 26th to find out more.