Receiving a Data Subject Access Request (DSAR) often raises immediate questions: Do we have to respond? How much information is required, and by when? Understanding the basics of DSAR obligations helps organisations respond appropriately without over-sharing or missing statutory requirements.
This overview explains when a response is required and how to evaluate requests in practice.
A data subject access request (DSAR) is a formal mechanism through which individuals exercise their right to access the personal data an organisation holds about them. This right exists under the UK GDPR, EU GDPR, and the Data Protection Act 2018.
DSARs matter because they give people control over their personal information. When someone requests access to their data, they’re verifying that your data processing activities are lawful and transparent.
Key points about DSARs:
• They allow any data subject to obtain a copy of their personal data
• They confirm whether an organisation is processing their information
• They provide transparency about how and why data is used
• They form one of the fundamental data subject rights under privacy legislation
The right to submit such requests exists across multiple privacy frameworks, including the California Consumer Privacy Act in the United States.
Any person whose personal data you process can submit a data subject access request. This includes:
• Employees (current and former) requesting HR records
• Customers wanting records of their transactions and communications
• Suppliers and contractors whose contact details you hold
• Website visitors whose data you collect through cookies or forms
• Job applicants whose CVs and interview notes you retain
Third parties may also submit requests on behalf of a data subject. A parent might request their child’s data, or a solicitor might act for a client. In these cases, you need proper authorisation and supporting evidence that the third party has the authority to act.
Verification requirements apply here: you must confirm the subject’s identity and the representative’s authority before disclosing information.
DSARs can arrive through any communication channel. There’s no required form or format.
Valid submission methods include:
• Email to any company address
• Phone calls to customer service
• Posted letter
• Online contact forms
• Social media messages
• In-person verbal requests
A request doesn’t need to mention “GDPR,” “DSAR,” or “data protection” specifically. Someone asking, “Can you tell me what information you have about me?” is making a valid request.
Real examples of how DSARs might be phrased:
• “I’d like a copy of all my data, please”
• “What personal information do you hold on me?”
• “Can you send me my customer file?”
• “I want to see what you’ve recorded about me”
Staff training becomes important here. Any employee who receives such requests, whether in customer service, HR, or reception, must identify them and route them to your data protection officer or compliance team.
Your DSAR response must include:
• Confirmation that you process the person’s personal data
• A copy of the personal data in an accessible format
• The purposes of your data processing
• Categories of personal data concerned
• Recipients or categories of recipients you’ve shared data with
• Retention periods or criteria used to determine them
• Information about data subject rights (rectification, erasure, restriction, objection)
• The right to lodge complaints with the Information Commissioner’s Office
• Source of the data, if not collected directly from the individual
• Details of any automated decision-making, including profiling
Article 15 of the UK GDPR sets out specific requirements for DSAR responses:
You must explain the existence of automated decision-making, including profiling, and provide meaningful information about the logic involved. If decisions significantly affect the individual, this becomes particularly important.
When personal data wasn’t collected directly from the data subject, you must state the source from which the data was obtained.
The requested information should be provided in a commonly used electronic format if the request was made electronically.
The standard deadline under the UK GDPR is one month from receipt of the request.
• UK GDPR/EU GDPR: One calendar month
• California Consumer Privacy Act: 45 days
The month starts from the day after you receive the request, regardless of when you begin processing it.
Extensions are possible for complex or numerous requests. You may extend by two additional months. If extending, you must:
• Notify the data subject within the original one-month period
• Explain why the extension is necessary
Missing deadlines creates compliance risks. The Information Commissioner’s Office can investigate complaints and issue enforcement notices or fines for systematic failures in handling DSARs.

Before sharing personal data, you must verify the subject’s identity using reasonable measures.
Appropriate verification methods include:
• Requesting a response from the email address on file
• Asking security questions based on account information
• Requesting a copy of photo ID (passport, driving licence)
• Requesting proof of address (utility bill, bank statement)
• Cross-referencing a birth certificate or other identity documents
Your verification should match the sensitivity of the data. Routine customer data might require only email confirmation. HR records containing sensitive personal data may require photo ID verification.
Avoid excessive verification that creates barriers. ICO guidance is clear: don’t use identity checks to delay or discourage legitimate requests. For third-party submissions, verify both the data subject’s identity and the representative’s authority to act. A signed authorisation letter typically suffices.
You may refuse a request that is manifestly unfounded or manifestly excessive.
Manifestly unfounded applies when:
• The person making the request has no real intention of accessing their data
• The request is made with malicious intent (to disrupt operations)
• The person has explicitly stated they want to cause problems
• There is clear evidence that the request is made in bad faith
Manifestly excessive applies when:
• Requests repeat at unreasonable intervals
• The volume of data requested is disproportionate
• Multiple requests overlap substantially in scope
The burden of proof sits with you. Document your reasoning thoroughly. You cannot refuse a request simply because it is inconvenient or resource-intensive.
When refusing, you must:
• Inform the data subject of your decision and reasons
• Explain their right to complain to the Information Commissioner’s Office
• Explain their right to seek a judicial remedy
DSARs must be free of charge as a general rule.
You may charge a reasonable fee in limited circumstances:
• When requests are manifestly excessive (particularly repetitive)
• For additional copies beyond the first response
• When providing data in a specific format that incurs administrative costs
Any fee must reflect actual administrative costs, not act as a deterrent. You must be transparent about charges and justify them if challenged.
Best practice: treat the first request as free and charge only for genuinely repetitive or excessive subsequent requests.
Follow this DSAR response process to stay compliant:
• Acknowledge receipt: Confirm you’ve received the request within a few days
• Log the request: Document the date received, requester’s details, and scope
• Verify identity: Confirm the subject’s identity using proportionate methods
• Clarify scope if needed: Ask for specific dates or information categories if the request is broad
• Collect data: Search all systems where personal data may exist
• Review and redact: Remove third-party information and check exemptions
• Prepare response: Compile the requested information with supplementary information about processing
• Deliver securely: Send via encrypted email, secure portal, or recorded post
Maintain documentation throughout the entire process: record decisions, timelines, and communications in case of future complaints.
Finding all the information requires systematic searching across:
• Customer databases and CRM systems
• Email archives and correspondence
• HR records and personnel files
• CCTV footage and security logs
• Backup systems and archived data
• Third-party processors and cloud services
Redaction is required when disclosure would reveal personal data about other individuals. You cannot share information that would identify third parties without their consent, unless it’s reasonable to disclose without consent.
Verify data accuracy before responding. Correct any errors you identify during the search process.
Most organisations face several pressing issues when fulfilling DSARs:
Personal data exists in emails, databases, spreadsheets, cloud services, and paper files. Locating all the information takes significant effort without proper data mapping.
Without knowing what data you hold and where, responding accurately becomes guesswork. Many DSARs fail because organisations can’t locate all relevant personal information.
Handling many DSARs simultaneously strains resources. Each request requires individual attention, verification, and review.
When third-party processors hold data on your behalf, you must coordinate responses across multiple parties. Contractual arrangements should address DSAR support requirements.
Determining when an exemption applies (confidential references, legal privilege, third-party data) requires careful analysis. Getting it wrong risks non-compliance or inappropriate disclosure.
Technology can streamline the entire process:
• Automated workflow systems route requests to appropriate handlers, track deadlines, and send reminders. They reduce the risk of missed responses and maintain audit trails.
• Data discovery tools scan systems to identify where personal data resides. They accelerate the search phase and improve the completeness of responses.
• Integration capabilities connect DSAR management with existing business systems, CRM, HR, and email archives, enabling faster data collection.
• Documentation features automatically log actions, decisions, and communications. This provides the supporting evidence needed if the Information Commissioner’s Office investigates.
Automation doesn’t replace human judgment. Complex requests, exemption decisions, and redaction still require qualified review.
Handling DSARs becomes far easier when organisations understand their obligations and follow a consistent process. Clear verification steps, structured searches, careful redaction, and documented decisions help ensure responses are accurate and compliant.
With the right preparation and internal awareness, DSARs can be managed efficiently and with confidence, rather than becoming a source of operational pressure.
Yes. A request does not need to mention “DSAR,” “GDPR,” or use any formal wording. Any request asking what personal data you hold about them, whether by email, phone, social media, or verbally, can qualify as a valid DSAR and must be assessed accordingly.
You can ask for clarification if a request is very broad, but you cannot require the individual to narrow it as a condition of responding. The one-month deadline still applies, even while you’re seeking clarification, unless the request genuinely cannot be processed without further detail.
Missing the statutory deadline exposes your organisation to regulatory complaints and enforcement action. Individuals can escalate concerns to the Information Commissioner’s Office, which may investigate, issue corrective orders, or impose fines for repeated or systemic failures.
Note: This content was created with AI assistance.