DSARs (Data Subject Access Requests)
By Amicus People
Apr 30, updated May 4
A DSAR is a Data Subject Access Request, a legal right under the UK GDPR and Data Protection Act 2018 that allows an individual to ask an organisation for details of the personal data it holds about them. When an employee submits a DSAR, the employer’s obligations are immediate, strict, and time‑bound, and getting the process wrong carries significant legal and financial risk.
What a DSAR is
A DSAR can be one of the single biggest drains on your organisation's time and resources. DSARs are usually submitted by an employee, ex‑employee, or job applicant requesting information that can include, but is not limited to, emails, messages, notes, HR files, performance records, CCTV, system logs, and any other information that identifies them personally.
Regrettably, DSARs are more often than not submitted by employees following notification that they are subject to a performance improvement plan, investigation/disciplinary process, redundancy process or dismissal, and are intended to cause maximum disruption to your business. Of course this isn't always the case, but you need to ensure that you manage the request in line with current legislation and within the defined timeframes, irrespective of the reason for the DSAR.
It is important to note that a request does not need to use the term ‘DSAR’ to be considered valid: any request for personal data triggers the legal duty to respond.
Legal responsibilities once a DSAR is received:
Employers must:
• Acknowledge and validate the request and, if needed, confirm the identity of the requester before supplying any personal data, so as not to breach data protection rights.
• Locate, review, and extract all personal data relating to the individual across all systems, platforms, and devices.
• Redact third‑party information where appropriate to protect others’ privacy or commercially sensitive information.
• Assess exemptions (e.g., legally privileged documents, management forecasting, or data that would prejudice negotiations).
• Provide the information in a clear, accessible format along with an explanation of how the data is used, stored, and shared.
• Keep a full audit trail of decisions, searches, redactions, and communications.
IMPORTANT: Employers do not need to include data where the employee raising the Data Subject Access Request (DSAR) was merely copied in on an email but was not the subject or direct recipient of the email. The DSAR obligation applies to personal data concerning the individual making the request, not incidental copies where they are not the focus.
Legal timeframes
What the Information Commissioner’s Office (ICO) requires:
• You must begin processing the DSAR as soon as you receive it.
• You must provide the full response within one calendar month of receipt, or within one month of receiving any ID clarification you have reasonably requested.
• Acknowledging the request promptly is considered good practice because it demonstrates that you are acting without undue delay, which the ICO explicitly expects.
You will need to identify all relevant personal data (this can take a considerable amount of time and will likely require the support of your IT and HR teams to identify communications, emails, texts etc.), redact sensitive or third‑party information, respond within the statutory timeframes, and maintain detailed audit trails to demonstrate compliance with UK GDPR.
How Amicus People can help:
Organisations receiving DSARs aren’t always familiar with their responsibilities as the employer and regularly supply more than the required data, using up valuable time and resources.
The ICO now emphasises that employers are required to conduct ‘reasonable and proportionate searches’, not exhaustive ones, which means you do not need to supply:
• duplicates of information already supplied;
• data that is not personal data;
• emails where the individual is only copied but not the subject;
• legally privileged documents; or
• third‑party data that cannot be disclosed without consent or lawful justification.
Amicus People can help you confidently comply with DSARs: managing immediate responses, identity checks, redactions and reporting, applying ‘stop the clock’ to the process where appropriate, and ensuring that a GDPR‑compliant process is followed. Our expertise reduces risk and streamlines your data management, saving you a great deal of time, resources and money so that you can focus on your business.