How to respond to Data Subject Access Requests (DSARs)

How to respond to Data Subject Access Requests (DSARs)?

Linkilaw GDPR

As a business owner, one of your obligations under the GDPR is to manage Data Subject Access Requests (DSARs).

There are a number of challenges that such requests present to organisations, especially if you don’t have the right processes in place, due to individuals being more aware of their rights and more concerned over the privacy practices of companies.

What are DSARs?

The GDPR (General Data Protection Regulation) grants individuals the right to access their personal data from data controllers, meaning they have the right to ask an organisation whether or not they are using or storing their personal information.

This is known as a DSAR (data subject access request).

Subject access requests are not new, but the GDPR introduced some changes that make responding to them more challenging and failure to respond to DSARs can result in administrative fines for your business.

Why are DSARs being more challenging?

When the GDPR came into force, DSARs were updated with new requirements to make it easier for individuals to access information that organisations hold about them.

As a consequence, a huge increase in the number of individuals submitting DSARs has happened since then and it has clearly showed that businesses are not prepared for these requests, failing to respond in the time limit specified.


Firstly, information could be contained within hundreds of different documents that an organisation holds, including emails between the individual and the company, forms they have filled in, comments they have made, applications, transactions and so on.

Secondly, as a business grows the likelihood is that its IT infrastructure and data storage will also grow. The result is that the relevant information could be spread over on-premises servers, servers in the cloud, and employees’ personal devices.

How to respond to a DSAR?

Here are some key areas for managing Data Subject Access Requests:

  • Format of Request: The GDPR does not prescribe any particular method for making a valid DSAR and it can be made to any staff member. Even if you invite individuals to submit a DSAR through a designated online form, you should make it clear that this is not compulsory.
  • Verify the applicant’s identity: Before taking any action, you must verify the identity of the DSAR applicant, as disclosing personal information to the wrong recipient is itself a breach of the GDPR.
  • Scope of request: You’re entitled to ask an individual to clarify their request. However, if an individual refuses to provide any additional information, you still need to comply with the request.
  • Gathering the information: The most time-consuming part of responding to DSARs is locating all the relevant information. It is therefore useful to have a procedure that enables you to check the data you process and where it is stored. A data flow map can help you respond more efficiently.
  • Information to include:

– The purposes of the processing.

– The categories of personal data involved.

– The recipients of the personal data has been or will be disclosed to.

– The length of time the personal data will be retained (or, if this is not possible, the criteria for determining the retention period).

– The data subject’s right to request a rectification or erasement of its personal data.

– The data subject’s right to lodge a complaint with a supervisory authority.

– Where the personal data has not been collected direct from the data subject, any available information about its source.

– The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences for the data subject of such processing.

  • Time limit to respond: the one month time limit to respond to a DSAR runs from the date that you receive proof of identity or more information clarifying the request.
  • “Manifestly unfounded or excessive” requests: you can refuse a DSAR if it is “manifestly unfounded or excessive”. However, the GDPR does not provide any guidance on the meaning of these words so you would need to justify this.

Check the ICO’s recommendations for more detailed information about DSARs.

If you want to make sure you’re GDPR compliant or need legal support for your business, book a call with our legal team and we’ll answer all questions you may have.