Data Subject Access Requests (DSARs) – 5 Essential Steps

Data SubjectAn individual who can be identified or is identifiable from data. Access Requests (DSARs) pose many challenges for organisations. Often, the sheer volume of requests is too much for internal resources to handle. Or the intricacies of a complex DSAR involve complications beyond a straightforward retrieval of personal dataInformation which relates to an identified or identifiable natural person.. In this blog, we suggest the 5 essential steps for processing DSARs. We detail some of the issues you should watch out for, especially at the beginning of the processA series of actions or steps taken in order to achieve a particular end., and how to identify any exemptions.

Edited and updated on 15 March 2024

Essential steps for processing Data Subject Access Requests (DSARs)

The key to handling DSARs successfully is having a robust and efficient process. Responding to DSARs can be broken down into the following 5-steps: 

• Recognise and record 
• Acknowledge receipt 
• Collate the data 
• Review and redact 
• Share response

Read on to understand these steps in a little more detail.

1. Recognising and receiving DSARs

What is a Data Subject Access RequestA verbal or written request made by a data subject to access their data (in a portable format if requested), be informed about how it is used, to have their data modified if it is incorrect, or to have it deleted.?

A Data Subject Access Request (DSAR) is an inquiry from an individual (known as a data subject) to an organisation (known as a data controllerAn entity (such as an organisation) which determines the purposes and means of the processing of personal data.), asking what personal information is held about them. 

There is no specific format required to initiate a DSAR and requests can include: 

• Letters 
• Emails 
• Online chat facilities 
• Social media posts 
• Verbal requests 

All are equally valid. 

A DSAR doesn’t need to specifically reference the UK’s Data Protection Act (DPA) 2018 or the UK General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU.). 

You cannot and should not ask someone why they are making the request, as you have no lawful reason to ask this question. 

The important thing is to ensure your staff recognise a DSAR and understand what needs to be completed for an effective response.

How long have you got to respond? 

You have one calendar month to respond to a DSAR, unless there are multiple requests, or the request is considered complex. 

What to do when you receive a DSAR 

We recommend having an allocated person or department to receive DSARs to save them from being lost and to ensure efficiency. 

If you need advice, you can contact your Data Protection Officer (DPO) or the UK’s Information Commissioner’s OfficeThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. (ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).). 

Record all DSARs in a DSAR log. The log should include details of the request, the action taken, and the time taken to respond.

2. Acknowledge receipt and explain how you will review and respond to the request

Many DSARs are straightforward to deal with, but some can be used to make vexatious requests or to extract data that the requestor is not entitled to. 

Before expending considerable time and effort collecting records, remember to always: 

Verify the requestor’s identity

Make sure the requestor is who they say they are, particularly if the request is not made in person. Providing personal information to somebody else is a data breach and can compound problems. If in doubt, check the requestor’s identity: 

• Ask to see photo ID, such as a passport or driving license 
• And also, a utility bill 
• Or in some cases, request a face-to-face meeting

Make sure the requestor has the right to the information

DSARs are typically requested by an individual whose personal information is held. However, someone else can request an individual’s personal data on their behalf. Examples include those with parental responsibility, someone in possession of consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. from the individual or with power of attorney, and from appropriately sanctioned law enforcement agencies. 

You must always make sure the requestor has the legal right to receive somebody else’s personal information.

Examples of inappropriate requests we’ve seen include:

• In schools, estranged parents or step-parents who aren’t legal guardians, asking for a pupil’s personal information.

• Disgruntled customers asking for information about the specifics of other customers or employees

• Potential employers asking a previous employer for a personal reference without the consent or agreement of the individual

In such cases the correct response is to say that, without the specific authority of the individual, no information can be provided.

Requests from the police for personal data in the pursuit of their enquiries are another common type of DSAR. In these cases, we suggest accepting the request, providing the Police have confirmed its basis in writing. You should also confirm the police officer making the request works at the relevant police station by calling its switchboard. 

Identify any exemptions

DSARs relate only to the personal information processed on the individual making the request. They are not a vehicle to uncover additional information about an organisation, to find out about others, or to extract otherwise privileged information. For example, in schools, a parent can legitimately use a DSAR to ask for information about how their child is performing or why the school made certain decisions. A DSAR can’t be used to request information about other pupils, or to identify any other child involved in an altercation or disciplinary process.  

There may be conflicting requirements that mean you should not release some personal data. For example, when it is not in the individual’s best interest to release sensitive safeguarding information. 

In the case of such conflicting requirements, you should undertake a “balancing assessment” to identify the extent of personal information that you should collate and shared with the requestor. 

To limit your work in collecting and preparing the information, it is always best to verify (as described above) the requestor’s identity, confirm their right to the information and identify any exceptions from the outset. You can then acknowledge and reply to the requestor upfront, explaining what information you are and are not permitted to provide. 

If there are any doubts, an experienced Data Protection Officer (DPO) can provide advice and guidance. Experienced DPOs will understand your organisation and how to apply the legislation in a practical way, which can save considerable time and resources. 

3. Collate and review records

Once you’ve acknowledged the DSAR and identified the required information, you then need to collate it and review. 

The GDPR requires you to respond to DSARs within one calendar month of verifying the requestor’s identity. This can be an arduous task, especially given that records can be in both paper and electronic format. Also, don’t forget information held by third-party data processorsThird parties processing personal data on behalf of a data controller. in your data processing chain. 

One particularly difficult request received by one of our clients was from an individual making a legitimate DSAR request to provide transcripts of over 100 telephone calls and recorded messages. This took considerable time and effort to collate and review the data. 

In all cases, the invaluable systems are those that store data centrally, are searchable and enable easy access and recall. Holding information in multiple physical locations, or as paper records, can greatly increase the amount of work required. 

Complex DSAR requests can be extended to three calendar months, provided you advise the requestor of the reasons for extending the time scale prior to the expiry of the initial month. 

4. Review the response and implement any redactions

Before sharing any information with the requestor, you must review the response and ensure the information is complete and comprehensive. 

Then check for any personal data that could potentially identify another individual. This will need redacting. 

Redacting is a process that involves carefully obscuring or removing any other personal data within the documents or records that could identify another individual. For paper records you can obfuscate using a black redacting pen. 

We recommend nominating a specific person or department for redacting information as this is a specialist task. 

It’s generally a good idea for the review to be conducted by a different person than the person compiling the information. A DPO is often given this responsibility.

5. Share the response with the requestor

The last step is simply to share the response with the requestor and ensure that you reference the original request in your response. 

Always keep an exact copy of the information sent and keep a record of your response in your DSAR log.

Summary

The number of DSARs continues to increase as individuals better understand and exercise their rights under data protection laws. 

Handling DSARs efficiently is crucial for compliance and to uphold data subject’s rights. 

The first step of a robust process is to understand what a DSAR is and know what needs to be completed. 

Organisations often don’t have the internal resources to manage the DSAR process. This is where an experienced Data Protection Officer can help. They have the knowledge and skills to ensure DSARs are responded to efficiently, effectively and lawfullyIn data protection terms, 'lawfully' must satisfy one of the appropriate lawful basis for processing and must not contravene any other statutory or common law obligations..

Other blogs and information you might find helpful:

• FOI vs DSAR: What’s the difference?
• DSAR exemptions: When can information be withheld?
• Information Commissioner’s Office updated SARs guidance for employers, May 2023

Do you need help with your DSARs? 

The DPO Centre has one of the largest teams of DPOs available. Our DSAR services provide the necessary advice, guidance and model documentation required to ensure timely, appropriate and lawful responses to DSARs.

For further information on how we can assist your organisation, please contact us.