White Paper: Handling Data Subject Access Requests (DSARs)


The implementation of the General Data Protection Regulation (‘GDPR’) and the Data Protection Act 2018 has seen a significant number of individuals (‘Data Subjects’) invoking their rights provided to them by these laws.

These include the right of access (known as ‘Data Subject Access Requests’ or DSARs), the right to be informed, the right to erasure, deletion, object etc. For many organisations, it is DSARs that are the most common of these rights to be exercised and sometimes the most onerous to fulfil, especially given the strict response times that must be adhered to.

Data Subjects have the right to know if your organisation is processing their personal data, and if so, to be provided with a copy of such personal data, along with other supplementary information regarding the nature and scope of the processing. Whilst the latter of which should form part of your Privacy Policies/Notices, the provision of copies of personal data can pose its own problems.

It is important that such requests are handled fairly, ensuring that the application of these rights do not undermine other obligations on you, such as preserving the data protection or privacy rights of third parties, preserving any confidential duties, ensuring compliance with law enforcement activity, social work etc. and so on.

The provision of copies of data subjects’ personal data can often create further challenges and questions, such as:

    • What if their personal data was provided to you in confidence, such as from a confidential informant?
    • What if their request is going to be time consuming or particularly voluminous?
    • What if someone else is requesting it on behalf of them?
    • What if it concerns a child?
    • What if it contains the names of other staff or staff from other stakeholders?


These, amongst others, are considerations that need to addressed as part of your DSAR response.

This detailed downloadable guide will walk you through the journey of completing a Data Subject Access Request (‘DSAR’). Whilst it is not exhaustive or specifically tailored to your organisation, it is indicative of the general considerations you will be expected to address when dealing with a DSAR response, such as validating a requestor, how to acknowledge a request and how to physically redact information. The guide also includes a handy walkthrough checklist to assist you to complete each DSAR, as well as a series of templates to help you construct appropriate responses.

DSARs can be complex by their nature. It is not uncommon for professionals to have a variety of different views on how to approach DSARs (such as when redactions should apply). If you remain unsure, it is important that you seek further advise or guidance from a Data Protection Officer (DPO) or advice from a privacy specialist.

If you would like immediate assistance with a DSAR response, or any other data protection related issue you are facing, please contact us.

Download the white paper: