The UK General Data Protection Regulation (UK GDPR), alongside the Data Protection Act 2018, sets out the rules for handling personal data. It places clear responsibilities on organisations, ensuring data is processed lawfully, individuals’ rights are protected, and accountability is maintained whenever personal information is used.
One of the key rights under this framework is the right of access. In practice, this is exercised through a Data Subject Access Request (DSAR). In this article, we explain what a DSAR is and how employers should respond when one is received.
What is a Data Subject Access Request (DSAR)?
A DSAR is a formal request made by an individual to an organisation asking for a copy of their personal data.
This request is usually free of charge and can include information about what personal data is being held and how and why it is being used, processed or stored. This right applies to current employees, former employees, and even job applicants.
Under Article 15 of the UK GDPR, individuals are entitled to:
- Confirmation of whether their personal data is being processed
- Access to a copy of that data
- Key information such as the purpose of processing, who the data is shared with, and how long it will be kept
There are some exemptions. In certain circumstances, information may be lawfully withheld or redacted where disclosure would adversely affect the rights and freedoms of others.
The Data Protection Principles
Article 5 of the UK GDPR sets out the six key data protection principles. Personal data must be:
- Processed fairly and lawfully
- Collected for specified, explicit and legitimate purposes, and used appropriately
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Kept only for as long as necessary
- Processed securely to protect against loss, damage or unauthorised access
These principles underpin everything an organisation does with personal data. Employers must be able to demonstrate ongoing compliance, including when responding to DSARs, supported by appropriate policies, procedures, and safeguards.
How to recognise a DSAR
A DSAR does not need to follow a specific format. An individual can make a request verbally or in writing, including through social media. What matters is that it is clear the person is asking for access to their own personal data. No legal wording or reference to legislation is required for the request to be valid.
A DSAR can also be made by a third party, such as a family member or legal representative, who is authorised to act on behalf of the individual. In these cases, it is the responsibility of the third party to provide evidence of their authority to the employer/organisation.
How should employers respond to a DSAR?
Employers must respond without undue delay and within one month of receiving the request.
The one-month timeframe begins from the date the DSAR is received, or, where applicable, when a fee is paid (in limited circumstances). The timeframe can be paused while waiting for identity verification, any applicable fee, or clarification or further information needed to process the request.
Employers must provide:
- Confirmation that personal data is being processed
- A copy of the personal data held
- Clear details explaining how the data is collected, used, and disposed of
Responses should be clear, transparent, and easy to understand.
Before any information is shared, employers must ensure that any data relating to other individuals is appropriately redacted or removed.
Where a request is particularly complex or involves a large volume of information, the response period can be extended by up to a further two months. If this is necessary, the employer must inform the individual within the original one-month deadline and explain why the extension is required.
Summary
DSARs are an important part of data protection compliance. Employers need to be able to recognise a valid request and respond confidently within the required timeframes.
A well-handled DSAR should always be accurate, transparent, and appropriately redacted. Keeping clear records of how requests are handled also helps demonstrate compliance with UK GDPR obligations.
Taking a structured, proactive approach not only supports legal compliance but also helps maintain trust and confidence within the workforce.
Further Advice
If you have any queries about Data Subject Access Requests or any other employment law matters, our Peace of Mind Team is here to help with clear, practical advice.
Our Document Audit Team can also assist with drafting and reviewing workplace policies.
You can contact our Employment Team by emailing employment@warnergoodman.co.uk or calling 023 8071 7717.