Data Subject Access Request (DSAR) Guidance

The General Data Protection Regulation (GDPR) grants employees the right to access any personal data an organisation holds on them. This is known as a data subject access request (DSAR). It is vital that all companies know how to deal with a DSAR when they receive one. Current and ex employees can submit them and they are often used in the course of a dispute.

This article details the rules and regulations businesses need to know about.

Companies can decline a DSAR request if it meets the following criteria:

  1. It is manifestly unfounded. This means that the requester doesn’t intend to exercise their right of access appropriately e.g. they might plan to use the request to make unsubstantiated claims against the organisation.
  1. It is excessive e.g. it overlaps with another request that has recently been submitted.

Does the company have to provide everything?

  • No, only information that’s considered personal data needs to be provided. Not everything that mentions or refers to the data subject needs to be included.
  • Some information can be redacted e.g. private, organisational information and anything else that is not in scope of the DSAR. Information that relates to another person should be redacted; this would constitute a data breach if not done.


According to the Information Commissioners Office (ICO), an organisation should respond to a DSAR ‘without undue delay’. At the latest, this should be within one month of the request. If requests are numerous or complex, you can extend the deadline by two months, but you are still expected to respond to the request within the first month and explain why the extension is necessary.

Failure to respond to the DSAR within 40 days could lead to significant fines and regulatory penalties, not to mention reputational damage.

The process of completing a DSAR need not be lengthy. The following steps explain what needs to be done:

  1. Verification of the subject’s identity: This is so you can:
  • determine whether you have the information the subject looking for
  • safely distribute the information i.e. avoid a potential data breach. 
  1. Clarification: Identify what it is the requester wants to know. Determine timescales at this point, and respond accordingly i.e. if you will need more time to generate a response.
  1. Data review: It’s important to ensure that the data doesn’t include anyone else’s personal information; this could result in a data breach.
  1. Data Collection: This will involve gathering all the subject’s data into a response, the format of which must easily accessible. The response must be as comprehensive as possible.
  1. Subject’s rights: A statement on the subject’s data privacy rights should be included.
  1. Sending the data: For accountability, it is best to create an audit trail and document any communications with requesters. 

What constitutes personal data?

  • Name and surname
  • Home address
  • Email address
  • An identification car number (NI)
  • Location data
  • An IP address
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (where processed to uniquely identify someone)

What should an organisation send back to an employee?

When an organisation responds to a request, they should normally tell the person whether they process their personal information and, if they do, give the person copies of it.  The organisation also needs to include:

  1. What they are using the persons information for;
  2. Who they are sharing the persons information with;
  3. How long they will store the persons information, and how they made this decision;
  4. Details on the persons rights to challenge the accuracy of the persons information, to have it deleted, or to object to its use;
  5. The person’s right to complain to the ICO;
  6. Details about where they got the persons information from;
  7. Whether they use the persons information for profiling or automated decision-making and how they are doing this; and
  8. What security measures they took if they have transferred the person’s information to a third country or an international organisation.

Ex and current employees can submit numerous DSARs.

For help or advice on DSARs, get in touch with the team at IHRS, who will be happy to help.

Email, call 01604 709509 or visit the IHRS website.

About the author

Katherine is a member of the senior management team at RWA. She has over 20 years’ international experience working in HR, across various sectors, including financial services, insurance and regulated environments. Over the years, she has collaborated with some exceptionally talented HR professionals, with whom she has joined forces on special projects. Her network of HR professionals provides advice and training to companies and other HR teams.

In her role with RWA, Katherine heads up RWA’s Human Resources Consultancy and provides objective support to firms on employment law and HR issues. She uses her extensive skills and knowledge to work with firms to help them develop strong and resilient HR strategies and establish healthy organisational cultures.

Katherine holds a degree in Business Administration and Management from the University of Northampton and a Postgraduate Diploma in Human Resource Strategies from London Metropolitan University. She is a Fellow of the Chartered Institute of Personnel and Development (FCIPD).

Get RWA Insight In Your Inbox

Regular business news and commentary delivered direct to your inbox each week. Sign up here