GDPR Data Subject Access Requests in the UK: Your Guide


With the UK GDPR giving individuals more control over their data, your business faces greater responsibility for making that data accessible and stiffer penalties for failing to comply with DSAR requests. For many businesses, the arrival of post-Brexit GDPR in the UK has created a false sense of security. With updated consent policies, improved cybersecurity, and an adequately trained workforce, it was easy to succumb to the idea that this meant a job done, boxes checked, and business as usual.

The truth, however, is that achieving baseline compliance by January 1, 2021 has been difficult for many. For any organization, the long-term commitment to meeting regulatory requirements means responding quickly and efficiently to a large number of data-related events: not only data breaches, but also right to be forgotten requests and data subject access requests, or DSARs if you prefer.

We have worked with several leading companies across the UK, providing them with the tools, strategies and outsourced services they need to handle such requests without affecting their business as usual. Here we answer your top questions about DSARs and what you need to do to stay GDPR compliant in the UK.

Obligations of the controller

Under the UK GDPR, you must respond to requests immediately, without delay and within one calendar month. Recital 59 of the GDPR also states: “The controller should provide a means for requests to be submitted electronically, in particular where personal data is processed by electronic means”. In other words, if you had previously fulfilled the conditions of access only by official mail, you will now have to set up an electronic system, whether it is a form on your website, a specific e-mail address or any other suitable means. It should be noted, however, that individuals do not necessarily have to use this system to apply.

What is a DSAR?

Under the GDPR, a person can make a subject access request using any available method, including:

a: verbally in person
b: by telephone
c: in a written letter
d: through your website
e: by e-mail
f: via social networks

There’s no formal way to make a request, so the person doesn’t necessarily have to use the terms “subject access request”, “DSAR”, “section 15” or anything like that, as long as it is clear that they are requesting their data. Additionally, requests can be directed to anyone within your organization. This means that if someone verbally asks one of your front line employees in person, that request is just as valid as a formal letter, email or completed form.

Therefore, now may be a good time to review any recent EU GDPR training you have provided to your staff. Make sure that anyone who regularly deals with customers, employees, suppliers, etc. receives training to identify a DSAR and that the request is handled by the internal response process you have in place.

What information can an individual request?

Article 15 of the GDPR covers the “data subject’s right of access”. It specifies: The data subject has the right to obtain from the controller confirmation whether or not personal data concerning him or her is being processed and, where applicable, access to personal data and to the following information:

1: The purposes of processing
2: The categories of personal data concerned
3: The recipients or categories of recipients to whom the data have been (or will be) disclosed, in particular recipients in third countries or international organizations
4: If possible, the envisaged duration for which the data controller will keep the data or, if not possible, the criteria used to determine this duration

Rectification or erasure

The right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing.

Where the personal data is not collected from the data subject, any available information as to their source.

Automatic processing

The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and the logic involved, as well as the significance and envisaged consequences of such processing for the individual concerned.

Where personal data is transferred to a third party or an international organization, the right to be informed of the appropriate safeguards to protect this data.

All of this means that if you have data about someone making a DSAR request, you are obligated to provide them with a copy of the data and any additional information about how it is used.

What do I need to know to provide a response to a DSAR request?

According to the ICO, the information you provide to an individual must be in a “transparent, intelligible and easily accessible form, using clear and plain language”. For example, if your company uses particular codes for different categories of data, you should provide a clear and legible explanation of what those codes mean. If the request is received electronically, Article 15 states that “unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form”. Meanwhile, Recital 63 recommends a best practice solution of creating remote access to a secure system where individuals can directly access the data you hold about them. However, remember that you should not do so if it could compromise the freedom of others, including trade secrets and intellectual property.


Remember that you have no more than one month to respond, counting from the day after receipt of the request, whether or not it is a working day. In other words, if you receive a request on July 1, the countdown begins on July 2 and you have until August 2 to comply with this request.

Can I extend the time to provide the requested information?

In most cases, however, as with everything in life, there are exceptional circumstances. It is possible to extend the response time if the request itself is too complex or if the person has made several requests. The ICO states, however, that an extension is unlikely to be considered reasonable in the following circumstances: the request is “manifestly unfounded or excessive”; an exemption applies; or you asked the person to prove their identity before responding to their request.

Can I ever refuse a request?

The only time you would be able to refuse a DSAR request is if the request is found to be “manifestly unfounded or excessive”, for example if a request is very repetitive. However, it should be noted that although Article 57 of the GDPR requires you to demonstrate the “manifestly unfounded or excessive” nature of the request, there are no clearly defined parameters for this threshold, which makes it particularly hard to demonstrate.

As more and more individuals become aware of their rights regarding the data you hold about them, your business can fully expect to see an increase in the number of requests made in the coming months. That need not have a significant impact on your day-to-day functioning. As experts in helping businesses of all sizes ensure compliance with all aspects of GDPR, we provide specialist access request services designed to simplify and streamline your response services, leaving you with more time, energy and resources to focus on growing your business.