DSAR process - Oyster IMS

DSARs – Understanding your obligations

Data Subject Access Requests, or DSARs, didn’t start with the GDPR, but it’s fair to say that there have been many more of them since GDPR came into law*.

So what is a DSAR and how should organisations respond when they receive one?

The GDPR upholds the right of an individual (i.e. a ‘data subject’)

“to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data…”

The information that an organisation must provide can include:

  • The organisation’s lawful basis for processing;
  • The names or categories of any third parties with whom that information has been shared;
  • The period for which the personal data will be stored;
  • Information about how the personal data was obtained;
  • Information about automated decision-making, including profiling, and the reasons for and potential consequences of that automation.

What do you have to do?

Above all, you have to comply. This is a legal obligation and you must respond to the DSAR within one month.

You must verify the identity of the individual asking for the information. Ideally you should establish a standard initial response to a DSAR that gathers sufficient details to fulfil the request, for example by requesting proof of their ID or of their authority to act on behalf of a named individual.

You must permit electronic requests. It is not legally permissible to insist, for example, that the subject access request is sent by post.

You cannot charge a fee. In most circumstances you will have to provide subjects with the information that they request free of charge. There are some limited cases in which organisations may apply a reasonable fee, but these are very much the exception.

You must remind the data subject of their further rights. This includes the right to object to the processing of the data, to request rectification of that information or to lodge a complaint with the Information Commissioner’s Office.

What impacts do DSARs have on organisations?

Organisations should determine who is responsible for responding to a subject access request. Typically this will be within the remit of the data protection officer (DPO). If there is no DPO, DSARs should be handled by someone with up-to-date data protection knowledge and training in GDPR compliance.

Organisations should establish a clear and robust process to handle DSAR enquiries, which should include verifying the identity of the individual, clarifying the request, ensuring that the request is valid, searching for and inspecting the data, determining an appropriate format to provide the information, communicating the response and ensuring that the individual’s rights are explained in full.

Staff training is also important, both to manage the processes described above and to help all members of staff identify a subject access request. There is no defined format for a subject access request, nor is there a requirement that an individual even uses those words. So, it’s important that staff training includes awareness that a DSAR could be requested during the course of a normal conversation.

Time, money and expertise.

DSARs could come from any direction. Members of staff, former employees, unsuccessful job applicants, customers – all are examples of individuals who might make a DSAR.

With the number of DSARs on the increase, and with the possibility of another huge increase as the Covid-19 Pandemic progresses, the time associated with managing DSARs could be detrimental. But the potential cost of non-compliance is also likely to be unacceptable, as the heavy GDPR penalties will apply for failing to meet your obligations.

Not all organisations have appointed a DPO so it’s not always easy to know how well you will respond to DSARs. If you don’t have the internal expertise and practical experience in this area of data protection you could be well advised to take some professional advice.


*   The Information Commissioner’s Office report that complaints related to DSARs doubled in the first year after the GDPR came into law. 




What is a Data Subject Access Request, or DSAR?

The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.

Individuals may exercise the right by making a written ‘Data Subject Access Request’, or DSAR.

How can a DSAR be made?

An individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.

A request does not have to include the phrase ‘subject access request’ or mention Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.

Additionally, it is important to write and implement a policy for recording details of the requests you receive, particularly those made by telephone or in person.

Do we have to reply to a DSAR?

In almost all cases the answer is “yes”.

If a request is within the scope of the Data Protection Act (there are a few exemptions), you are required to comply and must provide the information requested.

You can also refuse to comply with a subject access request if it is:

  • manifestly unfounded; or
  • excessive.

In order to decide if a request is manifestly unfounded or excessive you must consider each request on a case-by-case basis. You should not have a blanket policy.
You must be able to demonstrate to the individual why you consider the request to be manifestly unfounded or excessive and, if asked, explain your reasons to the Information Commissioner.

How long do we have to respond to a DSAR?

You must comply with a request without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receiving any information requested to confirm the requester’s identity.

You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.

What steps should we take before we respond to a DSAR?

If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.

You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information.

If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request. However, this does not affect the timescale for responding – you must still respond to their request within one month.

Who can make a DSAR?

The GDPR does not prevent an individual making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act for them. In these cases, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement.

The Information Commissioner’s Office provides more detailed guidance on third party DSARs and on requests for information about children.

What should we provide when we respond to a DSAR?

An individual is entitled only to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, it is essential that you establish whether the information requested falls within the definition of personal data.

In addition to a copy of their personal data, you must also provide individuals with the following information:

  1. the purposes of your processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient you disclose the personal data to;
  4. your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
  5. the existence of their right to request rectification, erasure or restriction or to object to such processing;
  6. the right to lodge a complaint with the ICO or another supervisory authority;
  7. information about the source of the data, where it was not obtained directly from the individual;
  8. the existence of automated decision-making (including profiling); and
  9. the safeguards you provide if you transfer personal data to a third country or international organisation.

Who should manage the response to a DSAR?

Responsibility for complying with a subject access request lies with your organisation, as the data controller.

Your DPO will generally be responsible for fulfilling a DSAR. If you haven’t appointed a DPO, the responsibility should be given to someone with up-to-date data protection knowledge and training in GDPR compliance.

If you don’t have the internal expertise, qualifications and practical experience in this area of data protection you could be well advised to get some professional support.

If you use a processor, you need to ensure that you have contractual arrangements in place to guarantee that subject access requests are dealt with properly, irrespective of whether they are sent to you or to the processor. You may not extend the one-month time limit on the basis that you have to rely on a processor to provide the information that you need to respond.

What happens if we fail to respond to a DSAR?

To fail to respond to a DSAR is to break the law.

Under the Data Protection Act 2018, fines of up to €20 million, or 4% of a business’ annual global turnover in the preceding financial year, whichever is higher, could be imposed by the ICO for non-compliance with data subject access requests.

So far, the practice employed by the ICO is to issue an enforcement notice, before taking legal and punitive actions.


© Copyright 2021 Oyster IMS  |  Web design by Union 10 Design
