DSARs – Data Subject Access Request Guide
Imagine you want to know exactly what personal data an organisation or employer holds about you. In the United Kingdom, you have a legal right under the UK GDPR and the Data Protection Act 2018 to find out. You exercise it by making a Data Subject Access Request (DSAR), which the ICO calls a subject access request. It is a request you can make to any organisation that says, in effect, “Give me a copy of all the personal information you hold about me.” The right of access is a cornerstone of UK data protection law, designed to give people transparency about, and control over, their personal data.
What a DSAR Really Means in Practice
Under UK law, any individual (the “data subject” in data protection terms) can ask an organisation to provide access to the personal data it holds about them, together with the supplementary information the law requires, such as the purposes of the processing, who the data is shared with, how long it will be kept and where it came from. A DSAR does not require a formal template or specific wording. It can be made in writing or verbally, and ICO guidance confirms that requests made by email or over social media count. In other words, if you message a company on X (formerly Twitter) saying, “I want a copy of my personal data,” that is a valid subject access request, and the organisation has a duty to recognise it and respond appropriately. The right of access is not new: the Data Protection Act 1998 provided for it (a narrower version, limited to computerised records, existed under the 1984 Act), and it has been carried forward and strengthened under the GDPR and the Data Protection Act 2018.
So, what kind of data can you get with a DSAR? Potentially anything that qualifies as your “personal data.” This could be your account notes, emails mentioning you, call recordings, CCTV footage of you, HR files – you name it. If it’s information about you and the organisation holds it, in most cases you’re entitled to a copy. There are some exceptions (for example, companies can withhold certain things like another person’s data or confidential references), but the general principle is openness. For businesses and HR departments, this means when they receive a DSAR, they often have to comb through emails, databases, chat logs, and even paper files to find all references to that individual. It can be a lot of work, but it’s legally required.
From £10 Fees to Free Requests: How UK DSAR Law Changed
You might be wondering about the history: has this always been the case? Under the old Data Protection Act 1998, making a subject access request was more cumbersome. Organisations were allowed to charge a fee (usually up to £10 per request, with higher caps for some categories such as health records), and they had up to 40 calendar days to respond (source: stewartslaw.com). While £10 might not sound like much, it was enough of a token cost to dissuade some people from bothering. Back then, the process was often paper-based and slow: you might have had to fill out a form, post it with a cheque for £10, and then wait up to six weeks.
Fast forward to today, and the rules are much more in favour of individuals. In 2018, the EU’s General Data Protection Regulation (GDPR) came into effect and the UK adopted it through the Data Protection Act 2018, replacing the 1998 framework (since Brexit the retained version is known as the UK GDPR). A subject access request is now free in most circumstances: ICO guidance is clear that organisations cannot charge for a standard DSAR. The only time a fee can be charged is where a request is “manifestly unfounded or excessive”, for example because it is repetitive, in which case the organisation may charge a reasonable fee based on its administrative costs or refuse the request altogether (and must tell the person why). For the average person asking once for their data, there is no cost at all.
Not only are DSARs free now, but the deadline for organisations to respond is tighter. Legally, they must respond “without undue delay” and at the latest within one month of receiving the request. Under current ICO guidance the clock starts on the day the request is received (whether or not that is a working day), and the response is due on the corresponding calendar date in the following month: a request received on 2 January is due by 2 February. If the following month has no corresponding date (a request received on 31 January, say), the deadline is the last day of that month, and if the deadline falls on a weekend or bank holiday, the organisation has until the next working day. Under the old 1998 Act the limit was 40 calendar days; the GDPR shortened it to one calendar month, which at 28 to 31 days is always shorter. The intent is clear: people should not have to wait long. An organisation can extend the deadline by up to a further two months only if the request is complex or the individual has made a number of requests, and to rely on the extension it must tell the person within the original one-month period that more time is needed and why.
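As an added illustration (not code from the original page), here is a small Python helper that works out the statutory response date the way ICO guidance describes it: the day of receipt starts the clock, the response is due on the corresponding calendar date in the following month (or the last day of that month if there is no corresponding date), and a due date that lands on a weekend or bank holiday rolls forward to the next working day. The bank-holiday set is a constructed list for England and Wales in 2024, included only so the example runs offline; a real tracker would load the official list each year. The `extended=True` option applies the same counting rule three months from receipt, which is an assumption about how an organisation would calculate the further two months, not something the page states.

```python
import calendar
from datetime import date, timedelta

# Constructed bank-holiday set (England and Wales, 2024) so the example runs
# offline. A production tracker must load the official list every year.
BANK_HOLIDAYS = {
    date(2024, 1, 1), date(2024, 3, 29), date(2024, 4, 1), date(2024, 5, 6),
    date(2024, 5, 27), date(2024, 8, 26), date(2024, 12, 25), date(2024, 12, 26),
}


def add_calendar_months(start: date, months: int) -> date:
    """Return the corresponding calendar date `months` later.

    If the target month has no such day (31 January plus one month), clamp
    to the last day of that month, which is the ICO's rule for DSAR deadlines.
    """
    month_index = start.month - 1 + months
    year, month = start.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, holidays=BANK_HOLIDAYS) -> date:
    """Roll a date forward past Saturdays, Sundays and bank holidays."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def dsar_deadline(received: date, extended: bool = False,
                  holidays=BANK_HOLIDAYS) -> date:
    """Statutory response date for a DSAR received on `received`.

    One calendar month by default. `extended=True` assumes (hypothetically)
    that the further two months allowed for complex or multiple requests are
    counted the same way, i.e. three calendar months from receipt.
    """
    months = 3 if extended else 1
    return next_working_day(add_calendar_months(received, months), holidays)


def days_left(received: date, today: date, extended: bool = False) -> int:
    """Calendar days until the deadline; negative once it has passed."""
    return (dsar_deadline(received, extended) - today).days


if __name__ == "__main__":
    # 31 Jan clamps to 29 Feb (leap year); 27 May 2024 is a bank holiday;
    # 1 June 2024 is a Saturday, so that deadline rolls to Monday 3 June.
    for received in (date(2024, 1, 2), date(2024, 1, 31),
                     date(2024, 4, 27), date(2024, 5, 1)):
        print(received, "->", dsar_deadline(received),
              "| extended ->", dsar_deadline(received, extended=True))
```

The roll-forward only ever moves the deadline later, so a tracker built on this never tells a team it has less time than the law allows; the clamp to month end is the case most hand-kept spreadsheets get wrong.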
These changes – no fees and quicker turnaround – have made DSARs much more accessible and common. What used to be a trickle of £10 postal orders is now a flood of free requests, often made instantly by email or online forms. For UK companies, this shift from the 1998 regime to the post-2018 regime was a big adjustment. It required setting up internal processes to handle requests quickly, and it means even a casual request from a customer or employee might be a ticking clock that the company must take seriously.
The Rise of DSARs in the UK: More Requests, More Awareness
Since the rules were strengthened, the use of DSARs has grown sharply. People are more aware of their data rights than ever before; every cookie banner and privacy notice is a reminder that the GDPR exists. Privacy practitioners credit this awareness with empowering individuals to exercise their rights, and the UK’s data protection regulator, the Information Commissioner’s Office (ICO), has seen a corresponding surge in complaints about DSARs. In the most recent year reported, the ICO received over 15,300 complaints about organisations failing to comply with DSARs, a 13.5% increase on the previous year (source: personneltoday.com). This is a strong indicator that DSAR activity is on the rise. The ICO has noted that subject access is the single most common reason people contact the regulator, ahead of any other data protection concern.
So who is making all these requests? Many come from everyday people acting as consumers; you might ask your bank or an online retailer, “Give me all my personal data.” But a significant share of DSARs in the UK arise in the employment context. UK businesses routinely receive DSARs from disgruntled current or former employees. It has become almost standard for someone in a dispute with their employer (say, they believe they were unfairly dismissed or they are preparing for an employment tribunal) to file a DSAR. Why? Because they hope to uncover the internal emails, file notes or messages in which someone said something revealing: a “smoking gun”. Employment lawyers sometimes call this a “fishing expedition”, with the individual casting a wide net in the hope of catching evidence that strengthens their case. In some instances, people have “weaponised” DSARs as a tool to pressure organisations (source: personneltoday.com). The prospect of sifting through thousands of documents and potentially disclosing embarrassing details can indeed push an employer towards settling. This dynamic has been noted especially in finance and tech, where large volumes of data are generated and disputes can be high-stakes.
It’s not just employees, though. Public figures and politicians have also started using DSARs to their advantage. High-profile individuals are realising that a subject access request can uncover what’s being said about them behind closed doors. For example, an opposition MP discovered through a DSAR that a lobby group had described her in some unflattering terms in private messages. Another MP, Caroline Lucas, used a DSAR to find out she had been flagged by a government unit monitoring criticism of COVID policies. And perhaps the most famous recent example: Nigel Farage, the former UK politician, used a DSAR to shine a light on his own banking saga, which became headline news.
On top of this, the volume of DSARs across different sectors is climbing. No industry is immune – anywhere personal data is held, DSARs can follow. That said, some sectors see more action than others. The financial services sector, for instance, tends to get a lot of DSAR activity (by one analysis about 14% of all DSAR complaints to the ICO come from the finance sector), with other sectors like general business (9%) and tech/telecoms (7%) also racking up notable shares. This makes sense: banks and insurers hold detailed info about customers, and tech companies hold heaps of user data, so people are curious or concerned about what’s in there. We’re also seeing DSARs in healthcare, education, and government – for example, patients requesting their medical records or citizens asking local authorities for files about them.
A striking statistic for businesses is the sheer cost and effort now involved. Handling these requests is not cheap; it is essentially an unfunded mandate on organisations. One recent survey by an HR and law group found that the average DSAR costs a small or mid-sized company about £20,000 to deal with. That figure covers staff time spent searching for data, legal counsel to make sure nothing privileged or exempt is disclosed by accident, and the opportunity cost of diverting resources. Large corporations have reported spending hundreds of thousands of pounds a year on DSAR compliance (source: just-access.org). These numbers explain why some businesses feel DSARs have become a burden, especially when they suspect the requester’s motive is less about privacy and more about gaining leverage in a dispute. The post-GDPR surge has been enough of a pain point that the UK government has considered changing the law to make it easier to reject truly vexatious or abusive requests. (As of this writing, the proposed Data Protection and Digital Information Bill would allow organisations to refuse or charge for “vexatious” DSARs more easily, but it has not been passed.)
Real Examples: DSARs in Action (Good and Bad)
To understand how organisations handle DSARs, let’s look at a few real-world examples that have made headlines – some showing DSAR success stories, others showing pitfalls.
1. Nigel Farage vs. Coutts Bank (2023): This high-profile case illustrates a successful use of a DSAR from the individual’s perspective (and a headache for the organisation). Nigel Farage, a well-known British political figure, suspected that his bank, the private bank Coutts, had closed his accounts for political reasons. Reports at the time, attributed to the bank’s side, suggested the closure was because his balance had fallen below the bank’s minimum threshold. Farage filed a DSAR to find out. Bound by law, the bank had to hand over his personal data, which included internal emails and a report from its reputational risk committee. The result was explosive: Farage obtained a roughly 40-page internal document showing that Coutts had concerns about his political views and public profile, not just his finances (source: hrmagazine.co.uk). In other words, the DSAR unearthed evidence that the decision to “de-bank” him was tied to his beliefs and reputation rather than simply a financial technicality. Farage published and discussed the document widely, leading to a scandal for the bank, and the chief executive of its parent company, NatWest, resigned in the fallout. How did Coutts handle the DSAR itself? By all accounts it complied with the law: it gathered the documents and released them within the required time. That was no doubt an exhausting process for its data protection team (one expert described it as “a nightmare” for the Coutts privacy officers to hand over such a candid internal report), but legally it did the right thing by not withholding the information, embarrassing though it was.
This example shows the power of DSARs: an individual can force even the most discreet institutions to reveal their internal discussions, with, in this case, enormous consequences. It is also a lesson for organisations: when writing anything about a person, assume that person may one day read it. The consequences of forgetting that are not only financial but reputational.
2. The Disgruntled Employee “Fishing Expedition”: Not one specific case, but a scenario that plays out often across many organisations. Let’s say an employee suspects that their recent layoff was actually due to whistleblowing or discrimination, or they’re in a dispute over a bonus. Before going to an employment tribunal, their lawyer might advise: “Submit a DSAR to your former employer.” The employer – whether it’s a big corporation or a small business – then has to gather all personal data about that ex-employee. This often means digging through email archives, pulling HR files, looking at performance reviews, and even checking messaging platforms for mentions of the person. In many cases, the individual will indeed get back a big bundle of documents. It might be hundreds of emails, copies of performance evaluations, internal chat transcripts, etc. Sometimes this yields useful evidence for the person (for example, they discover a manager had emailed HR calling them a “troublemaker” – something that might support a claim of unfair treatment). Other times, it might just confirm that everything was above board.
From the organisation’s perspective, handling these DSARs can be challenging. They must ensure they find everything about that person (if they miss something and it later comes out, it looks bad). They also have to carefully redact information that the person isn’t allowed to see – e.g., personal data of other people that might be intertwined in those emails, or perhaps legal advice which might be privileged. A common mistake some organisations make is underestimating the scope: for instance, failing to realise that a casual Teams chat or WhatsApp message about the person counts as personal data too.
The ICO has published guidance to help employers navigate this, emphasising that a request does not have to be formal to be valid (it could be as simple as an email saying “I want my files”), and that you cannot require the person to use your company’s DSAR form or wording. In one recent Q&A, the ICO noted that many employers mistakenly think a request that does not say “DSAR” explicitly need not be treated seriously, which is not the case (source: personneltoday.com). Handling a DSAR well in the employment context usually involves quickly triaging the request, assigning staff to search all systems, and where necessary taking legal advice on what can and cannot be disclosed. Many companies now train their HR and IT teams specifically on DSAR workflows so they can meet the one-month deadline. Done right, the employee gets their data on time and the company fulfils its obligations, avoiding regulatory trouble.
3. Magnacrest – What Happens if You Ignore a DSAR: Not every organisation takes DSARs seriously, and there are cautionary tales. One notable case is Magnacrest, a small property development company in England, which in 2017 received a subject access request from an individual and simply did nothing. The individual waited, but Magnacrest never responded within the lawful time. The individual complained to the ICO, which tried to get Magnacrest to comply, eventually issuing an enforcement notice (an official order to obey the law and provide the data). Magnacrest still did not comply. That is when things went wrong for the company: the ICO prosecuted Magnacrest for failing to comply with an enforcement notice, which is a criminal offence, and the company pleaded guilty. In 2019 a magistrates’ court fined Magnacrest £300 for the offence, plus costs and a victim surcharge (source: pinsentmasons.com). The £300 fine itself was nominal, essentially a slap on the wrist, largely because the offence arose under the old 1998 Act. But the conviction, and the public embarrassment of being reported as the first company prosecuted over a DSAR enforcement notice, sent a message: the regulator has teeth, and blatantly ignoring a legitimate access request can have legal consequences beyond an angry customer. Since then, the ICO has gained stronger powers under the GDPR and UK GDPR, and a company that stonewalled a DSAR today could face much heavier penalties.
4. Reprimands for Repeat Offenders: Not only private companies, but also public sector bodies have been caught failing to handle DSARs properly. In 2024, the ICO took the notable step of formally reprimanding two large city councils (Edinburgh and Glasgow) for repeatedly failing to meet DSAR response deadlines. One of those councils had a backlog where roughly 40-45% of all subject access requests were not answered within the statutory timeframe – amounting to hundreds of citizens left waiting or without a response. The ICO publicly called out these failings, although it stopped short of issuing fines in that instance. Instead, the reprimand came with recommendations to improve and a warning that continued non-compliance could lead to harsher enforcement. This example shows that even large, well-resourced organisations can get overwhelmed by DSARs if they don’t have proper systems in place. It also illustrates the ICO’s stepped approach: they often give an organisation a chance to correct its ways (with warnings or reprimands) before moving to fines.
Deadlines, Extensions, and Consequences: What Happens if You Don’t Comply
From an organisation’s point of view, failing to comply with a DSAR can have serious legal consequences. The law is clear about the deadline: in most cases you have one month to respond. If you need more time because the request is particularly complex or the individual has made several requests, you can take up to a further two months, but you must tell the person within the original one-month window that you are extending and why (source: ico.org.uk). Stretching the timeline without telling them, or without a valid reason, is asking for trouble. “Responding” to a DSAR means giving the person a copy of their personal data and the other required information (these days usually by email or a secure portal, typically as PDF or DOC files), or explaining why you are withholding something if an exemption applies. Simply ignoring the request is not an option. Even if you think the request is frivolous, you should communicate, and if appropriate refuse it under a proper exemption, rather than stay silent.
If an organisation misses the deadline or fails to provide all the required information, the individual can complain to the ICO, which will then typically contact the organisation to investigate. For first-time or minor slip-ups, the ICO may simply nudge the organisation to comply or issue a warning. But if the organisation is found to be neglecting its duties, the ICO has enforcement powers. It can issue an enforcement notice legally mandating compliance by a new deadline; ignoring that notice, as Magnacrest did, is a criminal offence that can be prosecuted in court. Beyond that, under the UK GDPR the ICO can issue fines directly for serious infringements. The potential fines are huge: up to £17.5 million or 4% of the organisation’s total worldwide annual turnover, whichever is higher, for the most serious violations. In principle, failing to honour the right of access sits in that upper tier because it is a breach of a fundamental data subject right. In practice, the ICO tends to reserve multi-million-pound fines for cases affecting thousands or millions of individuals, such as major data breaches. That said, DSAR compliance failures have resulted in penalties, and the ICO explicitly lists “failure to correctly deal with subject access requests” as an example of an infringement that can lead to a fine. Enforcement can also include making the failure public through a reprimand, which damages an organisation’s reputation. No company wants to be named and shamed for not respecting individuals’ rights.
It’s worth noting that individuals themselves also have the right to take matters to court. Under the law, if you don’t get a response to your DSAR, you could apply to the court for an order forcing the organisation to comply, or even seek compensation for any damage or distress caused by the breach. Lawsuits over DSAR failures have been relatively rare (most people go through the ICO), but it’s another risk on the table.
In summary, failing to comply with a DSAR is a lose-lose proposition for an organisation. You end up expending more effort dealing with regulators and potential legal action than you would have by just responding properly in the first place. For the individual making the request, the law is largely on your side – the process is free, the timelines are enforceable, and there are avenues to make sure you get your data.
Final Thoughts
Data Subject Access Requests are a powerful tool for transparency, giving people in the UK a peek into the data that organisations hold on them. What started in 1998 as a relatively obscure right (with a £10 fee via snail mail) is now an everyday consumer empowerment mechanism: “What is all this data you have about me? Show me.” For companies, HR professionals, and public bodies, DSARs have become a regular part of business. Handling them well is not just about avoiding fines or lawsuits – it’s also an opportunity to build trust with your employees, customers, or clients. When someone submits a DSAR, they’re essentially saying they care about how their data is being used. A timely and thorough response shows that the organisation respects that and has nothing to hide. On the flip side, a poor or delayed response erodes confidence and invites scrutiny from regulators like the ICO.
We have seen increasing volumes of requests each year and some high-profile cases, from workplace disputes to political controversies, driven by subject access revelations. The trend is clear: people are exercising their data rights, and they expect organisations to uphold them. So if you are an individual, do not hesitate to use a DSAR when you need to; it is your right, and now you know what to expect. If you are an organisation, see our blog post Responding to DSARs. Remember that ultimately personal data belongs to the person, and a DSAR is how the law makes that more than a principle: it makes it a practice.