How to respond to a Data Subject Access Request (DSAR)


Growing awareness of data protection rights is leading to an increase in individuals making DSARs. In this article we’ll guide you through the challenges you face and give tips on getting them right. Be aware that requests can be made via email, social media and over the phone, so make sure your staff know this and are trained to recognise and deal with each one.


Use our DSAR PDF checklist to help you respond within the legal timeframe and avoid common pitfalls. It includes:

  • a clear DSAR workflow from receipt to secure disclosure
  • guidance on identity checks and when the deadline can pause
  • suggested search terms and key systems to check (email, Teams, HR files, shared drives)
  • a redaction/exemptions prompt list (including third-party information)
  • a practical “sign-off” step so you can evidence compliance



What you must provide in a DSAR response

When you respond to a Data Subject Access Request, your reply needs to do more than simply send documents. In most cases you must provide:

Confirmation

  • Confirm whether you process the individual’s personal data.

A copy of their personal data

  • Provide the personal data you hold about them (in a commonly used electronic form where the request is made electronically, unless they ask otherwise).
  • This includes personal data across systems (for example email, HR files, CRM records, Teams/Slack messages, case files, call notes and other records), not just your “main” database.

The “supporting information” (so the data makes sense)
Alongside the data itself, you should provide the key information that explains your processing, including:

  • Why you use their data (your purposes)
  • What categories of personal data you process about them
  • Who you share it with (recipients / categories of recipients)
  • How long you keep it (retention periods or the criteria you use to decide them)
  • Where you got it from (if you didn’t collect it directly from them)
  • Their rights (e.g., to rectification, erasure, restriction, objection, and to complain to the ICO)
  • Information about automated decision-making, including profiling, where it applies (and meaningful information about the logic involved, plus the significance and likely consequences)

Tip: You don’t have to “write an essay” — but you do need to give enough context for the individual to understand what you hold, what you’re doing with it, and what their options are next.


Once you’ve recognised the DSAR, the first challenge is understanding what information you need to provide to the individual making the request. This will partly depend on the request itself. If the request is particularly broad, it is worth asking the individual if they can clarify the timeframe and/or the scope, but you cannot put pressure on them to do this and they do not have to.


Identity checks

In addition to clarifying the timeline and scope, you should carry out appropriate identity checks to ensure the person making the request is who they claim to be. This may be obvious in some cases, so don’t waste time unnecessarily. If you do need to ask for identity information, the one-month countdown stops (this is called stopping the clock) until the identity information and any other requested information has been received, at which point the clock resumes.

Stopping the clock

When an individual makes a request, organisations have one calendar month to respond. This includes bank holidays and weekends.

If you genuinely need to verify someone’s identity or you need clarification because the request is unclear, you can pause the deadline while you wait for the information you’ve reasonably asked for.

You should not use this to delay responding where the request is already clear.

Once you have the relevant information, make a note of the date you received it and revise your timeframe. So if it took the individual 5 days to respond, you can add those 5 days to the clock.

Example of pausing the deadline while you wait for clarification
If you receive a DSAR on 14 May, the one-month deadline starts the same day. This means you should respond by 14 June. If you ask the individual for clarification on 15 May (because the request is genuinely unclear), the deadline is paused from 15 May until the date the individual responds. If the individual provides clarification on 18 May, the deadline starts running again from 18 May. Because the deadline was paused for three days (15–18 May), you can extend the original one-month deadline by three days. You should therefore respond by 17 June.

Source: ICO guidance on responding to a right of access request.
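To make the date arithmetic in the example above concrete, here is a small deadline calculator. It is an added illustration, not part of the original article or ICO guidance. It takes the receipt date, any stop-the-clock pauses (each recorded as the date you asked and the date the individual answered) and an optional flag for the two-month extension on complex requests. Two points are assumptions rather than something the article states: when the following month has no corresponding calendar date (for example a request received on 31 January), the function falls back to the last day of that month, and the complex-request extension is modelled as three months from receipt. All dates are constructed.

```python
from datetime import date, timedelta
import calendar


def _add_months(d: date, months: int) -> date:
    """Return the corresponding calendar date `months` later.

    If the target month has no such day (e.g. 31 Jan + 1 month), fall back to
    the last day of that month. Assumption: this rule is not stated in the
    article; it is how the calculator handles short months.
    """
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def dsar_deadline(received: date, pauses=(), complex_request: bool = False) -> date:
    """Compute the DSAR response deadline.

    received        - the date the request was received (day 1 of the clock)
    pauses          - iterable of (asked, answered) date pairs; each pause adds
                      (answered - asked) days to the deadline, matching the
                      article's "paused 15-18 May = three days" arithmetic
    complex_request - if True, apply the two-month extension (assumption:
                      modelled as three months from receipt in total)
    """
    months = 3 if complex_request else 1
    deadline = _add_months(received, months)

    paused_days = 0
    for asked, answered in pauses:
        if answered < asked:
            raise ValueError("clarification cannot be received before it was requested")
        if asked < received:
            raise ValueError("a pause cannot start before the request was received")
        paused_days += (answered - asked).days

    return deadline + timedelta(days=paused_days)


def days_remaining(deadline: date, today: date) -> int:
    """Days left before the deadline (negative means the response is overdue)."""
    return (deadline - today).days


if __name__ == "__main__":
    # Constructed dates reproducing the article's worked example.
    received = date(2025, 5, 14)
    asked, answered = date(2025, 5, 15), date(2025, 5, 18)
    print("no pause:   ", dsar_deadline(received))                      # 2025-06-14
    print("with pause: ", dsar_deadline(received, [(asked, answered)]))  # 2025-06-17
    print("complex:    ", dsar_deadline(received, complex_request=True)) # 2025-08-14
    print("31 Jan:     ", dsar_deadline(date(2025, 1, 31)))             # 2025-02-28
```

Record the `asked` and `answered` dates at the time they happen; the calculator only reproduces the revised deadline if the pause dates you feed it are the ones you can evidence.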


The 5 stage process

The subject access request process can be broken down into 5 key stages, as described below:



Stage 1

During the first stage, the search terms need to be established and the search conducted. Depending on the nature of the request, this may return a large volume of documents.



Stage 2

The documents returned by the search will need to be reviewed in order to establish what information needs to be provided to the individual. During the initial review round, discard anything that is out of scope, i.e. information that doesn’t contain the data of the individual either directly or indirectly. It is important to understand that the right to subject access is limited only to personal data of the requesting individual.


Stage 3

The third stage involves redacting the information you’ve gathered. This means removing information about third parties, including line managers and job titles, and ideally any information that would identify other people, unless you have their consent. If the individual still has access to emails or reports they have already received, that information doesn’t need to be resupplied; only information they aren’t directly party to does. However, if they no longer have access to that information, you’ll need to supply it. This includes any Microsoft Teams, Slack and WhatsApp messages. Be aware that if you have a bring your own device (BYOD) policy in place, individuals’ phones can be searched, but only with consent.


Stage 4

The fourth stage considers the possible application of exemptions. Determining whether these apply requires technical legal expertise. If it is established that an exemption applies, you can redact or withhold that information. For example, you have an ongoing investigation into the individual and the information would compromise it. Under the Data Protection Act 2018 this falls under Schedule 2, Part 4, Paragraph 23(1) – Negotiations. You must explain this and cite the relevant schedule.


Stage 5

Once the information is ready to be sent to the individual, it should be indexed and sent securely, with the password sent via a different communication channel. If hard copies are being sent by post or courier, select a tracked service and consider dividing the documents into several packages to limit the damage should any package be lost in transit.

Tip: It is worth noting that retention periods are generally 6 years for most types of documents. If you hold information beyond this period that you don’t need, you inadvertently add time to a request because you have more documents to go through. Practising data hygiene by deleting old documents once the retention period is over reduces the time spent searching.


The rise of AI DSARs

More individuals are now turning to ChatGPT and other AI software to write a DSAR. In some instances these are several pages long, and to the organisation receiving one can look overwhelming. If you’re based in the UK, phrases like “attorney” or “organize” are usually a clear giveaway, as AI uses American spelling by default.

Once the request has been reviewed, it usually becomes clear that it was generated using AI. This doesn’t mean the DSAR isn’t valid; you can, however, go back to the individual if needed to clarify points. This won’t stop the clock either, it will just narrow down the search terms. We’re seeing more AI-generated DSARs, as well as other AI-generated legal documents such as privacy policies. Without proper legal guidance these often lead to wrongful applications of the law.


What is the two month extension?

The two month extension may apply in cases where a subject access request is deemed to be complex. The ICO sets out the criteria applicable to ascertaining whether a DSAR is complex and thereby subject to the two month extension.

The criteria are as follows:

  • Technical difficulties in retrieving the information – for example if data is electronically archived.
  • Applying an exemption that involves large volumes of particularly sensitive information.
  • Clarifying potential issues around disclosing information about a child to a legal guardian.
  • Any specialist work involved in obtaining the information or communicating it in an intelligible form.
  • Clarifying potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party. Applying these exemptions would require legal advice.

Please note: Having more data whether on the server or an external disk drive would not trigger an extension.


What does the new UK Data (Use & Access) Act 2025 say about DSARs?

Organisations can breathe a sigh of relief knowing that DSARs will soon be limited to searches that are “reasonable and proportionate.” This change is intended to reduce the time and cost involved in responding to complex or excessive requests but organisations will have to wait up to 12 months before parts of the act come into effect.

This also means that individuals will be expected to be more specific in the scope of their request. However, if the search returns information requiring further investigation, the individual will still be entitled to access that data.


The Data Use & Access Act also extends the timeframe for responding to a DSAR: while the standard response time remains one month, controllers may now take an additional two months where the request is considered complex or excessive, or where multiple requests have been made. This is a new Act, so we anticipate it will evolve over time with case law and updated ICO guidance. Adding this change to your policy now will keep you ahead of the curve.


Clara Westbrook Founder/CEO – Data Protection Lawyer
Clara Westbrook is a senior privacy lawyer with over 25 years’ experience advising businesses on European and English data protection law. She helps clients navigate this complex area of law in an accessible and commercial way, enabling them to achieve their business objectives in compliance with data protection law.

Frequently Asked Questions

What should I include in my response to a Data Subject Access Request (DSAR)?

Your response should confirm whether you process the individual’s personal data, provide a copy of their personal data across all relevant systems, and include supporting information that explains your processing purpose, categories of data, sharing recipients, data retention periods, sources of data, their rights, and details about automated decision-making.

How do I verify the identity of the person making a DSAR?

You should carry out appropriate identity checks, which might be obvious in some cases. If necessary, pause the response deadline until the individual provides the required identity information or clarifies the scope of their request.

What is meant by stopping the clock in relation to DSARs?

Stopping the clock means pausing the response deadline if you need to verify someone’s identity or clarify the scope of the request. The countdown resumes once the requested information or clarification has been received.

Can the response time for a DSAR be extended?

Yes, the standard one-month response time can be extended by an additional two months if the request is complex, involves large volumes of sensitive data, or requires specialised work, as long as the reasons are documented and communicated to the individual.

What does the new UK Data (Use & Access) Act 2025 say about DSARs?

The Act states that DSARs should be reasonable and proportionate, aiming to reduce the time and costs involved. It also extends response times to up to three months in complex cases and emphasises that individuals should be more specific in their requests. Organisations should prepare for these changes, which will gradually come into effect over the next year.