Westbrook data protection services registered brand mark
Floating shapes on a dark background representing data subject access requests for organisations across the uk.

Received a Data Subject Access Request? We’re here to help

Request DSAR Support

Solicitor-led support for organisations handling subject access requests, deadlines, redactions and response planning.

Home / Services / Risk, Incidents & Enforcement / DSAR support for organisations
Clara Westbrook

Solicitor and Data Protection Lawyer


DSAR support for organisations

Led by a qualified solicitor, Clara Westbrook. Our work includes advising on scope, search strategy, review, redaction, exemptions, response wording and overall process, with legal and practical input shaped around the circumstances of the request.

Call to discuss your deadline today


Have you received a data subject access request? Start here

If you have a Subject Access Request in front of you, the first priority is to get control of the basics:

  • Confirm when the one-month time limit starts
  • Identify whether identity or authority checks are needed
  • Clarify what the individual is asking for (where appropriate)
  • Decide what systems need searching (email, HR, Teams/Slack, file shares, CCTV, devices, archives)
  • Set a proportionate search plan and internal owners
  • Reduce avoidable work by agreeing a clear scope

Where clarification is appropriate, the ICO UK guidance recognises that you can pause the clock while waiting for the requester to respond, then continue when clarification is received.


Tell us your deadline and systems, and we will advise on a practical plan for a compliant response.


DSAR Response Service Pricing

Response Service
Description
Fee Structure
Initial DSAR Strategy & Scope Review
High-level legal assessment of the request, identifying exemptions, and setting the response roadmap.
 From £1,000 per day
Managed Response Service
End-to-end handling, including data gathering, vetting, and drafting the final response.
From £450 – £700 per day
Redaction Service
Specialist line-by-line review to remove third-party data and apply legal redactions.
From £75 per hour
Final Compliance Check Only
A one-off professional “sign-off” of your prepared response before you hit send.
£400 (Fixed Fee)


What our subject access request UK service includes

You can engage WDPS for end-to-end handling or for targeted support (for example, redaction and response drafting). Typical support includes:


DSAR triage and plan

  • Deadline confirmation and timeline management
  • Validity, scope and identity/authority checks (where relevant)
  • A proportionate search plan and data-source mapping
  • Practical guidance for internal teams (HR / IT / managers)

Search, review and data reduction

  • Support to collect data from relevant systems and custodians
  • De-duplication and document reduction (where appropriate)
  • Review support to identify in-scope personal data
  • Structuring data into a response pack that is clear and organised

Redaction, exemptions and third-party rights

  • Redaction to protect third-party information and confidential content (where lawful)
  • Assessment of common DSAR exemptions and restrictions
  • Consistent rationale and defensible decision-making records
  • Quality control to reduce the risk of accidental disclosure

Response drafting and delivery

  • Drafting the response letter and required supplementary information
  • Advising on format and secure delivery
  • Helping you keep an internal audit trail of what you searched, what you provided, and why

Note: The right of access is to personal data, not necessarily entire documents. A clear response pack with appropriate redactions is often the most practical approach.


Who this service is for

Our DSAR service is designed for organisations that need a reliable, legally aware process without turning DSARs into a disruption:

  • HR teams handling employee DSARs alongside grievances, disciplinaries or exit situations
  • SME leadership teams receiving occasional DSARs and needing clear guidance fast
  • Organisations with high-volume or complex data (email-heavy environments, multiple systems, shared mailboxes)
  • Organisations with sensitive data (health, safeguarding, complaints, whistleblowing, legal matters)

If you are an individual making a subject access request, see our information for individuals and rights requests.


Employee Subject Access Request and workplace disputes

Employee DSARs often arise in sensitive contexts — performance management, grievances, disciplinaries, settlement discussions or tribunal preparation.

These DSARs commonly involve:

  • Multiple custodians (HR, line managers, leadership)
  • Mixed personal and business communications
  • Third-party data (colleagues, witnesses, complainants)
  • High volumes of email, Teams/Slack messages and attachments
  • Heightened risk of accidental disclosure or inconsistent redactions

We help HR and leadership teams adopt a calm, proportionate approach that meets UK GDPR requirements, protects third-party rights, and creates a clear record of decisions.


How our subject access request support works

1) Intake and urgency check

You share the DSAR, key dates, and basic context (for example, employee / customer / former employee, and any dispute context). We confirm deadlines and agree next steps.

2) Scope and validity

We assess what is being asked for, whether clarification is appropriate, and what “in scope” means in practice for your organisation and systems.

3) Identify data sources and agree a proportionate search plan

We help you list systems and custodians and set a defensible approach to searching without creating unnecessary work.

4) Collect, reduce and organise the dataset

We support data collection, de-duplication, and structuring so review time is reduced and the response is easier to manage.

5) Review, redaction, and exemptions

We support consistent review, apply necessary redactions, and advise on exemptions/restrictions where relevant, including third-party rights.

6) Draft the response pack and issue securely

We help you deliver a clear response, with the right explanatory information, and keep a record of what you did and why.

7) Recommendations

We will provide you with a list of our findings and recommendations so that organisations are in a better place. This might be redrafting policies or suggesting further employee training. Each organisation is different.


Tools, security, and reducing the review burden

DSARs can become expensive when teams are forced to review large volumes of email threads, attachments, duplicates and irrelevant material.

Where appropriate, we use structured review methods and tools to:

  • Reduce duplicates and repeated threads
  • Keep review consistent across reviewers
  • Apply redactions accurately and consistently
  • Create a clear audit trail of work done

We have experience working with eDiscovery-style review platforms (including Everlaw) where this supports speed and quality control.


Timelines: how long does a subject access request take?

The statutory timeframe is usually 1 month, with a possible extension of up to 2 further months for complex requests or multiple requests — but you must manage the extension correctly and communicate it on time.


In practice, delivery time depends on:

  • How many systems and custodians are involved
  • Data volume (number of emails, files, messages, CCTV clips, etc.)
  • The amount of third-party information requiring redaction
  • Whether the DSAR overlaps with a dispute, investigation or legal issues

If your deadline is close, speak to us as early as possible so we can help you prioritise correctly.


Pricing, approach and ways to engage

We provide a fixed fee or day rate depending on the type of support you require and for how long. These projects often require additional help so we use paralegals to conduct the search and redaction process.

Tell us the deadline, systems involved, and estimated volume — we will confirm the best approach and provide a clear proposal.

View our pricing list


What we need from you (to start quickly)

To move fast, we typically ask for:

  • The DSAR wording (email/letter/message) and the date received
  • The identity/status of the requester (employee, customer, former employee, etc.)
  • A list of likely systems (email, HR platform, Teams/Slack, file shares, CCTV, devices)
  • Key custodians (who is likely to hold relevant personal data)
  • Any relevant policies or constraints (retention, legal hold, investigations)

If you are not sure, we can guide you through this as part of triage


Why WDPS

WDPS is a UK data protection consultancy providing legal and compliance support under UK GDPR and related laws. You will work with a qualified solicitor/barrister who understands both the legal risk and the operational reality of responding to DSARs.

We focus on:

  • Practical, proportionate responses that meet the law
  • Clear documentation and defensible decision-making
  • Protecting third-party rights and avoiding avoidable disclosure
  • Helping HR and leadership teams reduce disruption and stress

Learn more about WDPS here


Practical next steps

If your organisation is dealing with a DSAR or if you are reviewing your internal processes to improve readiness for future requests, we can discuss how support might be tailored to your circumstances.


Content reviewed by Clara Westbrook

Clara Westbrook is a qualified solicitor and non-practising barrister with over 25 years’ experience in data protection and commercial law.


She is the founder of Westbrook Data Protection Services Limited, a consultancy providing GDPR compliance advice, DSAR support, audits and contract reviews for organisations across the UK. Clara has previously held senior legal and compliance roles at Burberry, WarnerMedia, Richemont and IMS Health.


Speak to a solicitor about your subject access request

If you need help with a Subject Access Request, email us today. You can also call us on +44 (0)79769 39016 Please leave your details and we will be in touch.

Westbrook Data Protection Services Limited. 2nd Floor, Midas House, 62 Goldsworth Road Woking, Surrey,
GU21 6LQ

Guidance on Subject Access Requests


Frequently Asked Questions


How long do I have to respond to a DSAR in the UK?

1 month; possibly extended to an additional two months if you apply an extension for complex/multiple requests; this must be notified within the first month.

When does the 1 month deadline start?

From receipt of request, or if additional information is required from receipt of reasonably requested ID.

What common challenges do organisations face with DSARs?

Organisations often struggle with managing the volume and complexity of data, clarifying the scope of requests, mapping data sources, reviewing data for relevance and redaction, and preparing responses that meet statutory requirements.

When should an organisation seek external support for a DSAR?

External support is typically needed when requests are broad, complex, involve large volumes of data, overlap with legal or HR issues, internal resources are limited, or management requires assurance of compliance.

Can organisations refuse or charge for a DSAR?

An organisation can refuse a DSAR in limited circumstances, such as if the request is manifestly unfounded or excessive. Generally, organisations cannot charge a fee unless the request is repetitive or excessive, in which case a reasonable fee may be considered.

What tools are there for managing Subject Access Requests (DSARs)?

At WDPS we use Everlaw, an eDiscovery tool that shortens the process of responding to a DSAR by weeks. The process of collecting the data is the same, however once you add it to the eDiscovery tool you’re able to quickly review and redact information.