DSARs are a legal right under UK GDPR. Ignoring them, or failing to deal properly with them, can lead to severe penalties and reputational damage. Proactive compliance safeguards your organisation and demonstrates accountability to clients and regulators.
A Data Subject Access Request (DSAR) is a formal request from an individual to access the personal data your organisation holds about them. Under UK GDPR and the Data Protection Act 2018, you must:
- Confirm if personal data is being processed
- Provide a copy of the data and explain how it’s used, who it’s shared with, and how long it’s kept
- Respond within one month, free of charge (extensions apply for complex cases)
- Ensure responses are clear, secure, and compliant.
DSARs are a cornerstone of transparency and accountability in data protection. Mishandling them can lead to serious consequences.
Your legal obligations
Organisations must:
- Recognise requests: Accept DSARs through any channel, even informal ones
- Verify identity: Ensure the requester is who they claim to be
- Respond promptly: Provide the requested information usually within one month
- Provide full details: Include copies of personal data, processing purposes, retention periods, and recipients
- No charge: Responses are free unless requests are manifestly unfounded or excessive
- Ensure security: Deliver information in a clear, secure format
- Keep records: Log all DSARs for compliance and audit purposes
- Train staff: Make sure employees can identify and escalate requests.
Meeting these obligations protects individuals’ rights and helps you avoid regulatory penalties.
Consequences of ignoring a DSAR
Failing to manage DSARs properly can result in:
- Regulatory fines: Up to ÂŁ17.5 million or 4% of global turnover
- Enforcement action: ICO can issue formal notices or restrict data processing
- Legal claims: Individuals may seek compensation for distress or misuse of data
- Criminal liability: Deliberate refusal to comply can lead to prosecution
- Reputational damage: Public enforcement erodes trust and impacts brand credibility
- Operational disruption: Investigations and legal challenges drain resources.
How can we support you?
Managing DSARs can be complex and time-consuming. We provide expert, pragmatic support to keep you compliant and protected:
- DSARs: Handle any DSARs you have on your behalf or provide advice to you on an ad hoc basis, using e-discovery platforms where appropriate
- Policy development: Create clear DSAR handling procedures aligned with UK GDPR
- Risk management: Identify exemptions, redact sensitive data, and avoid breaches
- Training: Equip staff to recognise and manage DSARs effectively
- Audit and documentation: Maintain accurate records for accountability and regulatory reviews
- Dispute resolution: Handle complaints or ICO investigations if issues arise.
Our approach is proactive, commercially focused, and tailored to your organisation’s needs.
Get in Touch
You may also be interested in
Data Protection servicesComplaints
Ignoring data privacy complaints risks regulatory action, fines, and reputational harm. Proactive handling demonstrates accountability, protects client trust, and ensures compliance in an environment where privacy standards are under constant scrutiny.
Data Privacy Breaches
Data breaches can trigger severe fines, legal claims, and reputational damage. Acting fast and prioritising compliance protects your business, minimises disruption, and preserves client trust in an increasingly regulated environment.
Privacy and Electronic Communications Regulations
Privacy and Electronic Communications Regulations govern marketing, cookies, and telecoms security. Ignoring compliance risks fines up to ÂŁ17.5m, ICO enforcement, and costly remediation. Proactive action protects your business and avoids severe financial consequences.
Meet Our Specialists
Discover the experienced professionals driving our service, offering clear, commercially astute guidance with a supportive, solution‑oriented mindset.
