Guide
Respond to data subject access requests (DSARs)
How to handle data subject access requests under UK GDPR. Covers the one-month response deadline, identity verification, exemptions that allow redaction, extensions for complex requests, fee rules, and the new 'stop the clock' provision from the Data (Use and Access) Act 2025.
A data subject access request (DSAR) is a request from an individual to see the personal data you hold about them. Under UK GDPR Article 15, people have the right to access their personal data, and you must respond within legal timeframes.
Getting DSARs wrong exposes your business to ICO enforcement action. Breach of data subject rights falls under the higher tier of UK GDPR fines.
Recognising a DSAR
A DSAR does not need to use specific wording or follow a particular format. You must treat any of these as a valid request:
- Written requests - email, letter, online form, or social media message
- Verbal requests - phone call or face-to-face conversation
- Any clear expression of intent - "I want to see my data", "What do you have on me?", or "Send me everything you hold about me"
The person does not need to mention 'DSAR', 'subject access request', 'Article 15', or 'UK GDPR'. If their intent is clear, it's a valid request.
Train your staff to recognise DSARs. Requests may arrive through unexpected channels - customer service, social media, or informal conversations with managers.
Your legal deadline
You must respond within one calendar month from when you receive the request.
- Standard deadline: One calendar month from receipt of request
- Extension for complex requests: Can extend by a further two months (total three months)
- Extension requirement: Must tell the individual within the first month if you need extra time, explaining why
- Legislation: UK GDPR Article 12(3)
Calculating the deadline
The deadline falls on the corresponding date in the following month:
- Request received 15 March - deadline 15 April
- Request received 31 January - deadline 28/29 February (last day of month)
- Request received 30 November - deadline 30 December
The clock starts when the request arrives, not when you begin processing it. Log all requests immediately with the date received.
The 'stop the clock' provision
From 19 June 2025, the Data (Use and Access) Act 2025 allows you to pause the response deadline when you need to ask for clarification.
- Stop the clock: Response deadline pauses when you request clarification from the individual
- Clock resumes: The day after you receive the clarification
- Effective date: 19 June 2025
- Legislation: Data (Use and Access) Act 2025
This is useful when requests are unclear or extremely broad. For example:
- Request asks for "all my data" across multiple systems - you can ask which records they actually need
- Request doesn't identify the person clearly - you can ask for clarification
- Request covers a very long time period - you can ask them to narrow the scope
Use reasonably: Do not use this provision to create unnecessary delays. Only request clarification when genuinely needed to fulfil the request effectively.
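The deadline arithmetic described under "Calculating the deadline" and the "stop the clock" provision above are easy to get wrong when tracked by hand, so here is an added worked example of a deadline calculator (example code written for this guide, not a tool from the original page or from the ICO). It assumes the guide's rule that a missing corresponding date rolls back to the last day of the month, and it models a clarification pause as the whole days between sending the clarification request and receiving the reply, with the clock resuming the day after the reply; that pause model, the class name `DsarRequest` and its methods are assumptions for illustration, not a statement of the statute.

```python
"""DSAR deadline calculator (added example; not from the original guide).

Assumptions, labelled as such:
- The deadline is the corresponding date in the following month(s); when that
  date does not exist, it is the last day of that month (as the guide states).
- A 'stop the clock' pause is modelled as the whole days between the date the
  clarification request was sent and the date the reply arrived; the clock
  resumes the day after the reply, so those days are added on to the deadline.
  This is a modelling choice for the example, not a statement of the statute.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta


def add_months(start: date, months: int) -> date:
    """Return the corresponding date `months` later, clamped to month end."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class DsarRequest:
    received: date                              # date the request arrived (clock start)
    extended: bool = False                      # two-month extension invoked
    # (clarification_sent, clarification_received) pairs; assumed pause model
    pauses: list[tuple[date, date]] = field(default_factory=list)

    def paused_days(self) -> int:
        """Total whole days during which the clock was stopped."""
        total = 0
        for sent, replied in self.pauses:
            if replied < sent:
                raise ValueError("clarification reply cannot precede the request")
            total += (replied - sent).days
        return total

    def extension_notice_by(self) -> date:
        """Last day to tell the individual you need the extension (end of first month)."""
        return add_months(self.received, 1) + timedelta(days=self.paused_days())

    def deadline(self) -> date:
        """Response deadline: one month, or three if extended, plus paused days."""
        months = 3 if self.extended else 1
        return add_months(self.received, months) + timedelta(days=self.paused_days())

    def days_remaining(self, today: date) -> int:
        """Days left to respond; negative once the deadline has passed."""
        return (self.deadline() - today).days


if __name__ == "__main__":
    # Constructed sample, not real request data: received 31 January,
    # clarification requested 5 February and answered 12 February.
    r = DsarRequest(received=date(2025, 1, 31),
                    pauses=[(date(2025, 2, 5), date(2025, 2, 12))])
    print("deadline:", r.deadline())          # 2025-03-07: 28 Feb plus 7 paused days
    print("days left on 2025-02-20:", r.days_remaining(date(2025, 2, 20)))  # 15
```

Run it as a script to see the sample, or feed `days_remaining` with today's date from your request log to flag requests approaching the deadline; because the clock starts on receipt rather than on processing, `received` should always be the logged arrival date.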
Verifying identity
Before releasing personal data, you must be confident the request comes from the right person. Releasing data to the wrong person is itself a data breach.
Proportionate verification
What counts as reasonable verification depends on the sensitivity of the data and how the request was made:
- Low-risk data, known contact: If the request comes from an email address already on file, this may be sufficient
- Medium-risk data: Ask them to confirm details only they would know - recent transaction, account number, address
- High-risk data: For sensitive information, you may request photo ID - but this should be proportionate
Don't over-verify: Asking for certified passport copies to confirm a mailing list address would be excessive. Match the verification level to the risk.
Third party requests
Someone can make a DSAR on behalf of another person - a solicitor for a client, a parent for a child, or an employee representative. You must be satisfied they have authority to act.
Ask for:
- Written authorisation from the data subject
- Evidence of legal authority (power of attorney, court order)
- For children under 13, evidence of parental responsibility
If in doubt, contact the data subject directly to confirm they want the data released to the third party.
What you must provide
A DSAR response must include both the personal data and supplementary information about how you process it:
- Copy of personal data: All personal data you hold about them, in an accessible format
- Purposes of processing: Why you are processing their data
- Categories of data: What types of personal data you hold
- Recipients: Who you have shared or will share the data with
- Retention periods: How long you keep the data, or the criteria for determining this
- Rights information: Their rights to rectification, erasure, restriction, objection, and to complain to the ICO
- Data source: Where the data came from, if not collected directly from them
- Automated decisions: Any automated decision-making affecting them and the logic involved
Conducting reasonable searches
You must conduct a reasonable and proportionate search for personal data across all your systems. This includes:
- Databases, CRM systems, and business applications
- Email accounts (including archives)
- Paper files and physical records
- Backup systems
- CCTV footage
- HR records, finance systems, call recordings
The Data (Use and Access) Act 2025 clarified that searches should be "reasonable and proportionate" - you don't need to search every possible location exhaustively, but you must make genuine efforts to locate all relevant data.
Format of your response
Provide the information in a commonly used electronic format if the request was made electronically. PDF, CSV, or structured exports from your systems are usually acceptable.
If the person requests a specific format and it's reasonable, you should try to comply. You don't need to build custom export tools.
When you can refuse or redact
UK GDPR and DPA 2018 contain exemptions that allow you to withhold some information. Apply these carefully - they are not blanket refusals.
- Third party data: Redact personal data about other people unless they have consented or disclosure is reasonable without consent
- Legal professional privilege: Confidential communications between lawyers and clients for legal advice
- Confidential references: References you have given (not received) in confidence for employment, education, or training
- Management forecasting: Planning information about negotiations or decisions that would be prejudiced by disclosure
- Crime prevention: Data processed for preventing or detecting crime, if disclosure would prejudice those purposes
- Manifestly unfounded or excessive: Requests that are clearly vexatious, repetitive, or unreasonable (high bar to prove)
Apply exemptions carefully:
- Exemptions apply to specific pieces of information, not whole documents
- Redact the exempt parts and provide the rest
- Always consider whether a partial response is possible
- Document your reasoning for applying each exemption
If you refuse or redact, explain why to the individual and inform them of their right to complain to the ICO.
Fees
Subject access requests are free in most cases.
- Standard DSAR: Free of charge
- Manifestly unfounded or excessive: You can charge a reasonable fee OR refuse to act
- Reasonable fee: Based on the administrative costs of providing the information
- Further copies: If they request additional copies of the same data, you can charge a reasonable fee
- Burden of proof: You must demonstrate the request is manifestly unfounded or excessive
What makes a request 'manifestly unfounded or excessive'?
This is a high bar. Examples that might qualify:
- Manifestly unfounded: The person clearly has no intention to exercise their rights - making threats or demands unrelated to data access
- Excessive: Repetitive requests - the same person requesting identical data weekly without good reason
Size alone is not enough: A large request for substantial data is not automatically excessive. The test considers whether the request is reasonable in the circumstances, not the volume of work involved.
Step-by-step DSAR response process
Follow these steps for every data subject access request:
- Log the request immediately: Record the date received - this starts your one-month clock. Note the communication channel and any reference numbers.
- Verify identity if needed: If you're not certain the request is genuine, ask for proportionate verification. The clock pauses until identity is confirmed.
- Ask for clarification if unclear: If the request is vague or extremely broad, ask the person to specify what they need. From June 2025, the clock pauses until they respond.
- Search all relevant systems: Conduct reasonable and proportionate searches across databases, email, paper files, backups, and any other systems holding their data.
- Review for exemptions: Check whether any exemptions apply. Redact third-party data and apply other exemptions only where clearly justified.
- Compile your response: Gather the personal data plus supplementary information (purposes, categories, recipients, retention, rights, sources, automated decisions).
- Respond within the deadline: Send your response within one calendar month. If you need an extension, notify within the first month explaining why.
- Document your actions: Record what searches you conducted, what you provided, any exemptions applied, and when you responded. Keep this for accountability.
If the individual is not satisfied
From 19 June 2025, organisations must have an internal complaint-handling mechanism for data rights requests. You must acknowledge complaints within 30 days.
If the individual remains dissatisfied after your internal process:
- Inform them of their right to complain to the ICO
- The ICO can investigate and order you to take specific actions
- The ICO can issue enforcement notices and fines
Penalties for getting it wrong
Failing to respond correctly to DSARs can result in significant penalties. Breach of data subject rights falls under the higher tier of UK GDPR fines:
- Higher tier maximum: Up to 17.5 million GBP or 4% of annual worldwide turnover, whichever is higher
- Applies to: Breach of data subject rights including access requests (UK GDPR Articles 12-22)
- ICO approach: Fines should be effective, proportionate, and dissuasive
Common compliance failures that trigger enforcement:
- Not responding within one month
- Providing incomplete information
- Applying exemptions incorrectly or too broadly
- Failing to recognise a valid DSAR
- Charging fees when not permitted
- Not telling the individual about their right to complain