Respond to data subject access requests (DSARs)

How to handle data subject access requests under UK GDPR. Covers the one-month response deadline, identity verification, exemptions that allow redaction, extensions for complex requests, fee rules, and the new 'stop the clock' provision from the Data (Use and Access) Act 2025.

UK-wide
Guide summary

You must respond to requests for personal data within one month. Check the person's identity before sharing data. You can ask for more time if the request is complex or unclear. From June 2025, you can pause the deadline while waiting for clarification.

  • Respond within 1 month (can extend to 3 months for complex requests)
  • Check the person's identity before sharing data
  • Accept requests in any format (email, phone, social media)
  • Provide all personal data you hold about them
  • Explain how you use their data
  • From June 2025, pause deadline if you need clarification
  • Do not charge unless the request is unreasonable
  • Keep records of all requests and when you received them
  • Train staff to recognise requests
  • Releasing data to the wrong person is a data breach
On this page
UK-wide

Related guides in Compliance & Legal

A data subject access request (DSAR) is a request from an individual to see the personal data you hold about them. Under UK GDPR Article 15, people have the right to access their personal data, and you must respond within legal timeframes.

Getting DSARs wrong exposes your business to ICO enforcement action. Breach of data subject rights falls under the higher tier of UK GDPR fines.

Recognising a DSAR

A DSAR does not need to use specific wording or follow a particular format. You must treat any of these as a valid request:

  • Written requests - email, letter, online form, or social media message
  • Verbal requests - phone call or face-to-face conversation
  • Any clear expression of intent - "I want to see my data", "What do you have on me?", or "Send me everything you hold about me"

The person does not need to mention 'DSAR', 'subject access request', 'Article 15', or 'UK GDPR'. If their intent is clear, it's a valid request.

Train your staff to recognise DSARs. Requests may arrive through unexpected channels - customer service, social media, or informal conversations with managers.

Your legal deadline

You must respond within one calendar month from when you receive the request.

Standard deadline
One calendar month from receipt of request
Extension for complex requests
Can extend by a further two months (total three months)
Extension requirement
Must tell the individual within the first month if you need extra time, explaining why
Legislation
UK GDPR Article 12(3)

Calculating the deadline

The deadline falls on the corresponding date in the following month:

  • Request received 15 March - deadline 15 April
  • Request received 31 January - deadline 28/29 February (last day of month)
  • Request received 30 November - deadline 30 December

The clock starts when the request arrives, not when you begin processing it. Log all requests immediately with the date received.

The 'stop the clock' provision

From 19 June 2025, the Data (Use and Access) Act 2025 allows you to pause the response deadline when you need to ask for clarification.

Stop the clock
Response deadline pauses when you request clarification from the individual
Clock resumes
The day after you receive the clarification
Effective date
19 June 2025
Legislation
Data (Use and Access) Act 2025

This is useful when requests are unclear or extremely broad. For example:

  • Request asks for "all my data" across multiple systems - you can ask which records they actually need
  • Request doesn't identify the person clearly - you can ask for clarification
  • Request covers a very long time period - you can ask them to narrow the scope

Use reasonably: Do not use this provision to create unnecessary delays. Only request clarification when genuinely needed to fulfil the request effectively.

Verifying identity

Before releasing personal data, you must be confident the request comes from the right person. Releasing data to the wrong person is itself a data breach.

Proportionate verification

What counts as reasonable verification depends on the sensitivity of the data and how the request was made:

  • Low-risk data, known contact: If the request comes from an email address already on file, this may be sufficient
  • Medium-risk data: Ask them to confirm details only they would know - recent transaction, account number, address
  • High-risk data: For sensitive information, you may request photo ID - but this should be proportionate

Don't over-verify: Asking for certified passport copies to confirm a mailing list address would be excessive. Match the verification level to the risk.

Third party requests

Someone can make a DSAR on behalf of another person - a solicitor for a client, a parent for a child, or an employee representative. You must be satisfied they have authority to act.

Ask for:

  • Written authorisation from the data subject
  • Evidence of legal authority (power of attorney, court order)
  • For children under 13, evidence of parental responsibility

If in doubt, contact the data subject directly to confirm they want the data released to the third party.

What you must provide

A DSAR response must include both the personal data and supplementary information about how you process it:

Copy of personal data
All personal data you hold about them, in an accessible format
Purposes of processing
Why you are processing their data
Categories of data
What types of personal data you hold
Recipients
Who you have shared or will share the data with
Retention periods
How long you keep the data or criteria for determining this
Rights information
Their rights to rectification, erasure, restriction, objection, and to complain to the ICO
Data source
Where the data came from if not collected directly from them
Automated decisions
Any automated decision-making affecting them and the logic involved

Conducting reasonable searches

You must conduct a reasonable and proportionate search for personal data across all your systems. This includes:

  • Databases, CRM systems, and business applications
  • Email accounts (including archives)
  • Paper files and physical records
  • Backup systems
  • CCTV footage
  • HR records, finance systems, call recordings

The Data (Use and Access) Act 2025 clarified that searches should be "reasonable and proportionate" - you don't need to search every possible location exhaustively, but you must make genuine efforts to locate all relevant data.

Format of your response

Provide the information in a commonly-used electronic format if the request was made electronically. PDF, CSV, or structured exports from your systems are usually acceptable.

If the person requests a specific format and it's reasonable, you should try to comply. You don't need to build custom export tools.

When you can refuse or redact

UK GDPR and DPA 2018 contain exemptions that allow you to withhold some information. Apply these carefully - they are not blanket refusals.

Third party data
Redact personal data about other people unless they have consented or disclosure is reasonable without consent
Legal professional privilege
Confidential communications between lawyers and clients for legal advice
Confidential references
References you have given (not received) in confidence for employment, education, or training
Management forecasting
Planning information about negotiations or decisions that would be prejudiced by disclosure
Crime prevention
Data processed for preventing or detecting crime, if disclosure would prejudice those purposes
Manifestly unfounded or excessive
Requests that are clearly vexatious, repetitive, or unreasonable (high bar to prove)

Apply exemptions carefully:

  • Exemptions apply to specific pieces of information, not whole documents
  • Redact the exempt parts and provide the rest
  • Always consider whether a partial response is possible
  • Document your reasoning for applying each exemption

If you refuse or redact, explain why to the individual and inform them of their right to complain to the ICO.

Fees

Subject access requests are free in most cases.

Standard DSAR
Free of charge
Manifestly unfounded or excessive
You can charge a reasonable fee OR refuse to act
Reasonable fee
Based on administrative costs of providing the information
Further copies
If they request additional copies of the same data, you can charge a reasonable fee
Burden of proof
You must demonstrate the request is manifestly unfounded or excessive

What makes a request 'manifestly unfounded or excessive'?

This is a high bar. Examples that might qualify:

  • Manifestly unfounded: The person clearly has no intention to exercise their rights - making threats or demands unrelated to data access
  • Excessive: Repetitive requests - the same person requesting identical data weekly without good reason

Size alone is not enough: A large request for substantial data is not automatically excessive. The test considers whether the request is reasonable in the circumstances, not the volume of work involved.

Step-by-step DSAR response process

Follow these steps for every data subject access request:

  1. 1

    Log the request immediately

    Record the date received - this starts your one-month clock. Note the communication channel and any reference numbers.

  2. 2

    Verify identity if needed

    If you're not certain the request is genuine, ask for proportionate verification. The clock pauses until identity is confirmed.

  3. 3

    Ask for clarification if unclear

    If the request is vague or extremely broad, ask the person to specify what they need. From June 2025, the clock pauses until they respond.

  4. 4

    Search all relevant systems

    Conduct reasonable and proportionate searches across databases, email, paper files, backups, and any other systems holding their data.

  5. 5

    Review for exemptions

    Check whether any exemptions apply. Redact third-party data and apply other exemptions only where clearly justified.

  6. 6

    Compile your response

    Gather the personal data plus supplementary information (purposes, categories, recipients, retention, rights, sources, automated decisions).

  7. 7

    Respond within the deadline

    Send your response within one calendar month. If you need an extension, notify within the first month explaining why.

  8. 8

    Document your actions

    Record what searches you conducted, what you provided, any exemptions applied, and when you responded. Keep this for accountability.

If the individual is not satisfied

From 19 June 2025, organisations must have an internal complaint-handling mechanism for data rights requests. You must acknowledge complaints within 30 days.

If the individual remains dissatisfied after your internal process:

  • Inform them of their right to complain to the ICO
  • The ICO can investigate and order you to take specific actions
  • The ICO can issue enforcement notices and fines

Penalties for getting it wrong

Failing to respond correctly to DSARs can result in significant penalties. Breach of data subject rights falls under the higher tier of UK GDPR fines:

Higher tier maximum
Up to 17.5 million GBP or 4% of annual worldwide turnover, whichever is higher
Applies to
Breach of data subject rights including access requests (UK GDPR Articles 12-22)
ICO approach
Fines should be effective, proportionate, and dissuasive

Common compliance failures that trigger enforcement:

  • Not responding within one month
  • Providing incomplete information
  • Applying exemptions incorrectly or too broadly
  • Failing to recognise a valid DSAR
  • Charging fees when not permitted
  • Not telling the individual about their right to complain

Official guidance