Data Subject Access Requests are among the most burdensome compliance obligations organisations face, and the combination of the one-month response window, the breadth of information potentially in scope, and the legal consequences of a deficient response makes them a genuine operational and legal challenge. I advise organisations on handling DSARs correctly — whether that means managing a straightforward request efficiently, dealing with a complex multi-system search, or defending a challenge to a refusal or restriction. I also advise individuals who believe their DSAR has been mishandled.
The most common errors I see in DSAR handling are: failing to identify all personal data in scope across all systems (email, CRM, HR records, CCTV, instant messaging), failing to complete the review and redaction process within the one-month window, applying exemptions incorrectly or without the required balancing test, and providing data in an unnecessarily difficult format. Any of these errors can result in an ICO complaint, an enforcement notice, or a civil claim. I advise on all stages of DSAR handling and can step in at any point if a request is causing difficulty.
For complex DSARs — particularly those from former employees, litigants, or individuals who may be building an evidence base for future legal proceedings — the exemptions available under the DPA 2018 are important. The legal professional privilege exemption, the litigation exemption, and the third-party rights exemption each have specific conditions and applying them correctly requires legal judgment. I review the data in scope, advise on appropriate exemptions, draft the response letter, and prepare a defensible record of the decisions made in case the ICO or a court later reviews the process.
How It Works
1. Request received and scope of personal data assessed
2. All relevant systems searched and data collated
3. Exemptions assessed and redaction decisions documented
4. Response prepared within one-month statutory deadline
5. ICO complaint defence or Tribunal appeal if response challenged
What You Get
- DSAR scope assessment and systems search guidance
- Exemption application and redaction review
- Response letter and disclosable data package prepared
- ICO complaint defence if DSAR handling challenged
FAQ
Q: Can I refuse a DSAR?
A: You can refuse or restrict a request that is manifestly unfounded or manifestly excessive, but the threshold is high. You must document your reasons. I advise on whether a request meets the threshold.
Q: Do I have to provide CCTV footage in a DSAR response?
A: Yes, if the footage clearly identifies the requestor as a data subject. I advise on how to provide footage while protecting third-party privacy rights through blurring or redaction.
Q: What is the manifestly unfounded or excessive exemption?
A: If a request is clearly made to harass, has no purpose beyond disruption, or is a repeat of a recent identical request, it may be refused or a reasonable fee charged. The bar is high and I advise on whether it applies.
Package Comparison
Feature | Basic (£319) | Standard (£479) | Premium (£798)
DSAR scope assessed and all relevant systems identified