Subject access requests

 

Individuals have numerous rights under UK GDPR and the Data Protection Act 2018.  Most notably:

  • The right to be informed (this information is usually set out in a privacy notice)
  • The right to request access to their personal data
  • The right to have inaccurate or incomplete data rectified
  • The right to be forgotten
  • The right to restrict processing
  • The right to object to processing
  • The right to receive personal data they have provided in a structured, commonly used and machine-readable format and to transmit this without hindrance; and
  • Rights related to automated decision making

The most common right exercised is the right of access.

Understanding DSARs

Individuals have a right to request access to their personal data which is held by organisations acting as data controllers. They can do this via a “Data Subject Access Request” (known as DSARs or SARs).

If a DSAR is made, then the data controller must give the individual certain information about the processing of their personal data and must give them access to their personal data (save for in limited circumstances provided for by the legislation).

Given the amount of personal data which can be held across a number of different sources – both electronic (such as emails and computer systems) and physical (such as employee personnel files) – this can be a very intimidating task.

Why You Need a Solicitor

Both making and responding to a DSAR can be incredibly daunting.

Individuals need to be confident about what they can ask for, how they make a request and what they can do if they are not satisfied with the outcome or processing activities.

For organisations, search efforts to uncover personal data are often extensive and return large volumes of documents, which usually need to be sifted through and carefully redacted, taking into account obligations of privacy to third parties and other factors. A response then needs to be provided to the individual who made the request, containing certain prescribed information.

Organisations need to ensure they understand how to carry out the search appropriately, what they can ask for from the data subject, how they should handle the information received and what they should be sending at the end of it all.

Fortunately, we are experts in assisting clients on all aspects of the DSAR process.  We also have expertise in making these requests on behalf of individuals.

For Individuals:

Our solicitors can guide you through the DSAR process from beginning to end. We can work with you to understand what information you need and help you draft your DSAR to the data controller. We can review the response to the DSAR and assist you with next steps, such as making a complaint to the ICO should this be required.

For Businesses:

Our solicitors can help you navigate the entire DSAR process.  We can:

  • Provide advice and guidance when you first receive a DSAR
  • Advise you on your search for personal data including your legal obligations in relation to this
  • Review your search results and consider any exemptions that apply
  • Undertake the redactions process for you, helping you to comply with your legal obligations to the data subject and to third parties
  • Draft letters for you as part of the process, including the letter to the data subject setting out the statutory information you are required to provide
  • Assist you in dealing with any complaints raised about your handling of personal data including responding to any complaints made to the ICO.

Dealing with DSARs can be an onerous and time-consuming task, but our team can take on some of the burden for you and help you comply with your legal obligations.

Why is it important to get DSARs right?

For individuals, it is important to get a DSAR right so that you receive the information you are seeking and can check that it is being properly processed.

For organisations, a failure to properly respond to a DSAR can lead to complaints to the ICO or Courts which, in turn, can lead to hefty fines and compensation.  There will also be added risks for businesses aside from financial considerations, such as negative publicity.

How can we help your business deal with future requests?

It’s important to be prepared!

We can help you assess your policies and procedures for dealing with DSARs and can provide bespoke training, adapted to your business and needs, to ensure you have effective mechanisms in place to deal with DSARs should you receive these in the future.

Contact Our Expert Data Protection Solicitors

If you need any assistance with DSARs, please do get in contact with our data protection team who will be happy to help.

 

“Very professional, knowledgeable and accessible lawyers.” 

Chambers and Partners

FAQs – Subject access requests

Any individual who may be identified from any form of document, whether directly or indirectly, is a data subject. This is a key concept used to determine what data falls under the category of ‘personal data’. Data subjects have certain rights under the UK GDPR.

A data subject access request (DSAR) is a request made by an individual to:

  • Obtain confirmation from an organisation that it is processing their personal data
  • Access their personal data held by an organisation
  • Receive other information concerning this data and its processing purposes

Any data subject (the identified or identifiable living individual to whom personal data relates) has the right to make a DSAR. We see these being made frequently in the employment context, whereby an employee submits a DSAR to their past or present employer.

As a first step the identity of the individual submitting the DSAR must be verified. The validity of the request should be checked and relevant personal data must then be collected and provided to the data subject, possibly in an amended format.

An organisation must respond to a DSAR “without undue delay” and within one month of the request being received. This deadline may be extended up to three months in total if the request is a complex one, or if an individual has submitted several DSARs to the same organisation.

Responses to DSARs must be provided free of charge, unless the requests are “manifestly unfounded or excessive”, in which case the organisation may charge a reasonable fee or refuse to act on the request (but this decision may be subject to a review by the Information Commissioner’s Office).

Responding to a DSAR can be time-consuming and expensive, which is why a DSAR is sometimes made as a tactical strategy in a dispute between an individual and an organisation.

A DSAR is a fundamental right under the UK GDPR. The UK GDPR regulates the way organisations handle personal data and it is important for organisations to comply with the UK GDPR’s requirements when responding to DSARs.

Key contacts

Louise Keenan

Associate

+44 118 960 4614
