
The right of access is one of the most powerful tools available to individuals under UK data protection law. For organisations, handling data subject access requests efficiently and lawfully has become a critical compliance function, and the Data Use and Access Act 2025 has introduced significant clarifications that every UK business needs to understand.

This guide breaks down what DSARs are, how the law has changed, and how your organisation can build a compliant, sustainable approach to managing requests.

What is a Data Subject Access Request (DSAR)?

A data subject access request, commonly referred to as a DSAR, is a formal mechanism allowing any individual to obtain all the information an organisation holds about them. Under Article 15 UK GDPR and Part 3 of the Data Protection Act 2018, a data subject can require a data controller to confirm whether their personal data is being processed and, if so, provide a copy of that data along with supplementary information.

A DSAR allows individuals to access information about their personal data that an organisation is processing, including the purposes of processing and the categories of data held. DSARs serve as a prerequisite to exercising other privacy rights, such as data rectification, restriction, or erasure (the “right to be forgotten”). They also allow individuals to verify the accuracy of their data, understand its usage, and request corrections or deletions.

Why DSARs matter:

  • Any data subject can check the lawfulness of data processing

  • DSARs help individuals challenge decisions made about them

  • Requests can be used to prepare for complaints, grievances, or litigation

  • The right applies regardless of the data subject’s relationship with the organisation (employee, customer, patient, student)

In UK regulatory guidance, DSAR, SAR, and “right of access request” are used interchangeably. Throughout this article, we use DSAR for consistency.

DSARs after the Data Use and Access Act 2025

The Data Use and Access Act 2025 (DUAA 2025) received Royal Assent on 19 June 2025, with most DSAR-related provisions coming into force on 5 February 2026. DUAA 2025 amends, rather than replaces, the existing UK GDPR framework, introducing welcome clarity on several operational pain points.

Key changes under DUAA 2025:

  • Stop-the-clock mechanism: Organisations can now pause the one-month response deadline while awaiting information needed to verify the data subject’s identity or clarify the scope of the request. Once that information is received, the clock resumes. This is now statutory rather than reliant on ICO guidance.

  • Reasonable and proportionate searches: DUAA 2025 codifies that DSAR responses must be based on reasonable searches. Organisations are no longer expected to conduct exhaustive searches across every legacy system, archive, or backup, provided they can justify exclusions on grounds of proportionality, cost, and relevance. This reasonable-search standard mitigates the burden on businesses while keeping the response timelines unchanged.

  • Manifestly excessive clarifications: The Act provides clearer guidance on when a request is manifestly excessive. Factors include repetitive character, overlap with previous requests, volume, whether information is already in the requester’s possession, and resource burden on the controller.

  • Enhanced record-keeping: Organisations must now document decisions throughout the DSAR process, particularly where requests are refused, fees are charged, or exemptions are applied. This creates a clear audit trail for Information Commissioner’s Office investigations.

  • Automated decision making provisions: Where processing involves AI or profiling, organisations must explain the logic, significance, and envisaged consequences in their DSAR response. DUAA 2025 introduces expanded grounds for automated decision making while reinforcing data subject rights to explanation and human intervention.

What information can a data subject request?

Under the GDPR, individuals have the right to access their personal data and to know how it is being processed, including the purposes of processing and the categories of data involved. A DSAR entitles them to:

  • Confirmation that their personal data is being processed

  • A copy of personal data relating to them

  • Supplementary information: processing purposes, categories of data, recipients, retention periods, source of the data, and existence of automated decision making

The GDPR stipulates that individuals have the right to request the rectification of inaccurate personal data and to request the deletion of their data under certain conditions, known as the right to erasure.

Scope of requests:

  • A data subject can request all the information held about them or specify particular data (e.g., “emails between me and my line manager between January 2024 and March 2025”)

  • Requests can cover HR files, CCTV footage, call recordings, medical records, meeting notes, disciplinary records, and any other personal information

  • There is no statutory time limit on how far back a request can go, but your data retention policies will limit what actually exists

Practical considerations:

  • Requests do not need to use a specific form or mention “DSAR,” “SAR,” or data protection legislation to be valid

  • “Please send me all the information you hold about me” is a valid request

  • DUAA 2025 encourages layered, intelligible responses where large volumes of data are involved

How can a data subject make a DSAR?

Individuals can submit a DSAR in writing or verbally, and organisations are obligated to recognise and respond to these requests regardless of the format used. Valid channels include:

  • Email or letter

  • Online forms or web chat

  • Social media messages

  • Phone calls or in-person conversations

Who can make a request:

  • Any data subject, including employees, customers, patients, students, or members of the public

  • Authorised representatives (solicitors, parents, trade union reps) acting on behalf of the data subject, with supporting evidence of authority

  • Individuals can submit a DSAR without needing to provide a reason, and organisations must respond to these requests within one month, with a possible extension of two months for complex requests

Verifying identity:

To verify the identity of an individual making a DSAR, organisations should use reasonable measures, such as email verification or photo identification, without requesting more information than necessary. This is a proportionality test: don’t ask for a copy of a passport if you can verify identity from existing account credentials.

Children’s DSARs:

Where a child makes a request, consider whether they have the capacity to understand the request and its implications. In certain circumstances, a person with parental responsibility may need to be involved, but always consider the child’s best interests.

Operational tips:

  • Publish clear DSAR contact details (including a postal address and email address) in your privacy notice

  • Train all front-line staff (HR, customer service, reception) to recognise and escalate data subject requests

  • Treat any request that seeks access to personal data as a DSAR, regardless of which department receives it

Timescales, excessive requests and when you can say “no”

Organisations must respond to a DSAR without undue delay and within one calendar month of receiving the request. Where the request is complex or you receive multiple requests from the same person, you may extend this by up to two further months, but you must notify the data subject of the extension and the reasons before the end of the initial one-month period.

When does the clock start?

  • On receipt of the request, or

  • Once you have received reasonable ID verification or clarification (DUAA 2025 stop-the-clock rules apply)

Charging a fee:

Organisations are generally not allowed to charge a fee for a DSAR, but they can charge a reasonable fee for administrative costs if the request is manifestly unfounded or excessive. A small fee may be applied to multiple or excessive requests to prevent individuals from repeatedly submitting unnecessary DSARs, but organisations should not profit from these fees. If a fee is charged, organisations should develop clear criteria for determining what constitutes a reasonable fee and explain these costs to the individual making the request.

Manifestly unfounded and manifestly excessive requests:

Requests can only be refused if they are manifestly unfounded or excessive, or if explicit legal exemptions apply. Factors include:

  • Repetitive DSARs at unreasonable intervals asking for the same irrelevant information

  • Clear evidence of harassment or tactical abuse (e.g., the real intention is to disrupt rather than to access personal data)

  • Volume and overlap with previous responses

  • Evidence that information is already in the requester’s possession

Lawful grounds for refusal:

  • Applicable exemptions under the Data Protection Act 2018 (e.g., legal professional privilege, confidential references, national security)

  • Disproportionate searches where no reasonable search would locate relevant information

  • Clear abuse of rights

If an organisation refuses to comply with a DSAR, it must provide a valid reason for the refusal and inform the individual of their right to complain to the supervisory authority (the ICO) or seek judicial remedy.

Consequences of failure:

Failure to comply with DSARs can lead to significant administrative fines under GDPR, reaching up to €20 million or 4% of annual global turnover. ICO enforcement action and reputational damage are also serious risks: SAR complaints rose 23% year-on-year in recent reporting periods.

What should be included in a DSAR response?

A compliant DSAR response must include:

  • Confirmation that the organisation processes the data subject’s personal information

  • A copy of personal data (in an intelligible, commonly used format)

  • Supplementary information: purposes of processing, categories of data, recipients or categories of recipients, retention periods or criteria, source of data, existence of automated decision making and profiling

Redactions and exemptions:

Organisations must redact information containing personal data of others when responding to a DSAR, unless consent is given for disclosure. Other exemptions under UK law include:

  • Legal professional privilege (now explicit under law enforcement regime via DUAA 2025)

  • Confidential references given or received for employment or education

  • Information whose disclosure would cause serious harm

  • Certain information relating to management information or planning, where it does not constitute personal data about the data subject

You are not required to disclose information that is wholly unrelated to the data subject, but you must still identify and provide any of their personal data embedded within internal documents.

Format and delivery:

  • PDFs, secure portals, or encrypted email are all appropriate delivery methods

  • For large volumes of email data, consider layered responses: summaries first, with detailed data available on request

  • DUAA 2025 expects clear, plain-English explanations of complex processing and profiling activities

How organisations should handle DSARs in practice

A robust DSAR workflow is essential for compliance. Here is a practical step-by-step process:

  1. Recognise the request: Any communication asking for personal data should be treated as a DSAR, regardless of format or department receiving it.

  2. Log the request: Record the date, channel, and details immediately.

  3. Verify identity: Use reasonable measures to confirm the data subject’s identity before proceeding.

  4. Clarify scope: If the request is broad or unclear, ask for further information to narrow the search (stop-the-clock applies here).

  5. Search relevant systems: Conduct a reasonable search across HR records, email, CRM, CCTV, and any other systems likely to hold personal data.

  6. Review and redact: Apply exemptions, redact third-party personal data, and ensure only relevant information is included.

  7. Approve and send: Secure sign-off from your Data Protection Officer or equivalent lead, then deliver the response in a secure format.

Record-keeping under DUAA 2025:

  • Maintain a DSAR register with dates, decisions, and communications

  • Document which systems were searched, which were excluded, and why

  • Evidence any pauses (stop-the-clock), extensions, or refusals

Common problem areas:

  • Data proliferation across legacy systems, shadow IT, and third-party processors

  • Large volumes of unstructured email, Teams/Slack chats, and instant messages

  • Coordination between HR, Legal, IT, and Customer Services

Practical tips:

  • Develop internal playbooks, checklists, and DSAR templates for employees, customers, and special category data (e.g., health data)

  • Assign clear accountability, ideally to your Data Protection Officer or a nominated lead

Common DSAR challenges under DUAA 2025

DUAA 2025’s clarifications are welcome, but they also raise the bar for compliance. Organisations can expect:

  • Increased scrutiny: The ICO is actively monitoring DSAR compliance, with over 16,000 SAR complaints in a recent reporting period.

  • Higher volumes: As awareness grows, more individuals will exercise their fundamental right to access their data.

  • Complex redaction: Reviewing and redacting thousands of emails, instant messages, and Teams/Slack chats for a single DSAR, especially in contentious HR or litigation contexts, remains a major operational burden.

  • AI and automated processing: Explaining the logic, significance, and envisaged consequences of profiling in a DSAR response is now a regulatory expectation. Organisations deploying AI must ensure their systems and records can support those explanations.

  • Coordinating with HR and Legal: DSARs that overlap with grievances, whistleblowing, disciplinary, or procurement disputes require careful management to avoid breaching data subject rights or prejudicing ongoing processes.

Real-world examples:

  • A university receives a DSAR from a former student requesting “all correspondence and personal data since admission”, a search spanning multiple systems and years.

  • An employer faces a DSAR from an employee involved in a disciplinary process, requesting all emails and file notes involving named managers.

  • A public sector body must respond to a DSAR involving special category data and health data, with multiple exemptions and redaction requirements.

Data Privacy Services: DSAR Management Services for UK organisations

Data Privacy Services (trading name of Data Privacy and Data Security Services Ltd) is a UK-based data protection and information security consultancy supporting organisations with GDPR compliance, including complex DSAR handling.

Our DSAR Management Services offer an outsourced or co-sourced solution for managing data subject requests, helping you meet legal deadlines, reduce risk, and maintain demonstrable compliance.

What we offer:

  • Full DSAR lifecycle support: triage, searches, application of exemptions, redaction, packaging, and secure delivery

  • ISO 27001-certified experts with deep knowledge of UK GDPR and DUAA 2025

  • Support for both ad hoc DSARs and ongoing high volumes

  • Specialist handling for complex employee DSARs, multi-jurisdiction requests, and requests involving special category data

Outsourcing DSAR handling can help organisations manage complex requests more efficiently, especially if they lack in-house expertise or resources. Organisations that receive a high volume of DSARs may benefit from outsourcing, as it can reduce the burden on internal resources and ensure compliance with response deadlines. Engaging an outsourced DSAR service can provide organisations with access to expert knowledge and tools, which can streamline the entire process and improve GDPR compliance.

Get in touch:

  • Request a Free GDPR Audit

  • Contact us about DSAR Management Services, DPO as a Service, or CISO-as-a-Service support

Building a sustainable DSAR and data protection framework

Effective DSAR handling depends on wider data protection practices. Most organisations that struggle with DSARs also have gaps in:

  • Data mapping and Records of Processing Activities (RoPA)

  • Data retention and deletion policies

  • Information security controls and access management

How Data Privacy Services can help:

  • Design DSAR policies, procedures, and staff training tailored to your sector

  • Integrate DSAR workflows with broader GDPR compliance, ISO 27001, and cyber security programmes

  • Conduct DSAR readiness reviews or mock requests to test your processes before high-stakes or high-volume requests arrive

Looking ahead:

Between 2023 and 2026, organisations in healthcare, local government, financial services, and education have matured their DSAR capabilities in response to regulatory pressure and rising request volumes. The most successful have embedded DSAR handling within a culture of privacy by design and continuous improvement.

Next steps:

If you want to ensure your organisation is ready for DSARs under DUAA 2025, contact Data Privacy Services for tailored DSAR and data protection consultancy. We help you respond in a timely manner, meet your legal obligations, and demonstrate compliance to the Information Commissioner’s Office, on a case-by-case basis or as part of an ongoing partnership.
