Demystifying Data Subject Access Requests

One year on from the introduction of the General Data Protection Regulation (GDPR) and it is becoming clear that when it comes to Data Subject Access Requests (DSAR), organisations are confused regarding a desire to balance the rights of an individual with the needs of an organisation, John Potts (Head of DPO DSAR and Breach Support) GRCI Law, outlines the essential processes that companies must put in place to avoid falling foul of DSAR breach.

GDPR Misunderstanding

While subject access requests were in place under the Data Protection Act 1998 (DPA), growing personal data awareness has resulted in a significant spike in DSAR activity – and there is a degree of resentment regarding the way individuals are now using these new data rights. However, whether a business feels the DSAR is justified is in the main irrelevant: it is the law. Companies have a legal requirement to comply with a DSAR within one month – or face the wrath of the Information Commissioner’s Office (ICO), and a potential enforcement action which could mean a fine, it will always impact on the reputation of the organisation.

This deadline applies for any DSAR, whether it is created internally or externally. Indeed, a significant proportion of the rise in DSARs is in support of employee grievance and tribunals. Many employment lawyers will now typically file a DSAR for the relevant period(s), as part of any case – whether it is an employee fighting dismissal or filing a complaint against a colleague. Companies, therefore, need to recognise that in such cases these individuals know exactly what information the DSAR should include, whether that is an email trail or meeting notes. Don’t fall into the trap of overlooking the DSAR simply because a tribunal is underway: the right process must be in place to respond to every DSAR irrespective of who makes the request or why.

As such, it is essential to put in place a process for immediately recognising a DSAR. Individuals can make requests via any medium, from Twitter to email and letter. Fail to respond within the deadline, for whatever reason, and the individual can raise a complaint with the ICO, which will then investigate. In addition to ensuring DSARs are not overlooked for any reason, a company also needs a smooth escalation process and at least one individual trained to respond to the DSAR.

Exemptions and Third Party Data

While the majority of DSARs are simple, organisations will face some that raise questions. The way third party data is handled, for example, can be a minefield. Many companies believe it is simply a case of going through all the relevant data and redacting any names other than that of the individual that has made the request. That is not the case.

For example, if ten people were in a meeting and one of those makes a DSAR, there is no point redacting the names of those other nine individuals – everyone knows they were in the meeting. However, this approach cannot be applied to CCTV records, for example. An individual may accept the existence of CCTV in a nightclub, but that does not provide implicit agreement that their presence can be shared in a response to someone’s DSAR. Or take a police custody suite: even if faces are redacted, background conversations could infringe individual rights. When it comes to third party data, DSARs will have to be considered on a case by case basis, there is no blanket response.

Furthermore, there are a number of exemptions that can be applied to DSAR, including Legal Professional Privilege (LPP) for information exchanged between an individual and legal representative, as well as information relating to company finances or national security. The ICO will look at each exemption on a case by case basis and it is therefore essential to ensure each DSAR is annotated with the relevant exemption.


Failure to respond quickly to a DSAR is not going to automatically incur the huge fines associated with data theft. However, it is still a breach of GDPR and the ICO is not going to go easy on organisations that fail to put in place the right processes. DSARs are becoming a fact of life for every organisation; individuals know their rights and, as the rise in employee grievance inspired DSARs reveals, they are actively looking to use the new legislation to support their cause.

For any organisation process is key: monitor all incoming communication channels for DSARs and escalate quickly, the clock starts when the company receives the request. Put in place good professional support for any complex cases that may require exemption or redaction. And, critically, think hard about data retention strategies. The whole aim of GDPR is to make companies consider their data resources and move away from storing data for the sake of it. Only retain data that is relevant and you have a lawful reason for processing put in a place a retention policy with strong methods for recording, extracting and redacting if needed.