Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business collects or stores any personal data, sooner or later you’ll receive a “data subject access request” - usually shortened to DSAR or just SAR.
Handled well, a DSAR is manageable. Handled poorly, it can drain time and expose your business to complaints or fines. The good news is that with a clear process and the right documents, you can respond confidently and keep compliant.
In this guide, we’ll explain what a DSAR is under UK law, when it applies to small businesses, how to respond step-by-step, where exemptions can help, and how to set up your business so you’re DSAR-ready from day one.
What Is A Data Subject Access Request (DSAR)?
A data subject access request is when an individual asks your business for a copy of their personal data and supporting information about how you process it. The right of access is set out in the UK GDPR (as retained in UK law) and the Data Protection Act 2018.
In plain English: if you hold information that identifies a person - a customer, lead, employee, contractor or website user - they can ask you to:
- Confirm whether you process their personal data
- Provide a copy of that data (in a commonly used format)
- Explain why you process it, your lawful basis, where it came from and who you share it with
- Tell them how long you keep it and their rights (rectification, erasure, restriction, objection, portability)
- Share safeguards if you transfer data outside the UK
DSARs don’t need legal language to be valid. An email saying “Please send me all the information you hold about me” counts. So do social messages or phone calls if you can verify identity and capture the request.
When Do DSARs Apply To Small Businesses?
Almost always. If your business is a controller of personal data (even on a small scale), you must be able to respond to DSARs. Typical scenarios include:
- Customers asking for their account data, support messages or purchase history
- Marketing subscribers asking for data your CRM holds (including tracking and consent records)
- Former employees requesting HR files, performance notes or emails mentioning them
- Job applicants asking for recruitment notes and interview feedback
It doesn’t matter if you’re a sole trader or a growing company - the rights are the same. If you’re a processor (processing data on behalf of a client), you’ll normally need to pass DSARs to the controller under your Data Processing Agreement.
As a business, you can ask for more information to locate the data if a request is broad, but you can’t make someone jump through hoops to exercise their rights. You can also ask for ID to confirm the requester is who they say they are, especially where disclosure could create a risk.
How To Respond To A DSAR Step-By-Step
Responding within the legal timeframe starts with a solid workflow. Here’s a practical process small businesses can follow.
1) Log The Request And Start The Clock
Record the date you received the request (the clock starts when it hits any part of your business). Aim to acknowledge receipt within a few days, explain you may need to verify identity, and set expectations about timing and format. Having a simple access request form can help funnel requests to the right place, but remember a request is valid even if your form isn’t used.
2) Verify Identity
Before you disclose any data, satisfy yourself that the requester is the individual concerned (or a valid representative). Ask for reasonable ID if needed. Keep what you ask for proportionate - you’re balancing security with accessibility.
3) Scope And Locate The Data
Identify where the person’s data lives:
- Email systems, chat tools and ticketing platforms
- CRMs, e-commerce platforms and marketing automation tools
- Financial systems, order management and logistics systems
- HR files, messaging apps and shared drives
- Backups and archives (to the extent they’re actively used)
If the request is very broad, ask the requester to clarify date ranges, systems or data types, but don’t delay while you wait - keep searching the reasonable places you already know about.
4) Review For Third-Party Data And Exemptions
You must protect other people’s rights too. As you collect documents, mark content that includes other individuals’ data or your own confidential information. You may need to redact or withhold certain parts (we cover exemptions below).
5) Compile And Format The Response
Provide copies in a commonly used electronic format (for example, PDFs, spreadsheets or machine-readable files for portability requests). Don’t just send raw data - include the required explanatory information: purposes, lawful basis, recipients, transfers, retention periods, and rights.
If you don’t already have one, this is a good moment to ensure your public-facing Privacy Policy clearly sets out these details in plain English, so you’re consistent in your DSAR response.
6) Redact Carefully And Apply Exemptions Where Justified
Redact other people’s personal data where you can’t reasonably get consent to disclose it. Remove legally privileged content and your confidential trade secrets if an exemption applies. Keep a clean record of what you redacted and why.
7) Send The Response On Time
Aim to respond well within the statutory timeframe (see below) with a clear covering note. If you need more time because the request is complex, tell the requester why and when to expect the full response. Having a reusable SAR template for acknowledgment and final responses saves time and ensures you include the required wording.
8) Keep An Audit Trail
Store copies of the request, your searches, decisions, redactions and final response. If the ICO asks questions later, you’ll want to show that you acted diligently and on time.
What Can You Refuse Or Redact?
Access is a strong right, but it’s not absolute. UK GDPR and the Data Protection Act 2018 include exemptions you can rely on in limited, justified circumstances. Common examples for small businesses include:
- Third-party personal data: You may withhold someone else’s personal data if disclosure would unfairly reveal their information and consent isn’t practical.
- Legally privileged material: Confidential legal advice and communications with your solicitor are generally exempt.
- Trade secrets and IP: You can protect confidential business information or trade secrets where disclosure would adversely affect your rights.
- Management information: Some confidential management planning information may be exempt if disclosure would prejudice negotiations or operations.
- Manifestly unfounded or excessive requests: If a person is clearly abusing the process (for example, repeated requests with no legitimate purpose) you can refuse or charge a reasonable fee, but this threshold is high and must be justified.
Always apply exemptions narrowly and explain them in your response. It’s wise to document your reasoning and, if you’re unsure, get tailored advice. For a deeper dive into what you can (and can’t) refuse, see how SAR exemptions work in practice.
Deadlines, Fees And Formats
Timing is one of the biggest compliance risks, so keep these basics in mind.
- Deadline: You must respond “without undue delay” and within one month of receipt. You can extend by up to two further months if the request is complex or you’ve received multiple requests from the same individual - but you must tell them within the first month and explain why. A quick refresher on SAR deadlines can help you plan your workflow.
- Fees: DSARs are generally free. You may charge a reasonable fee for manifestly unfounded or excessive requests, or for additional copies, but be prepared to justify it.
- Format: Provide data in a “commonly used” electronic format unless the requester asks otherwise. For portability requests, use a machine-readable format when feasible.
- Identity checks: It’s acceptable to pause the clock while you verify identity, provided you request ID promptly and reasonably.
- Records: Keep an internal log of DSARs, deadlines and decisions. Good record-keeping is your best defence if challenged.
If you’re juggling multiple requests or complex searches, it’s helpful to map your systems and assign responsibilities in advance - that way you’re not scrambling to find data sources when the clock is ticking.
Build Your DSAR Readiness
The easiest DSARs to handle are the ones you’re ready for. A few practical building blocks will make responses faster, safer and more consistent.
Have The Right Policies And Notices
- Privacy Policy: Set out your data uses, lawful bases, sharing, retention and rights in a clear, accessible Privacy Policy. Your DSAR responses should mirror what you’ve already told people publicly.
- Retention Policy: Decide how long you keep different data types so you can confidently explain (and apply) your retention periods. For guidance on setting schedules that are defensible, see this UK-focused note on data retention.
- Cookie and consent UX: Transparent cookie notices and consent records reduce disputes about what you collected and why.
Put The Right Contracts In Place
- Processor Controls: If suppliers process personal data for you (cloud apps, outsourced support), lock down roles and responsibilities in a robust Data Processing Agreement and a practical Data Processing Schedule.
- Sharing With Partners: Where you share personal data with other controllers, use a Data Sharing Agreement to define who does what - including who handles DSARs.
Create A Repeatable DSAR Workflow
- Nominate a single inbox for privacy requests and train staff to forward DSARs immediately
- Maintain a system map listing where categories of personal data live
- Prepare standard acknowledgements, ID check emails and final response templates
- Set up a searchable filing approach for HR and customer comms, so redaction is faster
Template wording speeds things up and ensures you tick the legal boxes. If you don’t have one yet, start with a simple, plain-English SAR template you can adapt for different scenarios.
Plan For Security And Incidents
Access rights and security go hand-in-hand. If a person asks for their data right after a suspected breach, you’ll want your records to be clear and your communications consistent with your incident plan. A concise, tested Data Breach Response Plan will help you coordinate investigations, notifications and DSARs under pressure.
Mind The Overheads
Even simple DSARs take time. Redacting third-party data from chat logs or emails can be fiddly. If requests are frequent (for instance, in HR-heavy businesses or consumer-facing services), streamline with sensible filters, consistent filing and clear templates. Where requests become repetitive or excessive, consider whether they meet the threshold for a fee or refusal - but tread carefully and document your reasoning.
Check Your Budget And Registration
Most UK businesses processing personal data must pay an annual ICO data protection fee unless an exemption applies. If you’re unsure where you stand, review the ICO categories or explore common ICO fee exemptions relevant to small organisations.
Key Takeaways
- A data subject access request is a legal right under UK GDPR and the Data Protection Act 2018 that lets individuals access their personal data and information about how you process it.
- Requests can arrive through any channel and don’t need special wording - set up a single inbox, verify identity, and start the clock the day you receive one.
- Follow a clear workflow: log, verify, search systems, review for third-party data and exemptions, compile the data and required explanations, and respond on time.
- Use exemptions carefully. You can redact third-party data, protect legally privileged content and trade secrets, and refuse manifestly unfounded or excessive requests when justified.
- Most responses are due within one month. You can extend by up to two months for complex requests but must explain the extension within the first month.
- Being DSAR-ready saves time: maintain a transparent Privacy Policy, put a Data Processing Agreement in place with processors, keep a system map and retention schedule, and prepare reusable templates.
- Document your decisions and keep an audit trail - it’s your best protection if the ICO or the requester raises concerns.
If you’d like hands-on help setting up a DSAR process, drafting a Privacy Policy, or reviewing a Data Processing Agreement with a key supplier, we’re here to help. You can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.