According to the UK GDPR, the “data subject” (individual/person) has the right to access any personal data that the “data controller” (organisation) holds on them. This is more commonly known as a data subject access request (DSAR). With a DSAR, data subjects can also check how their data is being used, including if it is being used lawfully.
There are a number of reasons why someone may submit a DSAR. The most common would be because they are unhappy or unclear on how and why their information is being used. In most cases, after receiving a DSAR, an organisation must provide copies of the requested information. DSARs are an important tool that helps to uphold an individual’s rights, so let us explore the “right of access” and its limitations.
A data subject’s request may refer to specific details or may ask for a full list of all the information an organisation holds about them. In the latter case, sifting through large amounts of information can be challenging. Therefore, the first step in acting on a DSAR is to determine what information counts as “personal” under the UK GDPR and whether the information requested falls within that definition.
The organisation can redact any private information that is not within the scope of the DSAR. It is also not obliged to share every piece of information that refers to or mentions the data subject in question, such as internal memos or sales figures. Most importantly, the organisation must leave out any personal information about other data subjects, since disclosing it would itself be a data breach.
Taking the above into account, the organisation will provide the data subject with the requested information along with other relevant supporting documents and materials.
Article 15 (right of access) of the UK GDPR stipulates that individuals/data subjects have the right to request copies of any personal data that is being processed. The right of access covers a few different aspects:
If their personal data is being processed, the following additional information:
Data subjects can request a copy of their personal data at any time, and organisations are normally required to provide it. However, organisations may refuse a DSAR under certain circumstances.
If a request is found to be “manifestly unfounded or excessive” (i.e., with no real purpose or made with the intention of disrupting the organisation), the data controller (organisation) may refuse to act on it, as stated under Article 12(5) of the UK GDPR. However, this is rarely the case, and the controller must be able to demonstrate it in order to justify rejecting a request.
Additionally, the right to obtain a copy of the requested information “should not adversely affect the rights or freedoms of others”, according to Article 15(4) of the UK GDPR. This means that the personal and sensitive information of other data subjects must be protected when acting on a request.
Anybody can submit a DSAR. This includes, but is not limited to, employees, users, donors and contractors. Data subjects do not need to state a reason for submitting a DSAR, but are required to verify their identity and provide any details that can help in locating the information they have requested. If an organisation stores your personal data, it is within your right to submit a DSAR.
A person may also submit a DSAR on behalf of someone else under the following circumstances:
In such cases, the person making the request may be asked to provide evidence of this relationship, such as power of attorney documentation, a birth certificate or guardianship paperwork.
There is no specific format to follow when submitting a DSAR—data subjects can make the request verbally, by email, by letter or even through a social media post.
An individual does not have to say they are making a DSAR for it to be a valid request. However, if they want to submit a DSAR, these are the basic steps they could take to make the process smoother:
Now let us take a look at how the controller (organisation) may respond to the request and the steps involved in this process.
Similar to submitting a DSAR, there is no set way to handle one. However, the following steps are considered standard across the industry:
Verify the requester’s identity so that the right information is shared with the right person; sending it to the wrong person is a data breach.
Review the request and the type of information being asked for, and decide whether you need more than a month to respond to the subject (if complex, you can extend the deadline by a maximum of two additional months).
Make sure the information does not contain the personal details of other data subjects, and check whether any of it is otherwise exempt under the law.
Compile the requested information into an accessible file type, ideally available via remote access to a secure system, and provide reasoning in the case of withheld information.
Remind subjects of their rights—mention the right to objection, rectification, and lodging a complaint with a supervisory body.
Document all communication for auditing purposes and to hold the organisation accountable.
Data controllers are not obliged to share every piece of information requested by the data subject, and they must take care that personal data about other data subjects is not compromised as a result. The process of responding to a DSAR may vary between organisations, but the points above must be adhered to.
Managing DSARs efficiently requires a solution that automates repetitive tasks and ensures compliance with UK GDPR. AI-driven workflows simplify the process by reducing manual effort, enabling your organisation to respond accurately and on time.
These workflows help minimise risks by ensuring consistency and reducing the chance of human error. By adopting AI-powered tools, your organisation saves valuable time while maintaining regulatory compliance.
Responding to a DSAR might seem straightforward, but poor governance and fragmented data management can make it a complex and time-consuming task.
That’s where AI-driven workflows come in, streamlining the process to save time and minimise risk. DataGuard combines intelligent automation with human expertise to take the pressure off your team, reducing manual effort while enhancing your security posture.
By adopting strong data governance policies and efficient workflows, you can ensure compliance with ease. Explore how DataGuard can transform your approach to DSAR management.
According to Article 15(3) of the GDPR, the initial copy of the data requested in a DSAR must be provided to the individual free of charge. However, organisations may charge a reasonable fee for any additional copies requested by the data subject.
Some important information that you should include in a DSAR is:
If a data subject does not receive a response, they have the right to file a complaint with the ICO. However, the first step should be to file a formal complaint with the organisation. This is typically done in writing, such as through a letter or email. If they are still unhappy with the response and feel that the requested data should be provided, they can then complain to the ICO.
The organisation must respond to a request as soon as possible, and at the latest within one month of the date the request was received. This may be extended to a maximum of three months in total, but only in exceptional circumstances.
Public information about organisations and governments doesn’t count as personal data. However, if there is information that can be used to directly identify stakeholders within the organisation, then that is classified as personal data. Stakeholders may include employees, partners or directors.