Data Subject Access Requests (DSAR) and Data Security

Posted On: 01/10/2019

In all aspects of our lives there are things that fill us with dread. For a manager or member of your HR team this could be a DSAR. Our advice would be to put in place some best practices on how to handle a subject access request. The worst thing to do is just hope that you’ll never receive one!

What is a DSAR

This is a request from someone asking to receive a copy of the personal data your organisation may hold on them. They may also ask for an explanation of how this data is being used, who it will be disclosed to and how long it will be retained.

It can be requested in writing, verbally and even via social media. Unfortunately, the GDPR does not specify who an individual should address their request to, so it pays to be vigilant!

This right of access to personal data is not new, but changes to how requests are to be treated came into force under Article 15 of the GDPR in May 2018. These changes are:

Be cautious

A person can only ask for their own personal data, so it is crucial that they prove that they are who they say they are. The only exception is when an authorised agent, parent or guardian makes a request on behalf of someone and has the authority to request the data.


Your initial response

Before fulfilling the request ensure the data subject has provided all the information you require such as:

A quick and efficient process

Gathering information for a DSAR can be very time-consuming, so it makes sense to have a process in place.

Be mindful that any paperwork and emails concerning the individual must be investigated too.

Reviewing data

Once you have gathered the information it must be checked before submitting it to the individual, agency, parent or guardian, as it may contain data on another subject. If the data relates to another individual you will have to seek their permission to disclose the information.

If it is not possible to gain the consent of the third party, then it may still be possible to provide some information, having edited or ‘redacted’ information that would identify the third party. Redaction can also be used to remove information which is out of scope of the subject access request because it is not the applicant’s personal data.

The formal response

The data provided to an individual must not contain jargon, codes or terms that someone outside of your organisation would not understand. Be sure to use a traceable delivery system when sending the data.

Always keep a copy of your response.

Can you say no to a subject access request?

Yes, you can. You do not have to fulfil the request if:

If, for good reason, your organisation refuses all or part of the request, you must send the requester a written refusal notice.

The Freedom of Information Act

This Act details exemptions allowing your organisation to withhold information from a requester. In some instances, your organisation will be allowed to refuse to confirm or deny if you hold the information requested. You can withhold information:

Protecting your organisation from receiving DSARs

If you do receive a DSAR it could be an indication that there is mistrust between your organisation and an employee. Many organisations will only receive DSARs when dealing with employee grievances or disciplinaries. Creating a strong and positive workplace culture where people are treated with respect and dignity and where the workforce feels trusted, valued and empowered will go a long way to prevent mistrust.

Our top tips

We’re here to help

Give our team of HR professionals a call on 0161 941 2426 if you require help with a DSAR. We can also tell you more about our MyHR System and provide you with a no obligation quote, but if you’d like to see for yourself what the system is capable of, please check out our MyHR System Demo.
