
Data Subject Access Requests (DSAR) and Data Security

Posted On: 01/10/2019

In all aspects of our lives there are things that fill us with dread. For a manager or member of your HR team this could be a DSAR. Our advice would be to put in place some best practices on how to handle a subject access request. The worst thing to do is just hope that you’ll never receive one!

What is a DSAR

This is a request from someone asking to receive a copy of the personal data your organisation may hold on them. They may also ask for an explanation of how this data is being used, who this data will be disclosed to and how long the data will be retained for.

It can be requested in writing, verbally and even via social media. Unfortunately, the GDPR does not specify who an individual should address their request to, so it pays to be vigilant!

This access to personal data is not new, but changes to how such requests are to be treated came into force under Article 15 of the GDPR in May 2018. These changes are:

Be cautious

A person can only ask for their own personal data, so it is crucial that they prove that they are who they say they are. The only exception is when an authorised agent, parent or guardian makes a request on behalf of someone and has authority to request the data.


Your initial response

Before fulfilling the request ensure the data subject has provided all the information you require such as:

A quick and efficient process

Gathering information for a DSAR can be very time-consuming, so it makes sense to have a process in place.

Be mindful that any paperwork and emails concerning the individual must be investigated too.

Reviewing data

Once you have gathered the information it must be checked before submitting to the individual, agency, parent or guardian as it may contain data on another subject. If the data relates to another individual you will have to seek their permission to disclose the information.

If it is not possible to gain the consent of the third party, then it may still be possible to provide some information, having edited or ‘redacted’ information that would identify the third party. Redaction can also be used to remove information which is out of scope of the subject access request because it is not the applicant’s personal data.

The formal response

The data provided to an individual must not contain jargon, codes or terms that someone outside of your organisation would not understand. Be sure to use a traceable delivery system when sending the data.

Always keep a copy of your response.

Can you say no to a subject access request?

Yes, you can. You do not have to fulfil the request if:

If, for good reason, your organisation refuses all or part of the request, you must send the requester a written refusal notice.

The Freedom of Information Act

This Act details exemptions allowing your organisation to withhold information from a requester. In some instances, your organisation will be allowed to refuse to confirm or deny if you hold the information requested. You can withhold information:

Protecting your organisation from receiving DSARs

If you do receive a DSAR it could be an indication that there is mistrust between your organisation and an employee. Many organisations will only receive DSARs when dealing with employee grievances or disciplinaries. Creating a strong and positive workplace culture where people are treated with respect and dignity and where the workforce feels trusted, valued and empowered will go a long way to prevent mistrust.

Our top tips

We’re here to help

Give our team of HR professionals a call on 0161 941 2426 if you require help with a DSAR. We can also tell you more about our MyHR System and provide you with a no-obligation quote, but if you’d like to see for yourself what the system is capable of, please check out our MyHR System Demo.
