UK DSAR Glossary

A comprehensive guide to key terms related to Data Subject Access requests in the United Kingdom

Complaints: Previously, individuals who were not satisfied with their DSAR response would complain directly to the ICO. Under the Data (Use and Access) Act [DUAA], organisations are required to establish formal internal complaints procedures. An individual must first exhaust this internal process and receive a response from the data controller before they can escalate the matter to the ICO. Data controllers have to acknowledge complaints within 30 days and respond 'without undue delay'.

Data controller: The entity that determines the purposes and means of processing personal data. In other words, the organisation that holds and processes the personal data of an individual. There can be more than one controller for the same personal data.

Data processor: An entity that processes personal data on behalf of the controller. This means that they receive instructions from the controller (an organisation) and process personal data only as instructed. If they start to act independently, they become data controllers in their own right. They must have a binding contract in place with the data controller and assist with data security obligations, breach notifications, and data protection impact assessments.

Data subject: The identified or identifiable living individual to whom personal data relates. Regarding DSARs, this is an individual seeking access to their personal information (so could be an employee or a customer).

Data (Use and Access) Act 2025 [DUAA]: Amends the UK GDPR and the Data Protection Act 2018.

Data Protection Act 2018: Legislation which replaced the Data Protection Act 1998 and forms the UK data protection framework together with the UK GDPR.

Disproportionate effort: Under DUAA, when responding to a DSAR, organisations can assess whether the time and cost spent on responding would be disproportionately high compared to the benefit to the individual of gaining access to the personal data. What is regarded as disproportionate effort depends, among other things, on the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing.

DSAR/SAR [Data Subject Access Request / Subject Access Request]: The right for an individual under the UK GDPR and the Data Protection Act 2018 to obtain a copy of their personal data from an organisation.

Enforced DSAR: This means that an organisation is requiring a person to make a subject access request to gain access to certain information about them (for example convictions or health records, to then be used for a certain purpose such as an insurance application). Forcing a person to make a DSAR in such circumstances is a criminal offence.

eDiscovery: This refers to the process of identifying, preserving, collecting, and reviewing electronic data for legal proceedings. eDiscovery tools are useful to ensure that no confidential, legally privileged, or third-party personal data is inadvertently disclosed.

Exemptions: Organisations do not need to comply with a DSAR if doing so would reveal personal data of another identifiable individual. Other exemptions available relate to crime, law enforcement, and taxation: information can be withheld if releasing it would be likely to prejudice:

  • the prevention or detection of crime;
  • the apprehension or prosecution of offenders; or
  • the assessment or collection of tax or duty.

Also, organisations do not need to release personal data that is part of confidential communications between a client and their legal advisors regarding legal advice or pending litigation, or if the data is processed to perform functions designed to protect the public. Personal information is exempt from the right of access if it’s used for carrying out a function relating to legal services, the health service and children’s services.

Sometimes, an exemption applies if personal information is used for:

  • scientific or historical research purposes; or
  • statistical purposes.

Note that this exemption only applies to the extent that complying with the DSAR would prevent or seriously impact meeting these purposes. Archiving in the public interest may also be exempt. The same applies to processing of personal information for the purpose of management forecasting or management planning, or for providing a confidential reference. Finally, personal information may be exempt from the right of access if an organisation processes it for:

  • journalistic purposes;
  • academic purposes;
  • artistic purposes; or
  • literary purposes.

Exemptions are applied on a case-by-case basis. Consult the ICO website for more detailed information (under review due to the Data (Use and Access) Act 2025).

Fees: DSARs must generally be provided free of charge. Organisations can only charge a "reasonable fee" for administrative costs if a request is manifestly unfounded, excessive, or repetitive – meaning requests for multiple copies of the same information. There is no clarification as yet on what would be “reasonable”.

Format of request: Individuals can make DSARs verbally or in writing, including via social media.

ICO: The Information Commissioner’s Office is the UK’s data protection regulator.

Identity verification: Organisations need to know the requester’s identity and that the information they hold relates to the person in question. Often the requester’s identity is already known (e.g. an existing customer). In other cases, organisations can request formal ID documents, or verify identity by other means, for example by cross-checking details, such as date of birth, against existing records.

Joint data controllers: When a data controller determines the purposes and means of processing jointly with others. This means that they are processing personal data for the same or shared purposes.

Manifestly unfounded or excessive: The Data (Use and Access) Act 2025 [DUAA] amends the Data Protection Act 2018 by clarifying that controllers may refuse a DSAR if it is manifestly unfounded or excessive. A request can be deemed excessive if there are repeated requests for the same information to be delivered in different formats.

Penalties: Failure to comply with a DSAR may result in fines up to £17.5 million or 4% of a business's total annual worldwide turnover, whichever is higher. In practice, individuals often seek court orders and compensation for distress.

Personal data: Under the UK GDPR, personal data is any information relating to an identified or identifiable living person. An identifiable living person is one who can be identified directly or indirectly by reference to an identifier. This can for example be names, addresses, identification numbers, location data, or online identifiers like IP addresses.

Pseudonymised personal data remains personal data and within the scope of the UK GDPR. Data that has been anonymised is not subject to the UK GDPR.

The Data (Use and Access) Act [DUAA], which was adopted on 19 June 2025, does not change the core legal definition of "personal data" in the UK. The UK data regulator, the ICO, will issue updated guidance later in 2026 to reflect the amendments in the Data (Use and Access) Act 2025 that affect DSARs (for example "reasonable and proportionate" searches).

Processing of personal data: Processing of personal data means any action taken on data, including collection, storage, retrieval, disclosure, or destruction. This applies to automated processing of personal data (electronic) and manual processing if the data is part of a structured filing system. In other words, paper files are included if they are organised in a way that allows easy access (e.g., HR files in a filing cabinet).

Reasonable and proportional search: Under the Data (Use and Access) Act 2025 [DUAA], organisations are only required to conduct a “reasonable and proportional search”. This places limits on the scope of searches, easing the burden of exhaustive, costly searches.

Redaction: When responding to a DSAR, redaction often becomes essential to remove third-party personal data from the response. Redaction ensures third-party confidentiality, adheres to data minimisation principles, and balances transparency with privacy. Redaction must be permanent and irreversible.

Refusal: Organisations may refuse a DSAR if providing the information is impossible or would involve a disproportionate effort. Organisations must inform the requester that they have a right to complain to them, and to the ICO. They must also keep documentation should they have to demonstrate to the ICO how they came to this decision. The burden of proof rests entirely on the organisation.

Request made by someone else: It is possible that an individual will ask a third party (e.g. a relative or solicitor) to make a DSAR on their behalf. In this case, organisations need to ensure they are entitled to act on the person’s behalf.

Response time: Organisations should respond to a DSAR as soon as possible but have a month to respond unless they need clarification from the data subject (individual). Organisations need to inform the data subject whether or not they process any personal information on them and provide copies. The calendar month is calculated from the date of receipt even if that day is a weekend or public holiday. It ends on the corresponding calendar date of the next month.

Right to erasure: Also known as the "right to be forgotten," this right allows individuals to request the deletion of their personal data. However, this is not an absolute right and does not apply, for example, if an organisation needs to process the data to comply with a legal obligation. Importantly, if the data is processed for direct marketing purposes and the individual objects to that processing, the right to erasure applies. Organisations also need to pay special attention to erasure requests from children.

Special category data: The DPA 2018 and UK GDPR define "special category" data, which requires higher protection, such as racial or ethnic origin, political opinions, health data, sexual orientation and biometric data. Under the Data (Use and Access) Act 2025 [DUAA], the government may later by regulations add new categories of special category data.

Stop the clock: The Data (Use and Access) Act 2025 [DUAA] allows controllers to pause the one-month deadline for responding to a DSAR. This is for the purpose of verifying the identity of the individual, or of seeking clarification of the scope of the request. The one-month time limit is paused until the information is received.

Extensions for up to two months are possible where the request is especially complex or there are multiple requests. In other words, the maximum time allowed to respond to a DSAR is three months (in some circumstances).

Sub-processor: When a data processor sub-contracts all or some of the data processing to another processor.

Supplementary information: In addition to the copy of their personal data, individuals are also entitled to supplementary information such as how their data is processed, what purposes it is processed for and how long it is kept.

Third-party data: Personal data belonging to individuals other than the requester. To release such data, check that the third party has consented or would reasonably consent to having their information shared with the requester.

Time limits: A DSAR response must be sent within one calendar month from receipt. An exception to this is when the organisation can ‘stop the clock’ to seek further clarification.

UK GDPR: The UK GDPR, together with the Data Protection Act 2018, and the Data (Use and Access) Act [DUAA] form the key UK data protection legislative framework. UK GDPR is a version of the EU GDPR adopted after UK Brexit. The UK GDPR is largely consistent with the EU GDPR.

Valid request: A DSAR can be received in any format, e.g. in writing, verbally or on social media. There is no specific wording required for the request, but an organisation needs to be aware of the identity of the requester and have all of the information available that is needed to provide the information requested.

This information does not constitute legal advice.
