How to effectively manage data subject access requests

It was recently reported that data subject access requests (DSARs) are costing UK organisations between £72,000 and £336,000 per year. However, you can’t charge for them, and you are legally obliged to comply: a costly process, particularly if your organisation receives a large volume.

The Data Privacy Group also reports that large UK organisations handle anything from six to 28 DSARs a month, with a significant rise in employee DSARs due to an increase in redundancies during the Covid-19 pandemic. This has had a significant impact on human resources and IT teams. There has also been a rise in customer requests where employees are submitting DSARs prior to a tribunal hearing as it provides an inexpensive way to gather evidence that may support their cause.

With employee GDPR training now standard practice in most organisations, knowledge of data protection rights is growing. Employees understand their rights, are increasingly challenging misuse of their personal data, and are willing to enforce those rights, including the right of access.

How to respond to a DSAR

Collating the data needed to respond to a DSAR is often challenging because of the number of documents, varying formats, and data assets involved. Most organisations hold a lot of information, located across multiple databases and in different formats, and gathering it all puts a strain on resources.

Smart tools with full audit trails and encryption streamline workflows and reduce the time spent on each request.

Six top tips for managing DSARs


  1. Make sure you complete it in 30 days

    In most cases, you have just one month to respond to requests. If the case is complex, or the subject has made several requests, you can extend the deadline to two months, but you must notify the subject with justification.

  2. Don’t request payment

    Although DSARs take up valuable time and resources, you cannot legally charge someone for making a subject access request.

  3. Remove sensitive data

    When responding to a DSAR, you must redact personally identifiable information (PII) about third parties.

  4. Follow best practice and prepare for an audit

    As part of your DSAR response, you will need to demonstrate that you’ve handled the process securely from start to finish and, if requested, provide a full audit trail.

  5. Comply to reduce the risk of fines and reputation damage

    The Information Commissioner’s Office (ICO) oversees the handling of subject access requests, and failure to comply can lead to penalties. The maximum fine in the UK for a serious breach of the DPA is £500,000, and failure to comply with the DSAR requirements could cost a data controller the higher 4% of annual global turnover for the previous financial year.

  6. Introduce an effective data retention policy

    This greatly reduces the volume of employee personal data you hold, and while the law dictates how long you must hold some records, it is your responsibility to manage this.


Manage your DSARs better to release time and budget

Creating a successful process for managing DSARs not only ensures that you are compliant, it also saves your organisation time and money and improves trust between the company and your employees.

Chat to our governance, risk, and compliance team today for support with your current DSARs or guidance on creating a strategy for managing them.



Tracey Hannan-Jones

Tracey is Phoenix's Lead GRC Consultant, with over 25 years' experience across Technical Information Security, Data Governance, and Compliance and Auditing.
