Data Subject Access Request Policy and Procedure

Understanding Data Subject Access Requests (DSARs)

A DSAR allows individuals to request access to their personal data held by organisations. It’s essential for organisations to have clear policies and procedures in place to handle DSARs promptly and securely.

Developing a DSAR Policy

  • Policy Objectives: Define the purpose of the DSAR policy, emphasizing compliance with GDPR principles, transparency, and protecting individuals’ rights.
  • Legal Framework: Outline legal obligations under GDPR and the Data Protection Act 2018 regarding DSARs, including timeframes for response and exemptions.

Implementing DSAR Procedures

  • Receiving DSARs: Establish methods for individuals to submit DSARs and ensure procedures for verifying the identity of requesters to safeguard personal data.
  • Processing DSARs: Detail steps for locating and retrieving relevant personal data, reviewing for accuracy, and assessing whether exemptions apply.

Legal Considerations and Exemptions

  • Exemptions: Discuss circumstances where organisations may refuse or limit disclosure of personal data, such as legal privilege or third-party confidentiality.
  • Timeframe for Response: Clarify the obligation to respond to DSARs without undue delay and within one month, with provisions for extension in complex cases.

Ensuring Compliance and Best Practices

  • Training and Awareness: Provide training to staff responsible for handling DSARs to ensure they understand legal requirements and maintain confidentiality.
  • Data Security: Emphasise measures to secure personal data during processing and transmission, mitigating risks of unauthorized access or disclosure.


A well-defined DSAR policy and procedure are essential for organisations to uphold individuals’ rights under GDPR while ensuring data protection and compliance with legal obligations in England and Wales. By implementing robust policies and procedures, organisations can effectively manage DSARs and maintain trust with stakeholders in handling personal data responsibly.

What is a Data Subject Access Request (DSAR)?

A DSAR is a legal right under GDPR for individuals to request access to their personal data held by organisations.

How do I submit a DSAR?

You can submit a DSAR verbally or in writing, including via email or through a designated form provided by the organisation.

What information do I need to provide when making a DSAR?

Include your full name, contact details, and any specific details or documents you are requesting access to.

How long does an organisation have to respond to a DSAR?

Organisations must respond without undue delay and within one month of receiving the request. This can be extended by two months for complex requests, but you must be informed within one month of receiving the request.

Can an organisation refuse to comply with a DSAR?

Yes, an organisation can refuse a DSAR in certain circumstances, such as if it is manifestly unfounded or excessive, or if it involves disclosing information about another individual.

Are there any fees associated with making a DSAR?

Generally, organisations cannot charge a fee for fulfilling a DSAR unless it is manifestly unfounded or excessive. They must inform you if they plan to charge a fee.

What should I do if I am not satisfied with the organisation’s response to my DSAR?

If you are not satisfied, first raise the issue with the organisation. If unresolved, you can lodge a complaint with the Information Commissioner’s Office (ICO).

What type of personal data can I expect to receive in response to a DSAR?

You can expect to receive information such as your contact details, financial information, employment history, and any other personal data held by the organisation, unless exemptions apply.

How can organisations ensure compliance with DSAR requirements?

Organisations should have clear procedures in place for handling DSARs, including verifying the identity of the requester, locating and retrieving relevant data, reviewing for exemptions, and securely communicating the response.

Where can I find more information about DSARs and my rights under GDPR?

For more information, visit the Information Commissioner’s Office (ICO) website or consult legal advice to understand your rights and obligations under GDPR regarding DSARs.

Edward Davis
Latest posts by Edward Davis (see all)