Definition
A formal request made by an individual to an organisation to obtain a copy of the personal data held about them, along with information about how and why it is being processed. Under UK GDPR, organisations must respond within one calendar month.
UK Context
The UK GDPR and Data Protection Act 2018 give individuals the right to access their personal data. Employers must provide the information free of charge within one month, with a possible extension of two months for complex requests. The ICO can take enforcement action for non-compliance.
Best Practices
- Have a clear internal process for handling DSARs with designated responsibility and escalation paths
- Train managers to recognise DSARs, which can be made verbally or in writing without using specific terminology
- Conduct a thorough search across all systems including emails, HR records, notes, and CCTV where relevant
Frequently Asked Questions
How long does an employer have to respond to a DSAR?
One calendar month from receipt. If the request is complex, or if numerous requests have been received, the deadline can be extended by a further two months, but the individual must be informed of the extension within the first month.
Can an employer refuse a DSAR?
Only in limited circumstances, such as if the request is manifestly unfounded or excessive. The employer can also redact information that identifies other individuals unless those individuals have consented. The burden of proving a request is excessive falls on the employer.