Data Subject Access Request (Complete Employers’ Guide)

UK Immigration Blog

Employees or former employees in a company may need their employers to give them information that they have in their records regarding them. These individuals can request this information from their employers. This request is known as a “Data Subject Access Request,” or DSAR.

So, why is DSAR important? DSAR grants individuals and employees the right to request access to their personal data held by an organisation. As an employer, you may receive DSARs from current or former employees seeking their data. Failing to handle a DSAR correctly can have significant legal implications for your organisation.

In this guide, I will walk you through what a DSAR is, why it’s essential to handle it correctly, its legal implications, and how to process DSARs effectively. I will also give you helpful tips on how to avoid mistakes while processing DSARs and how to enhance your system for handling these requests with minimum risk.

What Can The Employee Request And What You Can Do As An Employer?

When a current or former employee makes a Data Subject Access Request (DSAR), they have the right to receive a copy of any personal data related to them held by your organisation. This includes any information that can identify them, like their name, address, email, employment history, and financial details.

These requests also cover sensitive data categories such as race, ethnicity, health, or religious beliefs, which require additional protection under data protection laws.

Employers must comply with a DSAR and provide the employee with the required information within a specific time frame, usually within one month of receiving the request. 

Remember that personal data only related to the person who made the request should be provided, and personal data identifying other employees, customers, or third parties should not be disclosed.

DSARs allow individuals to access their personal data held by organisations and verify its accuracy, currency, and lawful processing.

Individuals have the right to access, correct, and erase this data if necessary, and organisations must comply with these requests as part of their obligation to safeguard an individual’s privacy.

It’s important to remember that individuals can make a DSAR for any reason, and they do not have to justify their request. However, organisations can refuse to comply with a DSAR if it is malicious in intent or excessive. But any such decision must be carefully justified and documented. 

Check out: Check Your EU Settled Status

Why It’s Essential To Handle DSARs Correctly?

Employers must effectively handle DSARs to comply with data protection laws and safeguard their organization from legal consequences.

Properly managing DSARs is extremely important for employers to ensure data protection laws are complied with and protect their organisation from legal fallbacks. It is important to handle DSARs correctly to avoid severe financial penalties, harm the organisation’s reputation, and reduce employee confidence.

Properly handling DSARs is also essential for building and maintaining employee trust and demonstrating the organisation’s commitment to data protection. Employees have the right to know what personal data is being held about them and how it is being processed. 

Failure to fulfil a DSAR can result in a loss of employee trust, a decrease in morale, and a negative impact on the organisation’s reputation.

The Data Protection Act 2018 states that the individual has the right to request all personal data from their employer. Other requests that the individual can make include their records in HR, their pension records, or even references to them made by other staff in a documented form. 

The reason individuals are granted this access is for them to know what data is being held about them and how their employer is using that data.

The individual has the right to request access to any personal data, and the employer must provide it. Severe legal consequences will be imposed on the employer if they fail to provide the requested information, despite the individual asking for it.

One of the most significant legal implications of improperly managing a DSAR is the risk of violating the General Data Protection Regulation (GDPR). The GDPR has set strict guidelines for businesses to adhere to when handling personal data. If these requirements are not followed, there could be financial penalties, including fines of up to €20 million or 4% of the global annual turnover, whichever is higher.

However, the employer has the upper hand if he suspects the request is being made with criminal intent. He has the right to refrain from giving out the requested information, provided he has a strong foundation for why he believes disclosing the information could lead to malicious consequences.

Common Mistakes When Dealing With Data Subject Analysis Request

Employers often need to correct their mistakes when dealing with DSARs that can lead to legal issues or harm their reputation. Here are some blunders to avoid:

1. Neglecting or procrastinating a DSAR

Organisations are legally required to respond to DSARs on time. If the organisation delays or procrastinates in processing these requests, it can lead to legal problems and harm the organisation’s reputation.

2. Not validating the requester’s identity

Organisations must verify that the person to whom the data is being provided is actually the person to whom the data belongs or a known accomplice. Failing to do so can result in the dangerous disclosure of personal data about that person to someone else.

3. Supplying inaccurate or incomplete personal data

Organisations should ensure that the personal data provided in response to a DSAR is correct and comprehensive. Providing accurate or complete personal data can lead to legal issues and damage the organisation’s reputation. Companies should also keep track of their records regularly in this regard.

4. Revealing excessive personal data

Organisations should disclose only relevant personal data in response to a DSAR. Revealing too much personal data can lead to the unauthorised disclosure of personal data and harm the organisation’s reputation. It also leaves the organisation’s internal affairs vulnerable to the business’s economic rivals.

5. Not complying with data protection laws 

Organisations must follow data protection laws to the letter when responding to DSARs. Failing to do so can lead to legal issues and harm the organisation’s reputation.

To prevent these problems, organisations should have clear policies and procedures for handling DSARs. Organizations should train employees on these policies and procedures and conduct regular audits to ensure adherence to them.

By avoiding these common mistakes, organisations can properly respond to DSARs and safeguard the personal data of their employees and customers.

Role of Data Protection Officers (DPO)

To help themselves keep track of records and process DSARs properly, employers hire Data Protection Officers (DPOs). Data protection officers (DPOs) are critical in helping organisations comply with data protection regulations and appropriately handle data subject access requests (DSARs). 

Here are some key responsibilities of a DPO:

1. Advising the organisation on data protection regulations

DPOs are experts on data protection regulations and advise and guide the organisation on how to comply with them. They ensure that laws and regulations on the subject back every piece of advice of theirs.

2. Monitoring compliance with data protection regulations

Other unrelated parties to the matter must not have access to the data while processing DSARS. Failure to do so will require dealing with the situation in court. DPOs should monitor the organization’s compliance with data protection regulations and identify areas for improvement.

3. Training employees

The employees must be trained on how to come forward with their DSAR requests. DPOs should provide training to employees on data protection regulations and how to handle personal data appropriately.

4. Responding to Queries

Most employees have queries regarding DSARs, and they need someone to discuss how to move forward with their request. DPOs should serve as a point of contact for these individuals and respond to any concerns or questions about the organisation’s use of their personal data with all their knowledge.

5. Conducting audits: 

DPOs should conduct regular audits to ensure that the organisation complies with data protection regulations and handles personal data appropriately.

Overall, the role of a DPO is to ensure that the organisation is complying with data protection regulations and handling personal data appropriately. By having a DPO in place, organisations can improve their data protection practices and better respond to DSARs.

Role of Technology in DSAR

Technology has played a positive role in processing DSARs while complying with data protection laws. Here are some ways you can use technology to manage DSARs:

1. Automated processes

Technology can automate the DSAR process, making it more efficient and quicker. Organisations can use software to monitor and manage DSARs to reduce the risk of mistakes or delays.

2. Data management

Technology can aid in efficiently managing personal data, allowing organisations to respond to DSARs more accurately and quickly. Data management systems can ensure the secure storage of personal data and restrict unauthorised access.

3. Artificial intelligence

By analysing personal data, artificial intelligence (AI) can help identify privacy risks. It can improve organisations’ responses to DSARs and ensure proper handling of personal data.

4. Self-service portals

Organisations can offer individuals self-service portals to access and manage their personal data. Self-service portals can reduce the number of DSARs received, making it simpler to handle them.


To conclude, organisations need to understand and fulfil their obligations regarding data subject access requests (DSARs) under data protection laws. This involves having proper procedures in place to respond to DSARs promptly and accurately and providing individuals with clear information about their personal data.

Organisations can employ Data Protection Officers (DPOs) to handle Data Subject Analysis Requests properly. They can advise the company on how to set policies for DSARs and how to move forward with the requests in a legal manner. They can also help train employees on how to come forward with their requests. 

Furthermore, employers need to stay informed about technological advancements such as automation and artificial intelligence can assist in managing DSARs. Employers should also be aware of the data protection officer’s (DPO) role in ensuring compliance with data protection laws.

By fulfilling their obligations under DSARs, organisations can establish trust with their employees and demonstrate their commitment to safeguarding personal data.

Frequently Asked Questions (FAQs)

What is a “Data Subject Access Request”?

A Data Subject Access Request (DSAR) is a request made by an individual to access or receive a copy of the personal data that an organisation is holding. The request can also include information about how their personal data is being used, with whom it is being shared, and any other relevant information.

Who can make a DSAR?

Any individual whose personal data is in the hands of the organisation can make a DSAR. This includes employees, customers, clients, and any other individuals who have had their personal data collected and processed by the organisation.

What information can be requested in a DSAR?

An individual can request any personal data that is being processed by the organisation, as well as information about how their data is being used, who it is being shared with, and any other relevant information. This can include names, addresses, phone numbers, email addresses, financial information, medical information, and more.

What is the timeframe for responding to a DSAR?

Under the General Data Protection Regulation (GDPR), organisations have one month to respond to a DSAR. This can be extended to two months in certain circumstances, but the individual must be informed of the extension within one month of the request being received.

What should an organisation do if it cannot fulfil a DSAR?

If an organisation cannot fulfil a DSAR, it must provide a reason why and inform the individual of their right to complain to the relevant data protection authority. The organisation must also provide any other options available to the individual, such as a partial response or a revised timeframe for fulfilling the request.

Avatar photo
Teresa Aldridge
Rate author
VisaHelpUK - UK Immigration and Visa Application Advice Service
Add a comment