By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Start Your Business Magazine
Saturday, Jul 18, 2026
  • Connect:
  • Podcasts
  • Get the Book!
  • Contacts
  • Starting Up

    Starting Up

    a guide to starting a business

    • Business Planning
    • Business Ideas
    • Startup Checklists
    • Company Formation
    Reading: Data Access Requests
    • Business Banking
    • How to Guides
    • eCommerce
    Reading: Data Access Requests
  • Funding

    Funding

    raising finance and managing cashflow

    • Start Up Funding
    • Grants
    • Business Angels
    • Venture Capital
    Reading: Data Access Requests
    • Venture Debt
    • SEIS/EIS
    • Growth Capital
    • Bridging Loans
    Reading: Data Access Requests
    • Commercial Mortgages
    • Invoice Finance
    • Merchant Cash Advance
    Reading: Data Access Requests
    Get Quotes
  • Running

    Running

    managing a small business

    • Advertising
    • Social Media
    • Email Marketing
    Reading: Data Access Requests
    • Card Machines
    • Payment Gateway
    • Payments by Phone
    Reading: Data Access Requests
    • Remote Working
    • Serviced Offices
    • Virtual Office
    Reading: Data Access Requests
  • Growing

    Growing

    scale and grow your business

    • Scaling
    • Finance
    • Technology
    Reading: Data Access Requests
    • Accounting
    • Manufacturing
    • Tax
    • Marketing
    Reading: Data Access Requests
    • Import Export
    Reading: Data Access Requests
  • SME Update

    SME Update

    the latest news and expert advice

    • Lastest
    • Business Experts
    • Blogs
    • Business Advice
    Reading: Data Access Requests
    • Interviews
    • Books
    • Events
    • Agenda
    Reading: Data Access Requests
    • Wellbeing
    • Women in Business
    Reading: Data Access Requests
Reading: Data Access Requests
Newsletter
Font ResizerAa
Start Your Business MagazineStart Your Business Magazine
  • How To
  • Books
  • Podcasts
  • Interviews
Search
  • Agenda
  • Contact Us
  • Book Review
  • Blogs
  • Finance
  • Growing Business
  • How To
  • Interviews
  • Categories
    • Marketing
    • Startups
    • Advertising
    • Market Trends
    • Tech Moves
  • Marketing
  • SME Update
  • Starting Up
  • Technology
  • Wellness
  • Contact

Trending →

Investing in ETFs

Marketing Agencies

How to Start a Building Material Business

Communicate Better

The Strawman Theory Explained

Follow US
Start Your Business Magazine > Blog > SME Update > Data Access Requests
SME UpdateTechnology

Data Access Requests

Start Your Business
Share
6 Min Read
SHARE

Demystifying Data Subject Access Requests

One year on from the introduction of the General Data Protection Regulation (GDPR) and it is becoming clear that when it comes to Data Subject Access Requests (DSAR), organisations are confused regarding a desire to balance the rights of an individual with the needs of an organisation, John Potts (Head of DPO DSAR and Breach Support) GRCI Law, outlines the essential processes that companies must put in place to avoid falling foul of DSAR breach.

GDPR Misunderstanding

While subject access requests were in place under the Data Protection Act 1998 (DPA), growing personal data awareness has resulted in a significant spike in DSAR activity – and there is a degree of resentment regarding the way individuals are now using these new data rights. However, whether a business feels the DSAR is justified is in the main irrelevant: it is the law. Companies have a legal requirement to comply with a DSAR within one month – or face the wrath of the Information Commissioner’s Office (ICO), and a potential enforcement action which could mean a fine, it will always impact on the reputation of the organisation.

This deadline applies for any DSAR, whether it is created internally or externally. Indeed, a significant proportion of the rise in DSARs is in support of employee grievance and tribunals. Many employment lawyers will now typically file a DSAR for the relevant period(s), as part of any case – whether it is an employee fighting dismissal or filing a complaint against a colleague. Companies, therefore, need to recognise that in such cases these individuals know exactly what information the DSAR should include, whether that is an email trail or meeting notes. Don’t fall into the trap of overlooking the DSAR simply because a tribunal is underway: the right process must be in place to respond to every DSAR irrespective of who makes the request or why.

As such, it is essential to put in place a process for immediately recognising a DSAR. Individuals can make requests via any medium, from Twitter to email and letter. Fail to respond within the deadline, for whatever reason, and the individual can raise a complaint with the ICO, which will then investigate. In addition to ensuring DSARs are not overlooked for any reason, a company also needs a smooth escalation process and at least one individual trained to respond to the DSAR.

Exemptions and Third Party Data

While the majority of DSARs are simple, organisations will face some that raise questions. The way third party data is handled, for example, can be a minefield. Many companies believe it is simply a case of going through all the relevant data and redacting any names other than that of the individual that has made the request. That is not the case.

For example, if ten people were in a meeting and one of those makes a DSAR, there is no point redacting the names of those other nine individuals – everyone knows they were in the meeting. However, this approach cannot be applied to CCTV records, for example. An individual may accept the existence of CCTV in a nightclub, but that does not provide implicit agreement that their presence can be shared in a response to someone’s DSAR. Or take a police custody suite: even if faces are redacted, background conversations could infringe individual rights. When it comes to third party data, DSARs will have to be considered on a case by case basis, there is no blanket response.

Furthermore, there are a number of exemptions that can be applied to DSAR, including Legal Professional Privilege (LPP) for information exchanged between an individual and legal representative, as well as information relating to company finances or national security. The ICO will look at each exemption on a case by case basis and it is therefore essential to ensure each DSAR is annotated with the relevant exemption.

Conclusion

Failure to respond quickly to a DSAR is not going to automatically incur the huge fines associated with data theft. However, it is still a breach of GDPR and the ICO is not going to go easy on organisations that fail to put in place the right processes. DSARs are becoming a fact of life for every organisation; individuals know their rights and, as the rise in employee grievance inspired DSARs reveals, they are actively looking to use the new legislation to support their cause.

For any organisation process is key: monitor all incoming communication channels for DSARs and escalate quickly, the clock starts when the company receives the request. Put in place good professional support for any complex cases that may require exemption or redaction. And, critically, think hard about data retention strategies. The whole aim of GDPR is to make companies consider their data resources and move away from storing data for the sake of it. Only retain data that is relevant and you have a lawful reason for processing put in a place a retention policy with strong methods for recording, extracting and redacting if needed.

TAGGED:header
Share This Article
Facebook Copy Link

You Might Also Like ↷

The Wolves of Westminster

December 14, 2018

Health Plan

June 2, 2022

Business Booths:

November 9, 2020

How Technology Is Enhancing Businesses Everywhere

January 26, 2023
  • RSS
  • Terms And Conditions
  • Privacy Policy
  • Contact
  • Licensing
  • Contacts
  • Cookie Policy

Start Your Business Magazine: The Ultimate Business Start Up Guide provides information advice and guidance for entrepreneurs and new business start ups. Get the latest from us delivered directly to your inbox.

Start Your Business Magazine
  • Store
  • Features
  • Book
  • Trending
  • Topics
FacebookLike
XFollow
InstagramFollow
YoutubeSubscribe

Copyright 2026 Gambit Interactive Media Limited – All Rights Reserved.

Manage Cookie Consent
We use technologies like cookies to store and/or access device information. Cookies are used for ads personalisation We do this to improve browsing experience as well as show personalized ads. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
Go to mobile version