.A Data Subject Access Request, or DSAR, is any request made by an individual for their own personal data. While they are quick and easy for an individual to make, many long hours and significant resources from your organisation will be needed in order to properly respond.

Personal data is broadly defined as any information relating to an individual who can be identified from that information, or in combination with other information, that your organisation possesses. This means that the information does not have to refer to an individual by name, so long as they can be identified by other means, for example, their initials or ID number. Personal data includes information that may be known to the individual or that is within the public domain. Importantly, personal data also includes any recorded opinion of that individual.

Since the GDPR[1] came into force, there has been a growing understanding and awareness of our individual rights when it comes to our personal data. With that, the Information Commissioner’s Office (ICO) has seen a steady increase of data-related concerns and complaints from May 2018. The most frequently received category of complaints continues to be DSARs which make up approximately 46% of UK GDPR casework received by the ICO, and of the data protection complaints received by the ICO 462 related to the charitable and voluntary sector (https://ico.org.uk/media/about-the-ico/documents/2620166/hc-354-information-commissioners-ara-2020-21.pdf).

While DSAR complaints continue to increase in numbers and the deadline to respond remains fixed despite practical delays brought on by COVID-19, DSAR awareness and know-how will be crucial to your organisation now and in the future.

This DSAR guide is intended to provide a list of common pitfalls when dealing with DSARs and how to improve your organisation’s response before it becomes an issue.