
What is a data subject access request?


5th June 2025


A data subject access request (DSAR) is a formal request made by an individual to access the personal data that your organisation stores about them.  

Under the UK GDPR and the Data Protection Act 2018, this is a legal right which businesses must respond to within a strict timeframe.  

For HR professionals, DSARs are a common occurrence. They often arise during grievances, workplace disputes, or prior to Employment Tribunals, making it critical to understand how to respond quickly, accurately, and legally. 

In this blog post, we’ll break down the legal basis for DSARs, the types of information they cover, the procedure for handling them, key exemptions, common pitfalls, and how we can help. 

The legal basis for DSARs

Anyone can submit a DSAR, whether they are a current or former employee, a job applicant, or someone who has simply interacted with your company. There is no formal process required. 

Requests can be submitted in writing, via email, or through social media channels. The key requirement is that the request be clear enough for the organisation to understand what is being asked. 

Once a valid request is received, the organisation is legally required to respond within one calendar month. 

In some cases, the deadline can be extended by two months, but only if the request is particularly complex or involves multiple data sets. Whichever of these applies, the requester must be notified of the extension in writing, within the original one-month period, along with a clear explanation of why it is needed.

Failure to meet the legal requirements of a DSAR may result in complaints being filed with the Information Commissioner’s Office (ICO). In more serious cases, it may lead to legal action, fines, or reputational damage. 

Types of information covered by a DSAR

When responding to a data subject access request, it’s essential to understand what information must be disclosed.  

The most obvious examples in an HR context are: 

  • Personnel files 
  • Employment contracts 
  • Appraisal and performance reviews 
  • Grievance or disciplinary investigation notes 
  • Emails (including internal messages where the individual is named or discussed) 

However, there are some less obvious sources of personal data that should not be overlooked. These may include: 

  • Instant messages on platforms like Microsoft Teams or Slack 
  • Meeting notes 
  • Handwritten records kept in personal notebooks 
  • Calendar entries mentioning the individual 
  • Screenshots or attachments stored in digital archives 

That said, not all of this information should be shared without consideration.

If the requested documents include references to other people, those parts must be redacted unless the third party’s consent is obtained. 

Where redaction is not possible or would jeopardise someone else’s privacy, the information may have to be withheld entirely, but this must be justified and clearly documented. 

Step-by-step DSAR handling process

Managing a data subject access request does not have to be difficult, as long as you follow a structured procedure.  

Here’s a practical breakdown of each key stage: 

Log the incoming request

When you receive the request, create a formal record straight away.  

Note the date it was received, how it was submitted, and the requester’s full name and contact information. This starts the countdown to your response timeframe. 

Confirm the requester’s identity if needed

Ensure that the person making the request is who they claim to be.  

If there is any uncertainty, for example when the request arrives from an unfamiliar email address or is vague about who is actually making it, ask for suitable ID before releasing anything, so that personal data is not disclosed to the wrong individual.

Clarify the focus of the request 

Although individuals have the right to request all personal data held about them, large or complex cases may benefit from clarification on the scope of their request.  

Politely ask whether they can narrow the request to particular timeframes, topics, or document types, which makes the search more efficient without removing their right to the data.

Assign responsibilities within your team

DSARs often require input from multiple departments.  

Allocate clear roles early on, for example, HR may handle employee records, IT may be responsible for retrieving digital files, and legal may review for compliance.  

You should ensure that all parties involved are fully aware of the overall deadline to avoid any delays.


Locate all relevant data 

Take a comprehensive view of where personal data could be stored.  

This includes inboxes, instant messaging platforms, shared folders, archived files, and any third-party systems you use for HR, payroll, or communications. 

Retrieve and compile relevant records

Once all data sources are identified, begin retrieving information that relates specifically to the requester.  

Don’t overlook informal records such as internal notes or calendar entries; as mentioned earlier, these may still constitute personal data.

Review for references to other people

Determine whether third parties are named or identifiable. You must redact names or obtain consent before including this information.  

Always strike a balance between transparency and the obligation to respect others’ privacy. 

Review for lawful exemptions

The UK GDPR allows certain content to be withheld in certain circumstances, which we will discuss later in this blog post.

Use these exemptions with caution, document your reasoning, and be prepared to explain them if challenged. 

Prepare the disclosure pack

Organise the information logically and make it easy to understand.

Redact anything that should not be disclosed and consider adding brief explanations where the content appears confusing or incomplete without context. 

Send the response securely 

Send the final disclosure using a secure method, such as encrypted email or password-protected files.  

Include a clear cover letter summarising the contents, referencing the original request, and providing contact details in case the requester has any questions or concerns. 

Key exemptions you should know 

Beyond the third-party data considerations discussed above, here are some of the most common DSAR exemptions relevant to HR:

Legal privilege

Information that is subject to legal advice or is part of ongoing or anticipated litigation can be lawfully withheld from a DSAR. 

This includes confidential communications between the organisation and its legal advisors, as long as they meet the requirements for legal professional privilege. 

To qualify, the advice must be given by a qualified legal professional and be intended as guidance, rather than general business advice. 

Confidential negotiations

If disclosing certain communications would jeopardise ongoing or planned negotiations, such as discussions about settlements, redundancies, or contract terms, they may be exempt from disclosure under the DSAR. 

This exemption is intended to preserve the integrity of sensitive conversations, but it should be used with caution. 

Employers must be able to justify that disclosure would genuinely prejudice the negotiation process, and they should clearly document their reasoning. 

Management forecasting or planning

Data related to business planning or organisational restructuring may be withheld if disclosure would negatively impact the company’s decision-making process or operational stability. 

This exemption is especially important during sensitive periods like redundancy consultations, mergers, and internal reorganisations. 

If disclosing the information could lead to confusion, unrest, or compromise strategic decisions, employers may be justified in withholding it. 

Whichever exemption you apply, you must be able to justify it with clear reasoning and documentation.

Overusing or misapplying exemptions can have serious consequences, ranging from employee distrust to formal complaints or investigations by the Information Commissioner’s Office (ICO).  

A cautious, transparent approach is always best. 

Common pitfalls in DSAR handling

Even well-intentioned HR departments can make errors when responding to data subject access requests. 

Here are some of the most common pitfalls, and why avoiding them is important: 

Inaccurate scope of disclosure

Finding the right balance in your response is critical, as both under- and over-disclosure can cause problems. 

Missing key documents or overlooking data sources can result in an incomplete response, potentially breaching the individual’s rights.  

On the other hand, including irrelevant, excessive, or inadequately redacted information may reveal confidential information and violate privacy laws. 

To avoid these pitfalls, you must conduct a thorough review and exercise caution. 

Unequal treatment of similar requests 

Treating comparable DSARs differently, particularly when they involve grievances, disciplinary actions, or discrimination claims, can raise serious concerns.

If one request is handled more quickly or thoroughly than another, it may create the impression of bias or unfair treatment. 

Maintaining consistency in how you process and respond to all DSARs is critical to avoiding reputational and legal issues. 

Delaying IT or legal involvement

Postponing engagement with IT or legal colleagues can result in unnecessary delays and complications. 

Early input from IT helps identify all relevant data sources efficiently, while legal can flag risks, apply exemptions appropriately, and ensure compliance.  

Bringing in the right expertise at the right time simplifies the process and reduces the possibility of costly mistakes. 

Why preparation makes all the difference

Preparation is essential, and it begins with a clear, well-defined internal DSAR policy.  

A strong policy outlines responsibilities, timelines, and procedures, allowing your team to respond accurately and on time. 

Employee training is just as important. DSARs can affect multiple departments, so employees must understand the process, recognise requests when they arrive, and know when to escalate them. 

Regular, role-specific training keeps your team sharp and reduces the risk of mishandling sensitive data. 

Another important step is to keep a library of response templates and a detailed audit trail for each DSAR. These tools not only simplify the response process, but they also provide transparency and accountability, which is essential if you are ever audited or challenged on your response. 

Ultimately, a proactive approach reduces stress, minimises errors, and ensures that you are always prepared to respond within the strict legal timeframes. 

How Sapphire HR can help 

At Sapphire HR, we understand that responding to data subject access requests can be overwhelming. 

That is why we provide tailored support to help you manage DSARs with confidence, security, and full compliance with data protection regulations. 

Our team has extensive experience guiding businesses through all stages of the DSAR process. 

We can work closely with you to: 

  • Develop clear, compliant internal policies so that your organisation knows exactly how to respond when a request is received. 
  • Provide hands-on assistance with individual requests, such as interpreting a DSAR, gathering the necessary documents, or responding within the legal timeframe. 

We can provide ongoing partnerships and ad hoc support through our flexible HR Unlimited and HR On Demand services, depending on what is best for your business. 

Working with us saves you time, reduces the risk of errors, and ensures that each DSAR is handled with care and professionalism.  

Get in touch today for expert support.  

Here to Help, Not Replace Experts:

The information contained in this blog is presented for general informational purposes only. While we strive to provide accurate and up-to-date content, legal and HR practices can evolve rapidly. This blog is not a substitute for professional advice.

For specific questions or concerns regarding your unique situation, we highly recommend taking professional advice and booking a consultation with a Sapphire HR Consultant. Our consultants are experts in the field and can provide tailored guidance to address your specific needs.
