November 20, 2025

Data subject access requests: a guide for employers

Posted in Employment, GDPR

Today’s workforce is data-driven and the majority of interactions in the workplace leave a digital footprint. The familiar ping of a Teams message and echoes of “you’re on mute!” soundtrack the modern-day workplace, where data is created and shared across multiple platforms with ease.

With such connectivity comes data, and with that data comes significant obligations under data protection legislation. For employers, responding to a Data Subject Access Request, commonly known as a DSAR, can be one of the most challenging obligations to comply with. Employers are often grappling with the difficulties of searching, collating and managing data whilst simultaneously balancing this with strict statutory timeframes and cost and resource pressures.

Handled well, an employer can demonstrate compliance and build trust within the workforce. Handled poorly, it can expose a business to regulatory scrutiny, reputational damage and penalties and fines.

The stakes are high, and employers need to know what a DSAR is and what to do if they receive one.

What is a data subject access request (DSAR)?

Under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, an individual (known as the “data subject”) has the right to access copies of their personal data and to know how that data is held and processed. These rights are regulated in the UK by the Information Commissioner’s Office (ICO).

In the employment context, employees, former employees, contractors and even job candidates can make a DSAR. Crucially, DSARs are not required to be in a specified form, nor do they have to be addressed to a specific person within your organisation. Whilst, in theory, DSARs can be made at any time and for any reason, in practice requests usually follow a workplace dispute or grievance and are often seen as a precursor to formal action in the Employment Tribunal.

How to respond to a DSAR

The process for responding to a DSAR can be broken down into four stages:

  1. Verification & clarification
  2. Searches
  3. Review
  4. Disclose

Verification & clarification

Employers should first satisfy themselves that the request came from the data subject, or from someone acting on their behalf. If a request is unclear, employers can seek clarification from the data subject; however, they should refrain from limiting the scope too narrowly without the data subject’s consent.

Searches

An employer’s obligation is to conduct a “reasonable and proportionate” search for the data subject’s personal data. This obligation, whilst not new, has recently been codified into law by the Data (Use and Access) Act 2025. There is no one-size-fits-all approach, and employers need to determine what a reasonable and proportionate search looks like for them, considering the scope of the request, the nature of the business and the resources available.

It is no surprise that, with a reliance on digital communications, searches of emails and messaging platforms in particular can produce a significant amount of data. According to the Microsoft Work Trend Index Special Report (June 2025), the average employee receives 117 emails and 152 Microsoft Teams messages per working day. When dealing with large datasets, employers need to be aware that the volume of documents and/or insufficient IT infrastructure is not a defence for failing to comply with a DSAR.

Review

Once employers have collated the dataset, the next stage is to review it. Employers first need to assess whether the documents in question contain the data subject’s personal data (and therefore may fall within scope to be disclosed) and, if so, whether any third-party data should be disclosed or redacted, and whether any legal exemptions apply. Employers will need to balance the rights of the data subject with the rights of third parties, and this is not always straightforward.

Disclose

Once the dataset has been reviewed, the final stage is to disclose the personal data to the data subject, along with the required supplementary information. For transparency purposes, it is good practice to explain to the data subject how their request has been managed and what information has been provided. Under the Data (Use and Access) Act 2025, employers must also inform the data subject of any legal exemptions they have relied on to withhold data.

How long do employers have to respond to a DSAR?

Employers must respond to a DSAR within 1 month of receipt, unless the request is considered complex and an extension has been sought. Whether a request is considered complex will depend upon the specific circumstances of each matter; however, it is important to note that a large volume of documents does not necessarily mean a request is likely to be considered complex.

Can an employer refuse to respond to a DSAR?

Employers can refuse to respond to a DSAR if it is “manifestly unfounded or excessive”. Each request must be considered on its own facts when determining whether it is reasonable to refuse to comply. In any event, employers should ensure any refusal, and the reasons for this, are clearly documented in the event of challenge.

An employee has signed a settlement agreement; do we still need to comply with their DSAR?

Yes. Unless the DSAR in question has been validly withdrawn under the terms of the settlement agreement, employers must comply with the request or otherwise risk regulatory action. Employers should be wary of seeking to override an individual’s right of access under a settlement agreement, and ICO guidance has confirmed such clauses are likely to be unenforceable.

What can go wrong?

If an employer fails to respond to a DSAR, whether in full or at all, the data subject may make a complaint to the ICO. The ICO can take enforcement action against a non-compliant employer by issuing warnings, reprimands, enforcement notices and/or penalty notices. Financial penalties can be imposed up to the higher of £17.5 million or 4% of the total annual worldwide turnover of the business in the preceding financial year.

Practical tips for employers

Awareness – ensure your staff are comfortable with what a DSAR is, what it can look like and who they should direct requests to.

Act quickly – the clock starts ticking when a DSAR is received. Ensure deadlines are diarised and if a request is unclear, seek clarification at an early stage.

Process – ensure you have a documented process for handling DSARs: what are the key timeframes, where is data held, and which internal stakeholders do you need to consult?

Data retention – one of the principles under data protection legislation is storage limitation, i.e. you must not keep personal data for longer than you need it. Review your data retention policies to ensure these are fit for purpose and are being complied with in practice.

How RWK Goodman can help

Dealing with DSARs can be complex and time-consuming. We regularly advise clients on all aspects of DSARs and data protection compliance, from advising on the validity and scope of requests, to delivering compliance training and reviewing relevant policies, to managing DSARs on behalf of our clients so that they can focus their attention on other matters.

If you need support with a DSAR, or want to ensure your business is compliant, please contact Sophie Sheeran.
