Manchester: 0161 797 8123

London: 0207 438 2045

Manchester: 0161 797 8123

London: 0207 438 2045


News, events, media, seminars and more

Responding to a Data Subject Access Request

Data Subject Access Request

Have you been approached with one or more Data Subject Access Requests (DSARs)?

We have the expertise to acquire, process and search across large volumes of data.

The increased usage of electronic devices has seen a prolific rise in the amount of data being generated. With the advent of stringent regulations such as the GDPR, individuals are now more aware of their rights and control how their data is processed and distributed. One such tool is the ‘Data Subject Access Request’.

What is a Data Subject Access Request?

A data subject access request (commonly referred to a ‘DSAR’ or ‘SAR’) is a request made by an individual for information which they are entitled to under section 7 of the Data Protection Act 1998 (DPA). It is often used by individuals who want to exercise the right to be provided with a copy of the information an organisation holds about them, which can include:

  • Confirmation that their personal data is being processed;
  • A copy of the personal data in the company’s possession;
  • The purposes for which it is being processed and whether it is shared with any third parties;
  • Details of the source of the data (where available);
  • Structured and unstructured data.

What is classified as personal data?

For information to be personal data, it must relate to a living individual. It must also allow that individual to be clearly identified from it when viewed in isolation, or in conjunction with other information likely to come into the organisation’s possession.

What to do if your client receives a DSAR?

Firstly, ensure the request is valid. A valid data subject access request is one which:

  • Provides all the information required to locate the information the person wants;
  • Provides sufficient information to verify the data subject’s identity.

It is unlikely that the first contact from the data subject will provide all the relevant information, in which case you must respond to the data subject.

Calculate the Response Deadline

Make sure you and your client know the deadline for response. You have a period of 30 days to provide the information requested once all necessary information has been received. Failure to comply can result in a maximum fine of 4% of annual turnover or $20 million euros, whichever is higher.

What data should be provided?

There may be a mix of data that qualifies as personally identifiable data relating to other people and information that is not personally identifiable whatsoever. Separate documents within an overall file must be considered on their own merits. The output of the investigation must be provided to the individual in an intelligible format. In most cases, this information must be communicated to the requester by supplying them with a physical copy of the data, such as a photocopy or print out of the relevant information.

Data controllers & data processors

Since the introduction of the GDPR, both data controllers and data processors can be subject to DSARs. GDPR has also meant that the fee for an individual to lodge a request has been removed (previously a fee of £10 applied). As individuals become more and more aware of their right to lodge DSARs, organisations are coming under increasing pressure to deal with these requests.

Dealing with subject access requests can be a complex and time-consuming task.

This is especially the case if the volume of personal data held by the organisation is extensive and is held in various formats across a range of systems, including legacy data. Complications are further compounded if the ‘subject’ requests unstructured data.

Data screening information

Not all personal information may be liable for disclosure. Once you have collated the information you hold about a data subject you must assess it in order to establish whether it is disclosable. You should only disclose information relating to the person making the data subject access request. Where a document contains personal data about several individuals, including the data subject, you should redact the information attributed to the third parties.


CYFOR can digitally redact any relevant documents that contain sensitive information not disclosable to the particular data subject (e.g. they may be legally privileged or contain information about another individual).

How can CYFOR assist you?

As leading digital forensics and electronic disclosure experts, CYFOR have the necessary expertise to assist organisations dealing with data subject access requests. We have at our disposal a large team of technicians that specialise in forensic data acquisition, as well as advanced online review platforms. These are specifically designed to search, filter and process large volumes of electronic data, identifying the information you require in a time and cost-effective manner.

CYFOR Data Subject Access Request Workflow

Data Subject Access Request

Back to all Posts

Call us today and speak with a Forensic Specialist

London: 0207 438 2045

Manchester: 0161 797 8123

Feel free to send us an enquiry

  • This field is for validation purposes and should be left unchanged.

After submitting an enquiry, a member of our team will be in touch with you as soon as possible

Your information will only be used to contact you, and is lawfully in accordance with the new General Data Protection Regulation (GDPR) act, 2018.