Navigating DSARs in the UK A Step by Step Guide with 2025 Data Access Act Changes
- Apr 7
- 3 min read
Data Subject Access Requests (DSARs) have become a critical part of data privacy rights in the UK. With the introduction of the Data (Use and Access) Act 2025, the landscape of DSARs is evolving, bringing new responsibilities and clearer processes for organisations and individuals alike. This guide breaks down everything you need to know about DSARs in the UK, including practical steps to handle requests and how the 2025 Act changes the rules.
Understanding DSARs and the recent legislative updates will help you manage data requests efficiently and stay compliant with UK law.
What is a Data Subject Access Request (DSAR)?
A Data Subject Access Request is a formal request made by an individual to an organisation, asking for access to the personal data that organisation holds about them. Under UK data protection laws, individuals have the right to know what information is collected, how it is used, and who it is shared with.
DSARs are a key part of the UK’s commitment to transparency and control over personal data. Organisations must respond to these requests within a set timeframe and provide the requested information free of charge, unless the request is unfounded or excessive.
Why DSARs Matter
DSARs empower individuals to:
Understand what personal data organisations hold about them
Verify the accuracy of their data
Request corrections or deletions if necessary
Gain insight into how their data is being used or shared
For organisations, handling DSARs correctly builds trust and avoids legal penalties. Non-compliance can lead to fines and damage to reputation.
Key Changes Introduced by the Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 introduces several important updates to the DSAR process:
Reasonable and Proportionate: Organisations are only required to conduct a reasonable and proportionate search for personal data focusing on those most likely to contain the requested information.
Documentation and Compliance: Organisations must document their search processes and decisions regarding the scope of their searches. This documentation is crucial to demonstrate compliance and to defend against any claims of incomplete searches.
Stop the Clock: If more information is needed the response time pauses until the information is provided.
What Organisations Must Do When They Receive a DSAR
Once an organisation receives a DSAR, they must:
Acknowledge receipt promptly: Usually within a few days.
Verify the requester’s identity: To avoid data breaches.
Locate all relevant data: This includes emails, databases, CCTV footage, and automated profiling data.
Review the data: Remove any information that relates to other individuals or is exempt from disclosure.
Provide the data: Deliver the information in a clear, accessible format, usually electronically.
Meet the deadline: Extensions are possible only in complex cases, with clear communication.
Handling Complex or Multiple Requests
Some DSARs can be complicated, especially when:
The requester asks for large volumes of data.
Data involves third parties or sensitive information.
The request is unclear or broad.
Organisations should:
Communicate with the requester to clarify the scope.
Break down the response into manageable parts if needed.
Document all steps taken to comply.
Practical Tips for Organisations to Prepare for DSARs
To stay compliant with the 2025 Act, organisations should:
Train staff on DSAR procedures and legal requirements.
Maintain clear records of data processing activities.
Implement secure identity verification methods.
Use software tools to locate and extract personal data efficiently.
Communicate transparently with requesters throughout the process.
Practical Tips for Individuals Making DSARs
For individuals, these tips help make DSARs effective:
Be clear and specific about the data you want.
Provide accurate identity documents.
Keep track of deadlines and follow up if needed.
Understand your rights under the new 2025 Act.
Use the ICO’s resources for guidance.
Comments