Step by Step Guide to Implementing DSAR in Compliance with the Data (Use and Access) Act 2025
- Mar 22
Data Subject Access Requests (DSARs) have become a crucial part of data protection and privacy management for organisations. With the introduction of the Data (Use and Access) Act 2025, companies must adapt their DSAR processes to meet new legal requirements. This guide walks you through each step of implementing an effective DSAR system that complies with the latest legislation, ensuring your organisation respects individuals' rights while managing data responsibly.

Understanding DSAR and the Data (Use and Access) Act 2025
A Data Subject Access Request allows individuals to request access to their personal data held by an organisation. The Data (Use and Access) Act 2025 introduces stricter rules on how organisations must handle these requests, emphasising transparency, timeliness, and security.
Key points of the Act include:
- Shortened response times: Organisations must respond within 15 calendar days.
- Expanded scope: Requests now cover data shared with third parties.
- Verification requirements: Stronger identity verification to prevent unauthorised access.
- Clearer communication: Responses must be easy to understand and include details on data use.
Understanding these changes is essential before designing your DSAR process.
Step 1: Assess Your Current DSAR Process
Begin by reviewing your existing DSAR procedures:
- Identify how requests are received (email, web form, mail).
- Check current response times and whether they meet the new 15-day requirement.
- Review how you verify requesters’ identities.
- Evaluate how you track and document requests.
- Assess communication templates for clarity and completeness.
This assessment highlights gaps and areas needing improvement to comply with the new law.
Step 2: Design a Clear DSAR Policy Aligned with the Act
Create or update your DSAR policy to reflect the Data (Use and Access) Act 2025 requirements. The policy should include:
- Scope of requests: Define what data can be requested, including third-party shared data.
- Request submission methods: Provide multiple accessible channels.
- Verification process: Outline steps to confirm identity securely.
- Response timeline: Commit to the 15-day deadline.
- Communication standards: Use plain language and include explanations of data use.
- Data protection measures: Ensure data is shared securely.
Make the policy available to employees and data subjects to promote transparency.
Step 3: Train Your Team on New DSAR Procedures
Your staff must understand the updated DSAR process and legal obligations. Training should cover:
- Recognising and logging DSARs promptly.
- Conducting identity verification without infringing privacy.
- Locating and compiling relevant data, including third-party information.
- Communicating clearly with requesters.
- Documenting actions taken for audit purposes.
Regular refresher sessions help maintain compliance and reduce errors.
Step 4: Implement Technology Solutions to Support DSAR Management
Handling DSARs manually can be time-consuming and error-prone. Consider adopting software tools that:
- Automate request intake and tracking.
- Integrate with data repositories to locate personal data quickly.
- Support secure identity verification.
- Generate standardised response letters.
- Maintain audit trails for compliance reporting.
Choose solutions that can adapt to evolving legal requirements and scale with your organisation.
Step 5: Establish a Verification Process That Balances Security and User Experience
The Act requires strong verification to prevent data breaches but also demands a smooth experience for requesters. Best practices include:
- Requesting government-issued ID or other official documents.
- Using multi-factor authentication for online requests.
- Limiting the amount of personal information collected during verification.
- Providing clear instructions on verification steps.
Ensure your verification process complies with privacy principles and does not create unnecessary barriers.
Step 6: Create a Workflow for Data Collection and Review
Efficiently gathering all relevant data is critical. Your workflow should:
- Identify all systems and third parties holding personal data.
- Assign responsibility for data retrieval.
- Review data for accuracy and relevance.
- Remove any information that is exempt or irrelevant.
- Prepare data in a secure, accessible format for delivery.
Document each step to demonstrate compliance and facilitate audits.
Step 7: Communicate Clearly and Deliver Data Securely
When responding to DSARs:
- Use plain language to explain what data is provided and how it is used.
- Include information about the requester’s rights under the Act.
- Deliver data through secure channels, such as encrypted email or secure portals.
- Offer assistance if the requester has questions or needs clarification.
Clear communication builds trust and reduces follow-up requests.
Step 8: Monitor and Review Your DSAR Process Regularly
Compliance is an ongoing effort. Set up regular reviews to:
- Track response times and identify delays.
- Analyse common issues or request types.
- Update policies and training based on feedback and legal updates.
- Audit data security measures related to DSAR handling.
Continuous improvement helps your organisation stay compliant and responsive.



