Navigating DSARs: What Businesses Need to Know

Under Article 15 of the UK GDPR, individuals have a right of access to their personal data held by a data controller. Businesses which, alone or jointly with others, decide why (i.e. the purpose) and how personal data is processed (i.e. the means) must therefore remain mindful of their legal obligations and ensure they are prepared to respond appropriately to a Data Subject Access Request (DSAR).
The Data (Use and Access) Act 2025 (DUAA) introduces changes to how businesses are expected to manage these access requests.
What is a DSAR?
A DSAR is a request by an individual to receive a copy of their personal data. DSARs allow individuals to better understand how their data is being used by businesses, with whom it is being shared, and whether it is being handled lawfully.
The UK GDPR does not require an individual (the requestor) to use a specific form when making a valid DSAR. As long as it is clear that an individual is asking for access to their personal data, a request can be made verbally or in writing, including through social media channels. It is also possible for an authorised third party, such as a trusted family member or a solicitor, to make a DSAR on behalf of another individual.
What should a business do upon receiving a DSAR?
Before responding to a DSAR, businesses should check that the information the requestor is seeking meets the definition of personal data under the UK GDPR. Article 4 of the UK GDPR defines “personal data” as any information which can directly or indirectly identify an individual, such as names, contact details and employment information.
It is also important that businesses are satisfied that the requestor is asking for their own data. Businesses are entitled to ask for identification if there is any doubt around an individual’s identity.
What information is the requestor entitled to?
Requestors are entitled to a copy of their personal data and any other relevant supplementary information. They also have the right to receive confirmation of how businesses are handling and processing their personal data, such as:
- the purposes for which it is being processed;
- the length of storage periods (i.e. data retention);
- to whom the data has been disclosed; and
- whether automated decision-making processes have been used.
All responses to DSARs should have this information presented in an accessible, concise and clear format, with a copy of their personal data attached. Further, while there is no obligation on businesses to confirm receipt of a DSAR, it is best practice to acknowledge receipt and provide a deadline for compliance in line with statutory rules.
The existing position is that businesses are required to conduct a reasonable search for the requested information. The UK GDPR clarifies that businesses are not obliged to take excessive steps to comply with a DSAR where the search would be unreasonable or disproportionate to the information requested.
When can businesses refuse to comply with a DSAR?
Businesses are not always required to comply with a DSAR. For example, if an individual makes a request which is manifestly unfounded or manifestly excessive, a business can refuse to comply. In this case, the business must inform the individual of the reason for its refusal and inform them of their right to complain to the Information Commission (ICO) and their ability to seek enforcement action through the courts.
The Data Protection Act 2018 (DPA 2018) also sets out certain exemptions which allow businesses to refuse to comply with a DSAR, either in whole or in part. For example, businesses do not have to respond if, in doing so, they would be disclosing information about another individual who has not consented to such disclosure, and it would be unreasonable to comply with the request without that third party’s consent. Other exemptions under the DPA 2018 include crime and taxation, public interest exclusions and information subject to legal professional privilege, which covers both litigation privilege and legal advice privilege. Businesses must now inform the requestor when relying on legal professional privilege to withhold documents, and must also inform them of their right to ask the ICO to review the applicability of the exemption.
Failure to comply with a DSAR without a valid exemption may lead to action being taken against the business by the ICO or by court order on the application of the requestor.
Timeline
Businesses must comply with a DSAR without undue delay and within one month of receiving the request.
Data (Use and Access) Act 2025
The DUAA, which received Royal Assent on 19 June 2025, was introduced to supplement and simplify existing data protection laws, including the UK GDPR, the DPA 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR).
The DUAA inserts a new provision into the UK GDPR, requiring businesses to conduct a “reasonable and proportionate” search for information requested under a DSAR, rather than a reasonable search as before. This change largely codifies the ICO’s existing guidance and is intended to clarify, not substantially alter, the standard expected of businesses. In practice, this will likely mean that businesses are not burdened with having to conduct extensive searches for documents that are not justified in light of the nature of the request.
The DUAA also introduces mechanisms to extend the timeline for responding in certain circumstances. These changes do not replace the standard response timeframe of one month; rather, they provide flexibility for businesses when faced with complex or unclear DSARs. For example, if a business needs to verify the identity of the requestor, the time for response does not start until the requested identification is received and the business is satisfied that it is dealing directly with the correct individual. This “stop the clock” mechanism also applies where further clarification of the request is needed.
Equally, the time limit for responding can be extended by a further two months if the request is particularly complex or the individual has submitted multiple requests. If this is the case, the business must notify the requestor of the extension within one month of receipt of the DSAR.
Other useful information
Businesses cannot generally charge a fee for processing a DSAR. Only in limited circumstances would this be acceptable, for example where the request is manifestly unfounded or excessive, or where the request involves repeated copies of the same information.
Comment
For businesses, DSARs remain a key transparency obligation under the UK GDPR, giving individuals broad rights to access their personal data and understand how it is used, shared, and protected. The DUAA refines this process by clarifying that businesses must conduct a reasonable and proportionate search – reducing the need for overly burdensome, exhaustive investigations – and introduces greater flexibility through “stop the clock” mechanisms and potential extensions where requests are unclear, complex, or require identity verification. In practice, this means businesses should maintain robust data-mapping and governance systems to locate information efficiently, acknowledge DSARs promptly, and manage expectations around timelines, while also understanding when an exemption or refusal may lawfully apply.