
Handling Data Subject Access Requests (DSARs) can be a challenge for HR teams and employers, especially if employees want to use them to support ongoing grievances and tribunal claims. While the right to access personal data is a fundamental part of data protection law, a DSAR can trigger a sensitive, time-consuming process.
But don’t panic! A DSAR doesn’t mean you need to hand over everything. Instead, it’s about carefully reviewing the personal information that can identify the requester—such as emails, notes, and messages—and providing a lawful, timely response.
Here’s what you need to know to handle DSARs efficiently and legally.
What is a DSAR?
A Data Subject Access Request (DSAR) is a formal request made by an individual (or their representative) to access the personal data an organization holds about them. Under GDPR (General Data Protection Regulation), employees have the right to know how their data is being used, stored, and shared.
For HR, this means reviewing personal data across systems and departments and providing a response within a set period. While DSARs are a right under the law, HR teams often feel the pressure when they arise, especially if they relate to disputes or legal claims.
6 top tips for handling DSARs
1. Carefully review the request
When you receive a DSAR, read the request thoroughly to understand what’s being asked. Identify who in your team can help, especially if the request is large or involves multiple departments. Think about the data sources you need to review—this can include:
- Emails
- HR files
- Internal notes and records
- Messages on platforms like Slack or Microsoft Teams
If the request covers multiple systems or is large in scope, involve your IT team early on. They can help you search through systems more effectively and ensure you don’t miss anything.
2. Respond within one month (or request an extension)
By law, you must respond to a DSAR within one month of receiving it. However, if the request is complex or covers a large volume of data, you can extend this deadline by up to two additional months.
If you need this extra time, make sure you notify the employee in writing and explain why the extension is necessary.
3. Plan and prep
Proactive preparation can save you a lot of time and stress when a DSAR arises. Establish a consistent internal process for handling requests, and make sure your team knows how to:
- Conduct targeted searches for specific data.
- Identify when data can be withheld or redacted due to exemptions.
4. Training
Teaching DSAR best practices is crucial. When your staff understands the process, it improves both your response time and your ability to handle requests confidently.
5. Know what data you don’t have to disclose
Not all data has to be handed over. There are specific exemptions under data protection law, which include:
- Legally privileged documents (e.g. legal advice).
- Confidential information related to negotiations.
- Data about other individuals that cannot be disclosed without their consent (unless the information can be redacted).
If you rely on an exemption, always document your reasoning. This is particularly important if the DSAR is linked to a legal dispute or grievance, as it can help protect your organization if the request is challenged.
6. Ensure consistency
Consistency is key when handling DSARs. For example, if you treat a request related to a discrimination complaint differently than other requests, it could be seen as unfair and lead to victimisation claims.
Always follow the same process and guidelines for every request, regardless of the context. This will help maintain transparency and fairness throughout the process.
Keep calm and minimise legal and reputational risk
If handled well, a DSAR doesn’t need to be a headache. But if it’s mishandled, it could turn into a legal issue or damage your company’s reputation.
Here’s how to stay on track:
- Keep a cool head: Don’t rush through a DSAR. Take the time to review it thoroughly.
- Have a clear process in place, so everyone knows what to do when a DSAR arrives.
- Plan for early intervention: The earlier you start, the less stress you’ll face when deadlines approach.
By following these best practices, you can manage DSARs smoothly, stay compliant with data protection law, and protect your organization from unnecessary legal risks.
Stay ahead of the game by creating clear internal processes, training your staff, and always keeping the focus on transparency and fairness. Hunter Law is always here to help.
Further reading
Data protection: The UK’s data protection legislation – GOV.UK