
DSAR Software for Small Businesses: What UK SMEs Actually Need

Published 3 March 2026 · Last reviewed 10 March 2026

Search for "DSAR software" and every result costs £10,000+ per year, requires a dedicated privacy team to implement, and was built for enterprises processing thousands of requests across global data estates.

If you are a UK SME handling 1–20 subject access requests a year, none of that is relevant to you. Here is what actually matters when choosing DSAR tools for your business.

This guide covers UK SME requirements for DSAR handling tools. It is not legal advice.

The SME DSAR problem

UK employers must respond to subject access requests within one calendar month under UK GDPR. The Data (Use and Access) Act 2025 (section 78) adds a "reasonable and proportionate search" standard — you need to document what you searched and why.

Most SMEs handle SARs with a combination of:

  • Email chains between HR, IT, and the line manager
  • Word documents for the response letter
  • A spreadsheet (or nothing) for deadline tracking
  • No documented audit trail

This works until it does not. According to the ICO's annual report, over 16,000 SAR-related complaints were received in 2022-23 — a 23% year-on-year increase. A single ICO investigation can consume weeks of management time. In an employment tribunal, an incomplete or late SAR response damages your credibility.

What DSAR tools do SMEs actually need?

Enterprise privacy platforms solve a different problem. They automate data discovery across hundreds of integrated systems, manage cross-border transfer assessments, and process thousands of requests per month. An SME with 50 staff, one HR system, and a few SARs per year does not need any of that.

Here is what SMEs actually need from DSAR handling software:

1. Deadline tracking with calendar awareness

The tool should calculate the one-month deadline automatically from the date you log the SAR. It should account for:

  • Calendar month calculations (31 January → 28 February)
  • Weekend and bank holiday adjustments on the final day
  • The DUAA 2025 stop-the-clock mechanism — pausing the clock while waiting for identity verification or clarification
  • Two-month extensions for complex requests

Most enterprise platforms include this, but so should any tool priced for SMEs. If you are still tracking deadlines manually, try the SAR deadline calculator — it handles the full calculation including stop-the-clock adjustments.
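The four rules above can be worked through in a few lines of Python. This is an added example, not dsartracker's code or the calculator linked above. It assumes that days spent paused are added to the deadline and that the two-month extension runs from the original receipt date; the bank holiday set is a constructed partial sample.

```python
import calendar
from datetime import date, timedelta

# Constructed sample (Good Friday, Easter Monday, early May 2026).
# A real tool would load the full list for the relevant UK nation.
BANK_HOLIDAYS = {date(2026, 4, 3), date(2026, 4, 6), date(2026, 5, 4)}

def add_months(d, months):
    """Same day-of-month N months later, clamped to the last day of that month."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))

def next_working_day(d, holidays=BANK_HOLIDAYS):
    """Roll forward past Saturdays, Sundays and listed bank holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d

def sar_deadline(received, pauses=(), extended=False, holidays=BANK_HOLIDAYS):
    """Response deadline for a SAR logged on `received`.

    pauses   -- (start, end) date pairs during which the clock was stopped
                (assumption: each paused day pushes the deadline back one day)
    extended -- True if the two-month extension for complex requests applies
                (assumption: three months in total, counted from receipt)
    """
    due = add_months(received, 3 if extended else 1)
    due += timedelta(days=sum((end - start).days for start, end in pauses))
    # The weekend / bank holiday adjustment applies to the final day only.
    return next_working_day(due, holidays)

if __name__ == "__main__":
    # 31 January -> 28 February (a Saturday in 2026) -> Monday 2 March
    print(sar_deadline(date(2026, 1, 31)))
    # Due date lands on Good Friday -> rolls to Tuesday 7 April
    print(sar_deadline(date(2026, 3, 3)))
    # Seven days paused for identity verification -> 8 July
    print(sar_deadline(date(2026, 6, 1), pauses=[(date(2026, 6, 2), date(2026, 6, 9))]))
```

Recording the pause start and end dates alongside the computed deadline also gives the audit trail the evidence it needs for why a response date moved.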

2. A guided workflow — not just a dashboard

Enterprise tools assume the user knows the SAR process. SME tools should guide you through it:

  • Identity verification — what to request, when the clock pauses
  • Search scope definition — which systems to check, what counts as personal data
  • Exemption checking — which DPA 2018 Schedule 2 exemptions apply and how to document them (see SAR Exemptions Explained for a detailed guide, or try the SAR exemption checker)
  • Redaction — what to remove, how to log decisions
  • Response generation — compliant cover letter with supplementary information

The difference matters. A dashboard tells you a SAR is overdue. A guided workflow prevents it from becoming overdue in the first place.

3. An audit trail the ICO can review

If a requester complains to the ICO, you need to demonstrate:

  • What search you conducted and why it was reasonable
  • Which exemptions you applied and your justification for each
  • What you redacted and why
  • That the response was dispatched within the deadline

The DUAA 2025's "reasonable and proportionate search" standard makes this explicit. Your audit trail is your evidence.

Enterprise platforms generate audit trails as a side effect of their complex workflows. An SME tool should build the audit trail into the workflow itself — logging each step as you complete it, not requiring you to retrospectively document what you did.

4. Response letter templates

A compliant SAR response is more than "here's your data." It must include:

  • Confirmation you are processing the individual's personal data
  • A copy of the data in a commonly used format
  • The purposes of processing
  • Categories of data held
  • Recipients or categories of recipients
  • Retention periods
  • The individual's rights (rectification, erasure, complaint to ICO)

Writing this from scratch every time is error-prone. Template letters — pre-populated with the SAR details — save time and reduce compliance risk.

The SAR response letter generator creates these templates for free — acknowledgement letters, identity verification requests, response cover letters, extension notices, and partial exemption explanations.

5. Affordable pricing

The pricing gap in DSAR software is stark:

Approach | Annual cost | What you get
DIY (Word + email + spreadsheet) | £0 | No audit trail, no deadline tracking, no exemption guidance
One-off templates from legal sites | £30-50 | Static documents, no workflow or tracking
Enterprise privacy platforms | £10,000+/year | Full automation — massively over-specified for SMEs

The gap between £50 one-off templates and £10,000+/year enterprise platforms is where most UK SMEs sit. An SME handling a few SARs per year needs a tool priced in the tens of pounds per month — not thousands.

Features you do NOT need

Enterprise DSAR platforms pack features that make sense at scale but add unnecessary complexity for SMEs:

  • Automated data discovery — scanning hundreds of integrated systems for personal data. If you have one HR system and an email server, you know where the data is.
  • Cross-border transfer impact assessments — relevant for multinationals, not for a UK employer with staff in one country.
  • Consent management — a separate compliance function that has nothing to do with SAR response.
  • Cookie banner management — bundled by privacy platforms as an upsell. Irrelevant to SAR handling.
  • Privacy impact assessment workflows — valuable, but a separate tool for a separate purpose.

If a vendor bundles all of these into a "privacy suite" and prices accordingly, you are paying for capabilities you will never use.

How to evaluate DSAR software for your SME

Ask these five questions before committing to any tool:

  1. Does it guide you through the process, or just track requests? A tracking dashboard is not enough if nobody on your team has handled a SAR before.

  2. Does it handle UK-specific requirements? UK GDPR, DPA 2018 exemptions, and DUAA 2025 provisions differ from EU GDPR. Tools built for the EU or US market may miss UK-specific nuances (the stop-the-clock mechanism, Schedule 2 Part 4 exemptions, UK enforcement thresholds).

  3. Does it create an audit trail automatically? If you need to manually document what you searched and why after the fact, the tool is not saving you enough time.

  4. Can you be operational in under an hour? Enterprise platforms take weeks to implement with professional services. An SME tool should work from day one.

  5. Is the pricing transparent? If you need to "book a demo" or "contact sales" to see pricing, the tool is not built for SMEs. SME buyers expect to see the price on the website and sign up without a sales call.

What dsartracker is building

dsartracker is a SAR response tracker designed specifically for the gap described above — UK SMEs handling employee SARs without a dedicated DPO.

It guides you through every step: log the incoming SAR, calculate the deadline (including DUAA 2025 stop-the-clock), follow a structured workflow for identity verification, search scope, exemption checking, and redaction, generate response letters from templates, and export an audit-ready compliance pack. For a walkthrough of the full SAR response process, see How to Respond to a Subject Access Request from an Employee.

Planned free tier: SAR deadline calculator + 2 requests/year. Planned paid tier: unlimited requests with the full workflow.

Join the waitlist for early access.
