What Is a DSAR? A Plain-English Guide for UK Employers
Published 7 April 2026 · Last reviewed 15 March 2026
A DSAR — data subject access request — is a formal request from someone asking you to hand over all the personal data you hold about them. Under UK GDPR Article 15, every individual has this right, and every UK employer must comply. You have one calendar month to respond.
If you have never dealt with one before, this guide covers how to recognise a DSAR, what to do when one arrives, and where employers typically go wrong.
This guide covers DSARs in the UK employment context under UK GDPR and the Data Protection Act 2018. It is not legal advice.
How to recognise a DSAR
A DSAR does not need to use the words "subject access request," "DSAR," or "Article 15." Any request for personal data counts, regardless of format:
- An email saying "I want copies of all data you hold about me"
- A letter from a solicitor requesting "disclosure of our client's personal information"
- A verbal request to a line manager: "Can I see my HR file?"
- A message on Teams or Slack asking for "my records"
The ICO's employer Q&A confirms that the request does not need to be in writing, does not need to mention GDPR, and does not need to go through a specific person or form. If any member of staff receives something that looks like a data request, it is a DSAR — and the clock starts immediately.
Why this matters: The one-month deadline begins when any employee in your organisation receives the request — not when HR formally logs it. A request sitting in a line manager's inbox for two weeks before being forwarded to HR still has a deadline based on the original receipt date.
What to do in the first 24 hours
1. Log the receipt date. This is the single most important step, because the deadline is calculated from this date. Use the SAR deadline calculator to work out the exact deadline including weekends and bank holidays.
2. Decide if you need identity verification. Can you confirm who the requester is from existing records? If it is a current employee emailing from their work account, their identity is already established. If it is an ex-employee or a solicitor acting on someone's behalf, you may need to request proof of identity. Under the DUAA 2025, section 76, the clock pauses until identity is verified.
3. Send an acknowledgement. Not legally required, but strongly recommended. Confirm you have received the request, state the deadline, and note whether you need any further information. See Free Subject Access Request Templates for the acknowledgement letter template.
4. Identify the search scope. Which systems hold this person's data? Consider HR records, email, payroll, performance management, disciplinary files, CCTV, and IT access logs. The DUAA 2025, section 78 requires a "reasonable and proportionate search" — you must search in proportion to the data you are likely to hold, not just the easiest places to look.
What you must provide
Your response must include:
- A copy of all personal data you hold about the requester
- The purposes of your processing (why you hold each category of data)
- The recipients you have shared their data with
- The retention period (how long you will keep each category)
- Their rights — to rectification, erasure, restriction, and complaint to the ICO
The response is free of charge. You cannot charge a fee unless the request is vexatious or excessive (a high threshold — see Can You Charge for a Subject Access Request? for the rules).
What you can withhold
The DPA 2018 Schedule 2, Part 4 provides exemptions:
- Legal privilege — solicitor advice on the requester's case
- Management forecasts — restructuring plans that would be prejudiced by disclosure
- Negotiations — settlement strategy and walk-away figures
- Confidential references — references you gave in confidence
Each exemption applies to specific documents, not broad categories. Use the SAR exemption checker for a guided walkthrough of which exemptions apply. For detailed guidance, see SAR Exemptions Explained.
Where employers go wrong
Treating DSARs as optional. They are a legal obligation. Ignoring a DSAR exposes you to an ICO complaint, enforcement action, and — if the requester is in a tribunal dispute — adverse inferences about what you might be hiding.
Searching too narrowly. Checking only the personnel file misses emails, chat messages, and manager correspondence about the employee. The ICO will ask what systems you searched and why.
Missing the deadline. One calendar month sounds generous until you realise the data is spread across six systems and requires redaction of third-party information. Log the receipt date immediately and track the deadline from day one.
Not documenting the process. If the ICO investigates, they want to see your audit trail — when you received the request, what you searched, which exemptions you applied and why, and when you sent the response.
For the complete step-by-step process, see How to Respond to a Subject Access Request from an Employee.
Frequently asked questions
What does DSAR stand for? Data Subject Access Request. It is the same thing as a Subject Access Request (SAR) — the terms are interchangeable. "DSAR" emphasises the data protection angle; "SAR" is the shorter form used by the ICO.
Can a DSAR be made verbally? Yes. There is no required format. A verbal request to a line manager counts as a valid DSAR, and the one-month deadline starts from that moment. This is why training staff to recognise DSARs is important.
Do I have to respond if the DSAR is made during a tribunal claim? Yes. The requester's motivation does not affect your obligation to respond. SARs during tribunal proceedings are common — and courts may draw adverse inferences if you fail to respond properly.
What is the deadline for a DSAR? One calendar month from the date of receipt. Extensions of up to two months are available for genuinely complex requests, but you must notify the requester within the first month. See Subject Access Request Time Limit UK for the full rules.
Sources
- UK GDPR — Article 15 (right of access)
- ICO — Subject access request Q&As for employers
- ICO — Right of access (subject access) guidance
- Data (Use and Access) Act 2025 — Section 76 (time limits)
- Data (Use and Access) Act 2025 — Section 78 (reasonable and proportionate search)
- Data Protection Act 2018 — Schedule 2, Part 4 (exemptions)