Written by Nicola Gater | 24th March 2026

If you’ve ever received a formal request from an employee asking to see all the data you hold on them, you’ve encountered a Data Subject Access Request, also known as a DSAR. They’re more common than many employers expect, and when one lands on your desk, the clock starts ticking.
In this blog, we cover the DSAR essentials: what a Data Subject Access Request actually is, who can make one, what falls within scope, and what you must and must not do in response. Whether you’re dealing with your first DSAR, still getting to grips with what they involve, or simply want to deepen your understanding, this will give you the grounding you need.
Already familiar with DSARs and looking for practical guidance? Our blog How to Respond to a Data Subject Access Request (DSAR) may be useful. If you have any questions, please contact the team by email: info@realityhr.co.uk or phone: 01256 328428 and we’ll be happy to help.
What is a DSAR?
DSAR stands for Data Subject Access Request. It is a formal right under UK GDPR (specifically Article 15) and the Data Protection Act 2018 that allows any individual to obtain a copy of the personal data an organisation holds about them, along with information about how it is being processed. In most cases, employers have one calendar month to respond to a DSAR.
This is one of the most operationally significant data protection rights businesses will encounter. Unlike a general compliance question, a DSAR demands action, and the clock starts ticking the moment the request is received.
Why does awareness of DSARs within your organisation matter? Because a DSAR can arrive via any channel, to any employee. If your managers and HR staff don’t know how to recognise one, it’s easy for a valid request to be missed, delayed, or mishandled – all of which can have costly consequences.
Who can submit a DSAR?
The right applies to anyone about whom you hold personal data. For businesses, that includes:
- Current employees
- Former employees (regardless of how long ago they left)
- Job applicants, even if they were unsuccessful
- Other groups including workers, contractors, clients, and suppliers
One thing that tends to catch employers out is that a request does not need to use the words “DSAR”, “GDPR”, or “data protection”. For example, if someone emails HR asking, “what information do you hold about me?” or a job applicant asks for “a copy of [their] interview notes”, those are valid DSARs that must be responded to within the statutory timeframe of a month. Informal wording does not reduce your obligation.
What data is in scope?
The scope of a DSAR is deliberately wide. You are required to search for all personal data, which is any information that identifies the individual, across all the systems and formats in which it might be held. In practice, for an employer, this is likely to include:
- HR records – contracts, personal details, absence records, appraisals
- Payroll and pension information
- Performance reviews and disciplinary notes
- Emails in which the individual is mentioned or discussed
- CCTV footage featuring the individual
- Door access records
- Handwritten notes – yes, even those written on paper
- Instant messaging platforms and social media messages sent or received via work accounts
A note on social media: This is an area where many employers, and employees, are caught out. Messages sent via LinkedIn, Instagram, X (previously Twitter), or any other platform using a work account or on behalf of the organisation can be requested. If your team uses social media as part of their role, it’s worth reviewing what data you hold in messages and records and ensuring they are included in your data mapping.
Why do employees make DSARs?
In practice, DSARs tend to be triggered by a specific concern or event. For businesses, there are three situations that most commonly trigger a request:
- Disciplinary action or dismissal
When an employee is facing disciplinary proceedings, or has recently been dismissed, they may submit a DSAR to understand what information was used in the process, or to look for evidence of unfair treatment. This is a legitimate use of their rights, and you must respond accordingly, regardless of the ongoing or recent process.
- Grievances
Employees who have raised a grievance – particularly one involving a colleague’s behaviour or comments – may submit a DSAR to obtain copies of emails or notes that could support their case. Internal communications that seemed unremarkable at the time can look very different when disclosed in this context.
You can read more about grievances and how to avoid them in our blog “Preventing grievances – building a culture of early resolution”.
- Being unsuccessful in job applications or promotions
Applicants or employees who feel they have been overlooked during recruitment or for progression may request their data to understand what assessments, notes, or internal communications influenced the decision. Informal comments made in emails or meeting notes can carry significant weight if disclosed.
The key takeaway for employers: Every manager and HR professional must understand and communicate to their team that what is written in emails, notes, and messages is potentially disclosable. A culture of professionalism and careful communication is not just good practice – it’s a data protection safeguard.
What are the risks of getting it wrong?
Failing to respond to a DSAR correctly, whether through delay, omission, or refusal without valid grounds, can have serious consequences. The individual could report your failure to the Information Commissioner’s Office (ICO), which has powers to investigate and require compliance. The ICO can issue formal notices requiring you to take specific action and can impose significant fines for serious breaches. Enforcement action, or simply the disclosure of poorly handled internal communications, can cause lasting damage to your business’s reputation, employer brand, and employee trust.
⚠️ What not to do
Deleting, altering, or destroying data after a DSAR has been received is a serious breach of UK GDPR, and it is treated as such by the ICO.
Once you become aware that a DSAR has been made, a legal preservation obligation applies. Any deletion of relevant data – even routine archiving or mailbox purging that would normally happen automatically – should be paused for data relating to the individual who made the request. The ICO views deliberate data deletion post-request as evidence of an attempt to obstruct the individual’s rights, and it significantly worsens the regulatory position of the organisation.
Make sure your IT team and those handling the response understand this obligation clearly. “We didn’t know” is not a defence when the obligation is well established in law.
Exemptions: When can you refuse or redact?
UK GDPR does not require you to disclose everything. The main exemptions relevant to employers are:
- Third-party rights: Redact any information that would identify another individual – you don’t need to withhold the whole document
- Legal professional privilege: Communications with legal advisers in connection with legal proceedings or anticipated claims are exempt
- Confidential references: References given or received in confidence are exempt – though not the individual’s broader employment data
- Management planning: Information about an unannounced restructure or redundancy can be withheld if disclosure would prejudice the plan
- Crime prevention and taxation: Exemptions apply where disclosure would prejudice the prevention of crime or collection of taxes
- Manifestly unfounded or excessive requests: Where a request appears designed to harass rather than exercise a genuine right, you may be able to charge a fee or refuse, but this is a high bar so document your reasoning and refer to ICO guidance
If you refuse in whole or in part, notify the individual within one month and inform them of their right to complain to the ICO.
An example of a good DSAR process
Getting DSARs right doesn’t require a large compliance team, but it does require preparation. Here is a high-level summary of what good looks like:
- Recognise and record promptly: Train your managers and HR team to recognise a DSAR, whether it’s verbal, email, written, or via social media, and record the date it was received the moment it arrives
- Search thoroughly and systematically: Know where your data lives. A good DSAR response requires searching all relevant systems: HR software, email, shared drives, CCTV, social media, and paper records
- Redact appropriately and apply exemptions with care: Release what you must, withhold only what you legitimately can, and document your decisions at every step
- Respond within the deadline: One month from receipt, with a possible two-month extension for complex requests (you must communicate any extension within the first month and state your reasons)
For a detailed, step-by-step guide to managing the DSAR response process including what to put in your written policy, how to handle redactions, and how to structure your response, read our blog: “How to Respond to a Data Subject Access Request (DSAR)”.
How Reality HR can help
DSARs are one of those areas where the gap between thinking you’re compliant and actually being prepared can be significant, and the consequences of getting it wrong are real. Whether you’re building your DSAR process from scratch, reviewing existing policies, or dealing with a live request right now, our team is here to help.
We work with employers across a wide range of sectors to put practical, proportionate HR and data protection processes in place that protect the business and treat employees fairly.
Get in touch with our team by emailing: info@realityhr.co.uk or calling: 01256 328428 – we’re happy to help.
About the author: Nicola Gater, Head of Product and Process
Nicola has vast experience in a broad range of sectors and expertise in the employment implications of mergers and acquisitions, including the challenges of TUPE regulations. Nicola also works on diversity and inclusion projects, company culture exercises, rewards and performance management programmes, and day-to-day HR.