Data subject access request (DSAR)

Last modified: February 2, 2026

What is a data subject access request (DSAR)?

A data subject access request is a legal right that allows an individual to ask an organisation whether it holds personal data about them and to receive a copy of that information. In the workplace, a data subject access request is often more than a simple data query — it is frequently a sign that an individual wants clarity, transparency or reassurance about how decisions have been made.

A data subject access request can be made verbally or in writing and does not need to mention data protection law to be valid. Once received, employers are required to respond without undue delay and within statutory timeframes, handling the request in line with UK data protection legislation.

  • What does a data subject access request mean in HR / Health & Safety?

    In HR and Health & Safety, a data subject access request usually arises during sensitive or high-risk employment situations. Employees or former employees often submit a data subject access request to understand what information has been recorded, shared or relied upon in relation to them.

    In an employment context, a data subject access request may cover personal data such as:

    • Personnel and HR files
    • Emails, Teams messages and internal correspondence
    • Absence records, return-to-work notes and workplace adjustments
    • Disciplinary, grievance and investigation documents
    • Performance reviews and management notes
    • CCTV footage or building access records
    • Occupational health referrals and reports (where applicable)

    Under the UK GDPR and Data Protection Act 2018, employers must respond to a data subject access request within one calendar month of receipt. Many compliance issues arise because organisations fail to recognise a request, misunderstand its scope, or do not coordinate effectively between HR, IT and management teams.

  • Why does a data subject access request matter for your business?

    A data subject access request places your organisation’s data handling, record-keeping and decision-making directly under scrutiny. How you respond can have a significant impact on legal risk, employee relations and organisational credibility.

    If a data subject access request is mishandled, potential consequences include:

    • Complaints to the Information Commissioner’s Office (ICO)
    • Regulatory enforcement action or financial penalties
    • Damage to trust and workplace relationships
    • Disclosure of inappropriate or informal internal commentary
    • Reduced credibility in employment tribunal proceedings

    For many SMEs, a data subject access request exposes weaknesses such as inconsistent records, fragmented systems or unclear ownership. When handled correctly, however, it demonstrates strong governance, professionalism and confidence in your HR processes.

  • Data subject access request – best practice for employers

    Effective management of a data subject access request depends far more on preparation than speed. Employers that handle data subject access requests well usually have clear structures in place long before a request is received.

    Best practice includes:

    • A clear, documented data subject access request policy and process
    • Defined ownership between HR, senior leadership and IT
    • Manager training on professional record-keeping and language
    • Centralised and searchable HR and people data systems
    • A formal log to track data subject access requests and deadlines
    • Consistent and lawful redaction practices
    • A clear audit trail explaining how decisions were reached

    For growing businesses, data subject access requests often arise alongside wider people issues. Having access to experienced HR support helps ensure responses are proportionate, compliant and aligned with your broader employee relations strategy.

  • Common data subject access request mistakes employers make

    Most problems with data subject access requests are unintentional and stem from misunderstanding how technical and time-sensitive the process is.

    Common data subject access request mistakes include:

    • Failing to recognise that a data subject access request has been made
    • Asking the individual to complete a form before starting the response clock
    • Missing emails, messages or archived data
    • Over-disclosing third-party or confidential information
    • Redacting information inconsistently or without justification
    • Allowing managers to respond independently or informally
    • Missing statutory deadlines

    These mistakes can quickly escalate a data subject access request into a regulatory or legal issue. A structured, centrally managed approach significantly reduces risk.

  • How data subject access requests link to grievances, disciplinaries and tribunals

    In many cases, a data subject access request is not an isolated event but part of a wider employment dispute.

    Data subject access requests frequently arise:

    • Before or during grievance processes
    • During disciplinary investigations
    • In redundancy, capability or performance disputes
    • As preparation for an employment tribunal claim

    Because information disclosed in response to a data subject access request may later be relied upon as evidence, inconsistencies or poorly worded records can weaken an employer’s position. This is why handling a data subject access request should never be treated as a purely administrative task.

Your Questions Answered

Everything you need to know about data subject access requests

  • What is the legal deadline for responding to a data subject access request?

    Employers must respond to a data subject access request within one calendar month of receipt. In complex cases, this can be extended by up to two additional months, provided the individual is informed.

  • Can an employee use a data subject access request to obtain emails and notes?

    Yes. A data subject access request can cover emails, messages and management notes where the individual can be identified.

  • Can an employer refuse a data subject access request?

    Only in limited circumstances, such as where a data subject access request is manifestly unfounded or excessive. Refusal should be approached cautiously and supported by clear justification.

  • Does a data subject access request require disclosure of everything held?

    No. Employers can lawfully redact third-party data, legally privileged material and certain confidential information, where appropriate.

  • Who should manage data subject access requests in a business?

    Overall responsibility sits with the employer. In practice, HR usually leads the data subject access request process, supported by senior leadership, IT and specialist advisers where required.

  • When will the Employment Rights Bill come into force?

    The Bill is expected to roll out in stages from 2024–2025, with different reforms introduced gradually to give businesses time to adapt.

  • Who can help me stay legally compliant with employment law?

    Specialist HR consultancies such as impact HR provide expert advice, templates, training, and ongoing support, helping SMEs remain legally compliant while focusing on growth.

  • Do I need external support to be compliant with employment law?

    Employment law is complex and changes regularly. External HR support helps businesses avoid mistakes, reduce risk, and stay compliant.

  • What happens if my business fails to comply with employment law?

    You may face tribunal claims, fines, reputational damage, and difficulty hiring or retaining staff.

  • How does GDPR affect HR?

    Employers must handle employee data lawfully, securely, and transparently, in line with the Data Protection Act 2018 and UK GDPR.

  • Do employers have to offer a pension?

    Yes. The Pensions Act 2008 makes automatic enrolment mandatory for eligible employees.

  • What is changing under the Employment Rights Bill?

    Employees will gain day-one rights for sick pay, parental leave, and unfair dismissal protection. Flexible working and zero-hours protections will also be strengthened.

  • What is the minimum paid holiday entitlement in the UK?

    5.6 weeks (28 days for a full-time employee), which can include bank holidays.

  • How many hours can an employee work?

    The Working Time Regulations 1998 set a limit of 48 hours on average per week (unless the employee opts out).

  • What are the nine protected characteristics under the Equality Act 2010?

    Age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation.

  • Can I dismiss an employee without a process?

    No. Employers must follow a fair process and have a valid reason, otherwise they risk unfair dismissal claims.

  • What is the main employment law in the UK?

    The Employment Rights Act 1996 covers the majority of employee rights, including contracts, dismissal, redundancy, and parental leave.
