Managing Data Subject Access Requests

Learn how to respond to your employees’ right to access their personal data.

People have the right to access their own personal data – this is to say any information from which they can be identified. In an employment context, this could include any document in which (for example) their name, initials, nickname, job title, payroll number, NI number is mentioned – the list is extensive.

Any employee has a right to ask their employer to send them copies of their personal data, by making what is called a “data subject access request” (DSAR). Businesses that process a lot of personal data tend to find this concept completely overwhelming.

While the General Data Protection Regulations 2016 and the Data Protection Act 2018 aim to increase transparency and the rights of data subjects, the legislation also acknowledges the monumental burden that a DSAR can sometimes create for a business.

In its most recent guidance (published on 22 October 2020) the Information Commissioners Office has recognised the potential for the DSAR to become weaponised by disgruntled employees. To level the playing field, it has for example reintroduced the ability for employers to “stop the clock” on the period for responding while clarification on the scope of the request is sought.

Although businesses can take some steps to gain more time, they are still required to respond “without undue delay”. They must also follow some important procedural requirements about how the response it made, and the additional information which must come with it. In some circumstances, it may be appropriate not to respond at all, depending on your appetite for legal and reputational risk.

This module will help you understand how these rules apply in the context of your own organisation, so you can develop an appropriate process.


About the course
Course content

  • the right of access
  • initial acknowledgement
  • requests for clarification
  • responding “without undue delay”
  • format of the response
  • deciding not to respond

Duration of course

half a day

Delivery options

webinar or face-to-face lecture-style

Learning outcomes

At the end of the module, you will understand what a DSAR is and what constitutes personal data. You should feel confident of the steps that need to be taken promptly on receipt of a DSAR and the relevant time limits for responding. Strategies for gathering and sharing data will be covered in detail, as will the legal requirements of the response. You will understand when it might be appropriate to not respond to a DSAR, and the potential legal and reputational implications of doing so.