Data Subject Access Requests (DSARs): How to Handle Them Effectively and Stay Compliant in 2026

Introduction

Data Subject Access Requests (DSARs) are one of the most common challenges for organisations under UK GDPR and the Data Protection Act 2018. They sound simple (give people access to their data), but in practice they can be complex, time-consuming, and high-risk if mishandled.

This guide combines practical advice, recent UK updates, and insights from real-world cases to help you manage DSARs efficiently while protecting your organisation.

Why DSARs Are Often Broad (and Why That Matters)

Many requests are broad when submitted and, unfortunately, often ask for all of the information an organisation holds on the requester. It is the job of the Data Protection team to confirm that the individual is who they say they are, that the request is genuine, and that the searches are proportionate to what the requester actually wants to access.

Generally, requests are submitted for a specific purpose, prompted by some occurrence. If the request is external (from a tenant, patient or customer), it is often submitted because of dissatisfaction with how you have handled their information or with the service they have received, frequently with a settlement in mind. Such requests can often be considered weaponised.

Conversely, if the requester is an employee, the request may relate to a dismissal, a grievance, or something else specific. Clarifying any complexities in the request is crucial both to get the best outcome for the data subject and to alleviate the burden on your organisation.

It’s Not Just About Knowing UK GDPR

Handling SARs effectively isn’t just about how well you understand Data Subject Rights, the GDPR and its exemptions; it also depends on your knowledge of assistive tools and technologies and your ability to use them to their full potential.

This is especially true of search criteria. A well-defined search strategy can save hours of unnecessary work and reduce risk.

What’s New in 2026: DUAA Safeguards and ICO Guidance

The Data (Use and Access) Act 2025 (DUAA) has added some safeguards for businesses, and the ICO’s updated guidance (Dec 2025) clarifies two key points:

  • Stop the clock: You can pause the one-month deadline while verifying identity, seeking clarification, or awaiting a permitted fee. This is now formally recognised.
  • Reasonable and proportionate search: You’re expected to search where data is likely to be, not everywhere imaginable. This principle is reinforced by case law (Ashley v HMRC, 2025).

Timelines and Extensions

  • One calendar month from receipt of the SAR (same date next month).
  • Extensions: Up to two months for complex or multiple requests, but you must notify the requester within the first month.
  • Pausing the clock: Allowed for ID checks, clarification, or fee collection.
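The timeline rules above (one calendar month from receipt, an extension of up to two months that must be notified within the first month, and "stop the clock" pauses) are easy to get wrong when several pauses and an extension apply to the same case. The following tracker is an added example written for this article, not code from GRC Hub, that applies those rules to a constructed case. Two assumptions are made that the article does not state: where the following month has no corresponding date (a request received on 31 January), the deadline is clamped to the last day of that month, as ICO practice provides; and pauses are counted in whole days and shift every deadline by the same amount. Weekend and bank-holiday adjustments are deliberately not modelled.

```python
"""SAR deadline tracker with stop-the-clock pauses and extensions.

Added example, not from the original article. Case references such as
"SAR-0001" and all dates are constructed for illustration.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta


def add_months(start: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to the last day of that month.

    Assumption (ICO practice, not stated in the article): 31 January + 1 month
    becomes 28 February in a non-leap year rather than rolling into March.
    """
    month_index = start.month - 1 + months
    year, month = start.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class SarCase:
    """One SAR with its receipt date, clock-stop pauses and any extension."""

    reference: str                                      # constructed id, e.g. "SAR-0001"
    received: date
    pauses: list[tuple[date, date, str]] = field(default_factory=list)
    extension_months: int = 0                           # 0, 1 or 2
    extension_notified_on: date | None = None

    def stop_clock(self, start: date, end: date, reason: str) -> None:
        """Record a pause for one of the three permitted reasons."""
        if end < start:
            raise ValueError("pause must end on or after it starts")
        if reason not in {"identity", "clarification", "fee"}:
            raise ValueError("pause reason must be identity, clarification or fee")
        self.pauses.append((start, end, reason))

    def paused_days(self) -> int:
        """Total whole days the clock was stopped (pauses assumed not to overlap)."""
        return sum((end - start).days for start, end, _ in self.pauses)

    def base_deadline(self) -> date:
        """One calendar month from receipt, pushed back by any paused days."""
        return add_months(self.received, 1) + timedelta(days=self.paused_days())

    def extend(self, months: int, notified_on: date) -> None:
        """Extend by one or two months; only valid if notified within the first month."""
        if months not in (1, 2):
            raise ValueError("extension must be one or two months")
        if notified_on > self.base_deadline():
            raise ValueError("extension must be notified within the first month")
        self.extension_months = months
        self.extension_notified_on = notified_on

    def deadline(self) -> date:
        """Current statutory response date including extension and pauses."""
        months = 1 + self.extension_months
        return add_months(self.received, months) + timedelta(days=self.paused_days())

    def is_overdue(self, today: date) -> bool:
        return today > self.deadline()


if __name__ == "__main__":
    case = SarCase("SAR-0001", date(2026, 1, 31))            # constructed case
    print(case.deadline())                                   # 2026-02-28 (clamped)
    case.stop_clock(date(2026, 2, 2), date(2026, 2, 9), "identity")
    print(case.deadline())                                   # 2026-03-07
    case.extend(2, notified_on=date(2026, 2, 20))
    print(case.deadline())                                   # 2026-05-07
```

Because `extend()` checks the notification date against the pause-adjusted first-month deadline, a late notification is rejected rather than silently accepted, which is the failure the ICO complaints figures in this article are about. The recorded pauses and notification date are also what you would put in the audit trail.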

Why SARs Are High-Risk for Organisations

SAR complaints remain the top driver of ICO grievances, with a 13.5% rise in 2024. In August 2024, the ICO reprimanded the Labour Party for severe SAR backlogs: 78% of 352 outstanding SARs were overdue, with over half delayed by more than a year. This shows why robust processes matter.

Practical Steps: Assess → Align → Assure

Assess

  • Log and acknowledge the request immediately.
  • Verify identity and clarify scope early.

Align

  • Plan a reasonable, proportionate search.
  • Use tools to automate collection and redaction where possible.

Assure

  • Apply exemptions narrowly.
  • Deliver securely and include required supplementary information.

Common Pitfalls and How to Avoid Them

  • Broad requests: Don’t assume you need to provide “everything.” Clarify scope and document your reasoning.
  • Ignoring context: Understand why the request was made—this often signals what data they actually want.
  • Failing to document: Keep an audit trail of decisions, pauses, and communications.

Handling Requests Submitted on Behalf of Someone Else

It’s increasingly common for SARs to be submitted by a third party, such as a solicitor, family member, or legal guardian, acting on behalf of the data subject. These are valid under UK GDPR, but they require extra diligence.

1) Verify authority and identity

  • Obtain a signed letter of authority from the data subject (or an appropriate legal instrument, e.g., power of attorney or court order).
  • Verify the identities of both the data subject and the representative.
  • Record what you relied on and when you received it (for audit and to set/adjust the deadline).

2) Confirm scope and consent

  • Ensure the request clearly states what data is sought and that the data subject understands and consents to disclosure to the representative.
  • If unclear, seek clarification and note the clock‑stop until you receive it.

3) Apply standard timelines

  • The one‑month deadline applies once you have sufficient authority and ID to proceed.

4) Deliver securely

  • Provide the response to the authorised representative via an encrypted channel or secure portal.
  • Keep a full audit trail of verification, decisions, and delivery steps.

When to refuse a third‑party SAR

You may refuse (or limit) a third‑party SAR where:

  • Authority cannot be verified (no valid LoA, PoA, or mandate).
  • Identity checks fail for either the subject or the representative.
  • The request is manifestly unfounded or excessive (e.g., abusive, clearly disproportionate, or repetitive), in which case you can also consider charging a reasonable fee.
  • Disclosure would infringe third‑party rights or involve privileged material, and redaction or partial disclosure cannot reasonably resolve the risk.

When refusing, explain your reasons, set out any alternatives (e.g., provide non‑content information or invite a narrower scope), and advise of the right to complain to the ICO.

The Rise of AI-Generated SARs

An emerging challenge for organisations is the rise of AI-generated SARs. These requests, often automated and submitted in bulk, can overwhelm traditional processes and introduce new risks around verification and response accuracy. AI tools make it easier for individuals, or even malicious actors, to generate complex, high-volume requests, increasing the strain on compliance teams.

To learn more about how AI is shaping the SAR landscape and what strategies you can adopt to stay ahead, check out our dedicated blog:
AI in DSARs: What You Need to Know.

When to Seek SAR Support

Managing Subject Access Requests (SARs) can be challenging, and external support can be invaluable in certain situations. However, at GRC Hub, we always recommend optimising your internal processes first to ensure efficiency and compliance.

Start by reviewing your SAR process end-to-end:

  • Have you mapped every step, from intake to response?
  • Are roles and responsibilities clearly defined?
  • Do you have a robust tracking mechanism to avoid missed deadlines?

SAR volumes are inherently unpredictable and fluctuate over time, making them difficult to forecast and resource effectively. Unless your organisation handles SARs continuously and at scale, maintaining dedicated staff or investing in expensive tools may not be practical.

GRC Hub provides a specialist SAR efficiency mapping service that uses tools to highlight inefficiencies in your process and assess its current compliance.

When does outsourcing make sense?

  • If SARs occur sporadically and you cannot justify a full-time hire.
  • When employee SARs arise and internal resources are stretched.
  • If costly compliance tools are not feasible for your organisation.

In some cases, outsourcing becomes essential when conflicts of interest arise, such as when your Data Protection or Information Access team is named in the request or closely involved in the matter. External specialists provide neutrality, expertise, and assurance that the process remains compliant and unbiased.

Once all of the above have been satisfied, external support is also worth considering for:

  • High-volume or multi-system searches.
  • Requests involving sensitive third-party data or legal privilege.
  • Repeat or weaponised requests where proportionality and defensibility matter.

Final Thought and DPO comment

SARs aren’t just a compliance checkbox, they’re a reputational risk and a resource drain if handled poorly. With clear scoping, smart use of technology, and documented decisions, you can meet legal obligations without overwhelming your team.

As a Data Protection Officer (DPO) in 2026, efficient management of Data Subject Access Requests (DSARs) hinges on leveraging new flexibilities provided by the Data (Use and Access) Act 2025 while maintaining strict transparency.

  • Utilise “Stop the Clock” Powers: You can now officially pause the one-month response deadline by seeking clarification if it is reasonably required to fulfil the request effectively.
  • Apply Proportionality: Conduct “reasonable and proportionate” searches; you are no longer required to check every single file if doing so would be disproportionate to the importance of the data subject’s right, especially when dealing with massive datasets.
  • Broad Request: Work with the Data Subject to proactively refine the scope.
  • Implement “Meaningful” Automated Triage: Use AI or e-discovery tools to filter out non-personal or duplicate data, but ensure human review for complex redactions and the final response to prevent accidental data breaches.
  • Maintain an Audit Trail: Document every decision, keyword used, and reason for applying exemptions to provide a defensible rationale if the individual exercises their right to complain directly to you or the ICO. Keep a log of all search terms and system logs so you can demonstrate a full audit trail from search terms and the extract through to final release.
 
– Laura Brentnall (GRC Hub Data Protection Consultant)
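The audit trail called for in the pitfalls section ("Keep an audit trail of decisions, pauses, and communications") and in the DPO comment above is only defensible if it can be shown not to have been edited after the fact. The following is an added example, not code from the article or from GRC Hub, of a tamper-evident case log: each action on a SAR (receipt, clock-stop, search term and system, exemption decision, release) is stored as one JSON line carrying the SHA-256 hash of the previous entry, so any later edit, deletion or reordering is detected when the file is verified. The case reference, actor names, timestamps and search terms are all constructed.

```python
"""Hash-chained audit trail for a SAR case.

Added example, not from the original article. All identifiers and entries
are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # predecessor hash used for the first entry


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so an entry always hashes the same way, before and after storage."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _entry_hash(prev_hash: str, body: dict) -> str:
    """Hash of this entry bound to its predecessor's hash."""
    return hashlib.sha256(prev_hash.encode("ascii") + _canonical(body)).hexdigest()


class SarAuditTrail:
    """Append-only, hash-chained record of everything done on one SAR case."""

    def __init__(self, case_ref: str) -> None:
        self.case_ref = case_ref          # constructed id, e.g. "SAR-0001"
        self.entries: list[dict] = []

    def record(self, action: str, detail: dict, actor: str, at: str | None = None) -> dict:
        """Append one entry: a search, an exemption decision, a clock-stop, a release."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {
            "seq": len(self.entries),
            "case": self.case_ref,
            "at": at or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev": prev,
        }
        entry = {**body, "hash": _entry_hash(prev, body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int]:
        """Recompute the chain. Returns (True, -1), or (False, index of the first bad entry)."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (body.get("seq") != i or body.get("prev") != prev
                    or entry.get("hash") != _entry_hash(prev, body)):
                return False, i
            prev = entry["hash"]
        return True, -1

    def to_jsonl(self) -> str:
        """Serialise as JSON Lines for storage alongside the case file."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries) + "\n"

    @classmethod
    def from_jsonl(cls, case_ref: str, text: str) -> SarAuditTrail:
        trail = cls(case_ref)
        trail.entries = [json.loads(line) for line in text.splitlines() if line.strip()]
        return trail


def build_sample_trail() -> SarAuditTrail:
    """Constructed walkthrough of one case; fixed timestamps keep the hashes stable."""
    t = SarAuditTrail("SAR-0001")
    t.record("received", {"channel": "email"}, "dp-team", "2026-01-31T09:12:00+00:00")
    t.record("clock_stopped", {"reason": "identity", "from": "2026-02-02", "to": "2026-02-09"},
             "dp-team", "2026-02-02T10:00:00+00:00")
    t.record("search", {"system": "HR case system", "terms": ["A Requester", "grievance 2025"]},
             "analyst-1", "2026-02-10T14:30:00+00:00")
    t.record("exemption_applied", {"exemption": "legal privilege", "documents": 3,
             "rationale": "advice from counsel"}, "dp-team", "2026-02-18T16:05:00+00:00")
    t.record("released", {"method": "secure portal", "pages": 142}, "dp-team",
             "2026-03-05T11:00:00+00:00")
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print(trail.verify())                                  # (True, -1)
    reloaded = SarAuditTrail.from_jsonl("SAR-0001", trail.to_jsonl())
    print(reloaded.verify())                               # (True, -1)
    reloaded.entries[3]["detail"]["documents"] = 0         # simulate a later edit
    print(reloaded.verify())                               # (False, 3)
```

The chain catches edits, deletions and reordering anywhere in the middle of the log, but not removal of the most recent entries, since nothing after them points back. To close that gap, copy the latest hash into a separate record (the case management ticket, for instance) each time the trail is updated, and compare it when the log is verified.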
 

FAQ: Subject Access Requests (SAR Support)

1. What is a Subject Access Request (SAR)?

A SAR is a formal request under UK GDPR that allows individuals to access their personal data held by an organisation. It includes details on how their data is processed, shared, and stored.

2. How long do I have to respond to a SAR?

You must respond within one calendar month of receiving the request. Extensions of up to two months are allowed for complex or multiple requests, but you must notify the requester within the first month.

3. Can I pause the SAR deadline?

Yes. Under ICO guidance and DUAA safeguards, you can stop the clock while verifying identity, seeking clarification, or awaiting a permitted fee.

4. What makes a SAR “complex”?

The following are examples of factors that may, in some situations, add to the complexity of a request:

  • Experiencing technical difficulties with retrieving the information (e.g. if information is electronically archived).
  • Applying an exemption that involves large volumes of particularly sensitive information.
  • Clarifying potential issues around disclosing information about a child to a legal guardian.
  • Requiring specialist work to obtain the information or communicate it in an intelligible form.
  • Clarifying potential confidentiality issues around disclosing sensitive medical information to an authorised third party.
  • Needing to obtain specialist legal advice (however, if you routinely obtain legal advice, it’s unlikely to be complex).
  • Searching large volumes of unstructured manual records, only applicable to public authorities.

You must be able to show why a request is complex in the particular circumstances.

5. When should I outsource SAR handling?

Outsourcing SARs is ideal when:

  • Requests are infrequent but resource-intensive.
  • Internal teams are conflicted or named in the SAR.
  • You face high-volume or weaponised requests.

6. When can we refuse a third‑party SAR?

If authority/identity can’t be verified, the request is manifestly unfounded or excessive, or disclosure would compromise third‑party rights or privilege. Explain your reasons and signpost the right to complain to the ICO.

Need more help?

👉 Explore our SAR Support Services for expert help.


Governance Risk & Compliance Hub LIMITED