How affected is your sector by DSARs? Trends, volumes, and what to do in 2026

Introduction

If your organisation has seen a spike in Data Subject Access Requests (DSARs), you’re not alone. In 2024 the UK ICO completed 36,049 data protection complaints, with DSAR issues remaining the most common reason people contact the regulator, part of a multi‑year trend that shows no sign of slowing.

Zooming in, complaints specifically about DSAR handling rose ~13.5% year‑on‑year, with notable concentrations in financial services (14% of DSAR‑related complaints), general business (9%), and online tech/telecoms (7%). For employers and regulated firms, this is more than an admin burden; it’s an exposure point for cost, risk, and reputation.

At the same time, the UK has updated the legal landscape. The Data (Use and Access) Act 2025 (DUAA) codifies two practical lifelines: “reasonable and proportionate” search and the ability to “stop the clock” while you seek clarification on a request. The ICO has already reflected these changes in its guidance on the right of access.

At GRC Hub, clients regularly ask us “Are you seeing an increase?” and “Why do you think SARs are increasing?”

In this article, we’ll unpack the sectors most affected by DSARs, explain the regulatory shifts behind the trends, and share a practical blueprint to reduce DSAR effort while strengthening defensibility.

Why DSARs are intensifying now

At GRC Hub, we are regularly asked by clients the same two questions:

“Are you seeing an increase in DSARs?”
“Why do you think they’re rising so sharply?”

The short answer is yes, across almost every sector we support. And the reasons are multidimensional, combining legal changes, workplace dynamics, data sprawl, and heightened public awareness.

Industry‑wide evidence reinforces what we’re seeing on the ground. In 2024, the ICO completed 36,049 data protection complaints, with DSAR‑related complaints continuing to dominate overall volumes. More specifically, complaints about DSAR handling rose ~13.5% year‑on‑year, with notable concentrations in finance (14%), general business (9%), and online tech/telecoms (7%).

But raw numbers don’t tell the full story. From our vantage point delivering DSAR services at scale, four real‑world drivers stand out:

  • DSARs are being used more tactically in employment disputes, grievances, and litigation preparation, a trend also reflected in sector commentary, especially in dispute‑heavy environments.
  • Data footprints have exploded. Organisations now store personal data across email, Teams, Slack, WhatsApp, ticketing systems, HR platforms, shared drives, CCTV, call logs and more. Even simple DSARs can require searching 10-20 repositories.
  • Awareness of rights is much higher. Media coverage, employee disputes and automated request tools have made it easier for individuals to exercise rights.
  • DUAA has clarified the rules, making DSARs feel more accessible by embedding “reasonable and proportionate” search criteria and formalising the “stop the clock” mechanism. 

Together, these factors mean DSARs are increasing not just in number, but in complexity, scope, and public expectation.

By sector: who’s most affected and why

1) Financial services

The ICO singled out the finance sector in 2024, noting a 15% rise in DSAR‑related complaints and urging firms to strengthen accountability, staff training, and performance monitoring around right‑of‑access processes. That message echoed the EDPB’s focus on coordinated enforcement, signalling a tougher environment across Europe too. 

Finance also features heavily in DSAR complaint shares (14% of cases in one analysis), reflecting high data volumes and heightened regulatory scrutiny. For firms grappling with complex records (communications archives, call audio, CRM histories, third‑party processors), the DUAA’s “reasonable and proportionate” standard is welcome, but only if you can evidence it. 

What good looks like (finance):

  • A playbook for clarification to narrow scope fast (“stop the clock” used correctly and logged). 
  • A search strategy that prioritises high‑yield repositories (email, Teams, line‑of‑business systems) with search queries saved and auditable.
  • A QA‑driven redaction process with defensible decisions on privilege, third‑party data, and internal candid communications.

2) Social housing and local government

While the Housing Ombudsman’s data focuses on resident service complaints, not DSARs per se, the trajectory is telling: determinations up ~30% year‑on‑year with 71% upheld, in a system facing acute operational pressures. This environment creates a perfect storm for DSAR volumes and complexity across housing providers. In particular, GRC Hub housing clients report a significant rise in DSARs, often relating to housing disrepair claims and tenant requests regarding comments made by neighbours.

Public bodies also face resource constraints, and the ICO has escalated where backlogs build, reinforcing that under‑resourced DSAR handling is a compliance risk in its own right. 

What good looks like (housing/public):

  • Plain‑English DSAR guidance for residents and staff (to reduce scatter‑gun requests).
  • Retention and storage hygiene to lower search footprints, e.g., discouraging informal WhatsApp groups for casework.
  • Playbooks for mixed third‑party data and safeguarding content, with proportionate redactions and clear audit trails.

3) Healthcare

Healthcare operates under extreme data sensitivity (clinical notes, call/audio, imaging) and rising demand. While national accounts and annual reports don’t isolate DSAR counts, sector commentary and government statistics show higher workload pressures and digital adoption, both factors that inflate the complexity of DSAR responses (voice, images, embedded PHI). 

What good looks like (healthcare):

  • Triage‑first to define clinical vs. administrative data scope; clarify identifiers up front (“stop the clock” properly recorded). 
  • Data discovery guardrails for large image/audio sets; ensure clinical exemptions and third‑party confidentiality are applied consistently.

4) Technology, online platforms, and telecoms

Online technology and telecoms were cited in ~7% of DSAR complaint cases in one cut of the data, reflecting the sheer breadth of personal data platform companies hold (cookies, tracking, behavioural data, identifiers across devices). EDPB activity also underscores cross‑border enforcement momentum.

What good looks like (tech/telco):

  • Data maps linking user IDs across services; credible cookie and tracking governance; standardised DSAR packs for common patterns.
  • Automated deduplication & format conversion to speed review without missing risk signals.

The law has shifted: DUAA and the “reasonable & proportionate” era

Two DUAA changes matter most to busy DSAR teams:

  1. You can “stop the clock” when you need clarification. Properly used, this protects timelines and reduces unnecessary processing. The ICO’s Right of Access guidance now reflects this.
  2. Searches must be “reasonable and proportionate”. This is now explicitly recognised in UK law; documenting why you limited certain systems or date ranges is vital for defensibility.

Together, these changes reward organisations that govern the DSAR process as a real business workflow, not a one‑off scramble.

A practical blueprint to lower DSAR cost and risk

1) Governance & playbooks (Phase 1 in our model)

  • Update your DSAR policy and SOPs to embed “stop the clock” and proportionality tests, with examples staff can follow.
  • Define roles & RACI: who triages, who approves scope, who engages the requester, who signs off risk decisions.

2) Data discovery with auditability

  • Standardise search strategies (saved queries, agreed filters, date ranges).
  • Keep search evidence logs for each DSAR so you can demonstrate why the scope was reasonable and proportionate.
  • Use advanced tools to ingest, deduplicate, and convert to review‑ready formats (MSG → PDF, video transcripts, etc.).

3) Redaction at scale

  • Drive automation‑first BAU filtering to strip out non‑personal/irrelevant material at the start, then manual review for edge cases and context.
  • Maintain a Redaction Log with exemption rationales (third‑party data, privilege, industrial relations).
  • Apply two‑stage QA on high‑risk matters (board, litigation, safeguarding).

4) Reporting and learning

  • Track time per task, page counts, and common pitfalls to refine playbooks.
  • Monitor trend analytics (roles/departments causing high volumes; data sources adding overhead).
  • Use monthly DSAR dashboards to brief the DPO, Legal, HR, and leadership.

Sector snapshots: signals to watch in 2026

  • Finance: Continued regulatory attention on DSAR performance and accountability; expect board‑level KPIs around response times, clarification rates, and outcomes.
  • Housing/public sector: Complaint volumes remain high and scrutiny is increasing; under‑resourced DSAR teams risk enforcement where backlogs persist.
  • Tech/telecoms: Cross‑border cases and EDPB coordination are increasing; standardisation of DSAR packs and cookie‑tracking governance will be critical.
  • All sectors: DUAA reduces ambiguity but raises the bar on documentation: if you can’t show why your searches were reasonable and proportionate, you haven’t really complied.

Humanising DSARs: why tone, clarity and empathy matter

DSARs often surface during stressful moments: grievances, disputes, or after a breach. The most resilient organisations treat requesters with clarity and empathy: plain‑English explanations, structured timelines, and transparent decisions (what was withheld and why). This reduces escalation and protects brand trust, especially in housing and healthcare, where lived experience and vulnerability are front‑and‑centre.

What next: a low‑friction way to raise your DSAR game

If you’re facing DSAR volume or complexity, consider a two‑phase approach:

  • Phase 1 – Governance & Readiness: mapping, DUAA‑aligned SOPs, proportionality framework, system architecture, training.
  • Phase 2 – On‑demand delivery: advisory triage, search & ingestion, review & redaction with clear metrics and board‑ready outputs.

This approach aligns to both regulatory expectations and operational reality, reducing cost waste while making outcomes defensible and repeatable. (If you’d like our detailed approach, see the GRC Hub DSAR service page and request the playbooks.)

→ Explore GRC Hub’s DSAR service, where we constantly deliver solutions like this to all the sectors listed above.

Frequently asked questions

What counts as a “reasonable and proportionate” DSAR search?
UK law now recognises that you only need to perform reasonable and proportionate searches; you can also pause the clock while seeking clarification. The ICO’s updated Right of Access guidance and the DUAA factsheets provide the baseline; your job is to evidence how you applied them.

Has the ICO really seen DSARs rise?
Yes. DSARs continue to top complaint categories, with 36,049 data protection complaints completed in 2024, and a ~13.5% rise in DSAR‑related complaints reported year‑on‑year in one analysis.

Which UK sectors are most exposed?
Finance has seen a 15% increase in DSAR‑related complaints, with finance, general business, and online tech/telecoms among the most cited categories. Housing and the public sector also operate in high‑complaint environments, which increases DSAR complexity.

How do we avoid backlogs?
Resource appropriately, use clarification playbooks to narrow scope, standardise Purview queries, and track throughput with dashboards. The ICO has escalated where backlogs persisted in public bodies, so early, visible governance matters.

Final thought

Whether you’re a bank, a housing provider, a trust, or a tech platform, the direction of travel is clear: DSARs are here in higher volume and complexity. The winners are building automation‑first workflows backed by human judgement and strong documentation.

If you want help turning this post into your operating reality, with clear outcomes in 30 days, we can stand up governance, tool configuration, and advisory support quickly.

Sources

  • ICO datasets: quarterly data protection complaints by sector/issue (2024–2025) [ico.org.uk]
  • ICO 2024 year‑in‑review (36,049 data protection complaints completed) [dataguidance.com]
  • Personnel Today: DSAR complaint volumes up 13.5%, sector shares (finance 14%, general business 9%, online tech/telecoms 7%) [personneltoday.com]
  • ICO Right of Access guidance updated for DUAA (reasonable & proportionate; stop‑the‑clock) [ico.org.uk]
  • UK Government DUAA factsheet: changes to UK GDPR/DPA on right of access [gov.uk]
  • Bird & Bird: ICO flags finance sector DSAR increases (~15%) and accountability recommendations [twobirds.com]
  • Housing Ombudsman Annual Complaints Review 2024–25 (rising determinations/upheld rates) [housing-om…man.org.uk]
  • Mills & Reeve: Public sector DSAR challenges and enforcement action for backlogs [mills-reeve.com]
  • EDPB Annual Report 2024: cross‑border cooperation and coordinated enforcement context [edpb.europa.eu]
  • Burness Paull: DSARs on the rise and operational complexity drivers (employees, comms tools) [burnesspaull.com]

Governance Risk & Compliance Hub LIMITED