DSAR Support: How to Respond to Requests Correctly

Introduction

Responding to a Subject Access Request (SAR) should be a routine GDPR process.
In reality, it is one of the most anxiety‑inducing compliance tasks organisations face.

Disclose too little, and you risk an ICO complaint.
Disclose too much, and you may expose confidential information, third‑party data, or legal risk.

This balancing act leads many organisations to ask:

“How do we respond to a Subject Access Request properly: without accidentally disclosing something we shouldn’t?”

This article explains where organisations go wrong, what the law actually requires, and how to strike the right balance when responding to SARs.

Why “Playing It Safe” Often Creates More Risk

A common instinct when handling SARs is to take an overly cautious approach:

  • Heavy redaction
  • Broad withholding of documents
  • Excluding internal emails “just in case”
  • Providing data without explanations

Ironically, this approach is a major cause of Subject Access Request complaints.

The ICO has consistently made it clear that:

  • SAR responses must be complete
  • Redactions must be justified
  • Decisions must be defensible and documented

A response that looks safe internally can easily appear non‑transparent or obstructive to a data subject, increasing regulatory risk rather than reducing it.

What Counts as “Personal Data” in a SAR?

Before deciding what to redact or withhold, organisations must understand what they are legally required to disclose.

Personal data includes:

  • Information that identifies a living individual
  • Information that relates to a living individual
  • Opinions or assessments about an individual
  • Internal correspondence if the individual is identifiable from context

This means SAR scope often includes:

  • Emails, Teams messages, and attachments
  • Manager notes and internal commentary
  • Case management systems and CRM logs
  • Draft documents involving decisions about the individual

What it does not include

  • Purely factual information about processes with no personal link
  • Anonymous statistical data
  • Information about the organisation itself (also known as business or corporate data), unless it relates to the individual

Misclassifying information is one of the most common causes of incomplete SAR responses.

Common Redaction Mistakes Organisations Make

1. Redacting opinions or comments

Internal opinions are still personal data if they relate to the individual, even if they are uncomfortable or informal.

SARs are not limited to positive or finalised information.

2. Removing names without context

Redacting names alone may still leave individuals identifiable through:

  • Job titles
  • Reporting lines
  • Unique roles

Redaction must be meaningful, not cosmetic.

3. Automatically withholding internal emails

There is no blanket exemption for “internal discussions”.

If an email:

  • Relates to the individual, and
  • Does not fall under legal privilege or another exemption

…it is likely disclosable.

4. Over‑reliance on “third‑party data”

Third‑party data does not automatically exempt disclosure.

The correct approach is:

  • Balance the rights of both parties
  • Redact where proportionate
  • Disclose where reasonable

A complete refusal is rarely justified.

When You Can Withhold or Limit Disclosure

UK GDPR does allow organisations to restrict disclosure in specific situations, but these restrictions must be applied narrowly and supported by evidence.

Common lawful bases include:

  • Legal professional privilege
  • Protection of another individual’s rights
  • Management forecasting or negotiations
  • Crime, taxation, or regulatory exemptions

What matters is not whether an exemption exists, but:

  • Whether it applies to the specific data
  • Whether the decision is documented
  • Whether the response explains the limitation clearly

Vague or unexplained withholding is a frequent ICO criticism.

The Importance of Contextual Information

A compliant SAR response is not just a document dump.

Organisations must also explain:

  • The purpose of processing
  • The lawful basis relied upon
  • Data sources (if not collected directly)
  • Retention periods
  • Sharing recipients
  • The individual’s rights and complaint options

Failing to include this information is a technical breach, even if all personal data has been disclosed.

Why Over‑Disclosure Can Be Just as Risky

While under‑disclosure attracts regulatory complaints, over‑disclosure creates different risks:

  • Breach of third‑party confidentiality
  • Exposure of commercially sensitive information
  • Regulatory conflicts (e.g. employment, financial, or safeguarding duties)
  • Escalation of disputes or litigation

Poor redaction decisions can quickly become secondary data breaches.

This is why SAR responses should be treated as governance decisions, not administrative tasks.

Key Takeaways

  • “Disclose everything” is not compliance; it’s risk
  • “Redact heavily” is not defence; it’s obstruction
  • SAR responses require judgement, documentation, and governance
  • Most complaints arise from poor decision‑making, not bad intent

Handled correctly, SARs become routine.
Handled poorly, they expose wider compliance gaps.

Need Support with a High‑Risk Data Subject Access Request?

If you are handling:

  • A contentious or sensitive SAR
  • An employee or dispute‑driven request
  • A SAR involving significant internal correspondence
  • A potential ICO escalation

GRC Hub can help you respond confidently, proportionately, and defensibly.


Governance Risk & Compliance Hub LIMITED

© 2026 All rights reserved