DSARs and the Risk Budget Blindspot
Companies routinely underestimate the true exposure that a single data subject access request can create until one arrives in the wake of a dispute they were already losing. Here is why that complacency is no longer defensible.
Every individual whose personal data a company touches (its employees, customers, clients, contractors, even failed job applicants) holds a statutory right under UK GDPR to ask that company what it holds on them and to be shown it. This is the data subject access request, or DSAR, and it is one of the most underestimated instruments of legal exposure in modern business: not because it is obscure, but because most organisations meet it with a mixture of surprise, improvisation and insufficient resource. The cost of that unpreparedness is substantial, and it compounds.
A Right, Not a Courtesy
Under Article 15 UK GDPR the right of access is unambiguous. A data subject may request confirmation of whether their personal data is being processed and, if so, a copy of that data together with supplementary information: the purposes of the processing, its recipients, the retention period, the source of the data where it was not collected from the requester, and the existence of any automated decision-making. The right attaches to any identifiable individual; there is no carve-out for inconvenient relationships. An employee facing disciplinary proceedings, a customer in a contractual dispute, a redundant executive: all carry the same entitlement as the most benign enquirer. The restrictions that exist are deliberately narrow. The exemptions in Schedule 2 to the Data Protection Act 2018 (legal professional privilege, management forecasting and negotiations with the requester, among others) must be applied document by document and the reasoning recorded. They are not a general licence to withhold uncomfortable material. Organisations that treat them as such invite enforcement action and, more consequentially, adverse inference in the very proceedings that prompted the DSAR in the first place.
The Cost Is Not Abstract
The commercial reality of an unmanaged DSAR response is best understood through its component costs, each of which scales sharply in the absence of prior process. Without a data inventory or record of processing activities (ROPA) to consult, retrieval alone consumes days of senior staff time across IT, HR and Legal: functions that have no shared language for the task and no established workflow to coordinate it. Legal review of the retrieved material compounds this; where documents have not been categorised or managed under a retention policy, the review is effectively a volume exercise conducted under time pressure. Redaction of third-party personal data, which Article 15(4) requires so that the rights of individuals who are not the requester are not adversely affected, becomes a manual, line-by-line undertaking with no tooling and no precedent to draw from. External counsel, engaged reactively, must be briefed from scratch at a point when the clock is already running.
That clock is unforgiving. The statutory response window is one month from receipt of the request, extendable by a further two months (three in total) only where the complexity or number of requests genuinely justifies it, and the requester must be told of the extension, with reasons, within the first month. Miss it, and the organisation is in breach of Article 12(3), independently of whether the substantive response, when it eventually arrives, is adequate. For a company with no established process, the procedural breach often arrives before the substantive one.
Regulatory Exposure: The Wider Lens
A poorly handled DSAR, whether late, incomplete or improperly redacted, can attract a complaint to the ICO. That complaint, in isolation, may result in nothing more than a regulatory letter. But where it reveals indicators of wider systemic failure (no privacy notice, no record of processing activities, no lawful basis documentation) the regulator may elect to examine the organisation's data governance more broadly. The DSAR becomes a gateway: an investigation into one mishandled access request can, and does, expand into a formal assessment of the organisation's entire processing framework. For companies in regulated sectors (financial services, healthcare, professional services) the reputational consequence of a regulatory finding extends well beyond the ICO's own enforcement, into FCA reporting obligations for financial services firms, client notifications and market standing. The ICO regards DSAR handling as a proxy for organisational data maturity: a company that cannot respond coherently to an individual's request to see their own data is unlikely to have its broader processing activities in order. Regulators are efficient. They follow the signal.
Privacy as Commercial Infrastructure
The framing of privacy compliance as a cost centre is analytically wrong, and increasingly commercially untenable. A robust DSAR framework does not exist in isolation; it requires, and therefore drives, the foundational elements of a mature privacy programme. A current ROPA under Article 30 is a prerequisite: without one, data retrieval for a DSAR is forensic guesswork. Lawful basis documentation must be capable of withstanding scrutiny at the point of challenge. Privacy notices for each data subject category (employees, customers, suppliers) must provide the Articles 13 and 14 information that any DSAR response will reference back to. A retention policy limits what must be searched and therefore the cost, and litigation risk, of what is found. A breach response protocol must coordinate with DSAR handling, since a breach is frequently what triggers one. And a clear internal escalation pathway (who owns the request, who reviews legally sensitive material, who signs off the response) must exist before the request arrives, not after. Each of these elements answers an obligation that exists under UK GDPR whether or not a DSAR ever arrives. The DSAR process simply makes their absence visible, at the worst possible time.
The Commercial Case for Acting Now
For UK and European businesses operating at scale, the asymmetry is stark. The cost of implementing a DSAR policy (designing the workflow, training staff, integrating it with existing legal and HR processes) is fixed, modest and largely a one-time investment. The cost of the first unmanaged DSAR, in external legal fees, senior management time, regulatory exposure and litigation risk, will typically exceed it many times over. More significantly, DSAR exposure clusters at precisely the moments of highest organisational stress: the dispute that was already going badly, the breach already under investigation, the employment claim from the most senior departing employee. Unpreparedness does not merely add cost to these situations; it compounds the risk already present. Companies that invest in privacy compliance infrastructure are, in practical terms, purchasing the ability to respond to adversity from a position of control rather than exposure.