Help! I've Just Received My First DSAR — What Do I Do?
You've just opened an email — or maybe a letter — and someone is asking for "all the personal data you hold about me." They might have called it a Subject Access Request, a SAR, or a DSAR. You might never have heard of any of those terms before this morning.
Don't panic. You're not in trouble (yet), you have time to get this right, and by the end of this guide you'll know exactly what to do. This is a step-by-step walkthrough for the person who actually has to deal with this — not a legal textbook, not a sales pitch for a law firm, just the practical reality of what needs to happen and in what order.
First things first: what actually is a DSAR?
A DSAR — Data Subject Access Request — is a legal right under Article 15 of UK GDPR. It means any individual can ask your organisation for a copy of the personal data you hold about them, along with some information about how and why you're processing it.
The key things to know right now:
It doesn't need magic words. The person doesn't have to use the phrase "Subject Access Request" or cite any legislation. An email saying "Can you send me everything you have on me?" counts. So does a verbal request, though you'll want to note it down. If in doubt, check the ICO guidance on how to recognise a SAR.
Motive doesn't matter. Even if you suspect the person is fishing for ammunition ahead of a complaint or legal claim, the request is still valid. You can't refuse because you don't like why they're asking.
You almost certainly have to comply. If your organisation processes personal data in any form — customer records, HR files, emails, CCTV, CRM entries, spreadsheets — you're a data controller and DSARs apply to you. It doesn't matter whether you're a two-person company or a 500-person housing association. (The ICO's is the definitive reference.)
You don't need an expensive solicitor. Unless the situation is genuinely complex (and most first DSARs aren't), you can handle this yourself by following a clear process.
Step 1: Confirm you've received a valid request (Day 1)
Before the clock starts ticking, check three things:
Is this actually a DSAR? If someone is asking for their own personal data — even informally — it's a DSAR. If they're asking for general company information, that's something else (and if you're a public body, it might be a Freedom of Information request instead).
Can you identify the person? You need to be reasonably sure that the person making the request is who they say they are. If they've emailed from an address you already have on file, that's usually sufficient. If you have reasonable doubts, you can ask for ID — and under the Data (Use and Access) Act 2025, you can now formally "stop the clock" on your response deadline while you wait for verification. But don't use this as a stalling tactic; ask promptly and only if you genuinely need to.
Is the request clear enough to act on? If someone asks for "everything you hold about me," that's broad but valid. If the request is genuinely unclear — you're not sure which "John Smith" they mean, or they've referenced data you don't think you hold — you can ask for clarification. Again, the clock pauses while you wait for their reply, but you need to ask quickly and explain what you need.
Your action: Log the request, note the date received, and acknowledge it. A simple email saying "Thank you for your request — we've received it and will respond within one calendar month" is fine.
Step 2: Understand your deadline (Day 1)
You have one calendar month from the day after you receive the request. Not 30 days — one calendar month. So if you receive a DSAR on 15 March, your deadline is 15 April.
If the request is genuinely complex, or the same person has sent you multiple requests, you can extend by up to two additional months (making three months total). But you must tell the person within the original one-month window that you're extending and explain why.
In practice, most straightforward DSARs — especially a first one from a single individual — should be manageable within the standard month.
Your action: Put the deadline in your calendar. Work backwards from it. Treat it as a hard deadline, because it is one.
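The deadline arithmetic from Steps 1 and 2 is easy to get wrong at month ends and when the clock is paused, so here it is worked through in code. This is an added example, not something from the guide, the ICO or DactIQ: the corresponding-date rule follows the guide's 15 March to 15 April example, the month-end fallback (31 January plus one month gives the last day of February) is the ICO's published practice, and the "stop the clock" model, which simply does not count the days between asking for ID or clarification and receiving it, is a simplification I have assumed rather than the statute's wording.

```python
"""DSAR response deadline arithmetic for Steps 1 and 2.

Added example, not from the guide, the ICO or any redaction tool. Implements the
one-calendar-month rule with the ICO month-end fallback, the two-month extension,
and a simplified model of the DUAA 'stop the clock' pause.
"""
import calendar
from datetime import date, timedelta


def add_calendar_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` later.

    When the target month is shorter (31 January + 1 month), the ICO's practice
    is to use the last day of that month (28 or 29 February).
    """
    total = start.month - 1 + months
    year, month = start.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def paused_days(asked: date, answered: date) -> int:
    """Days the clock stood still between asking for ID/clarification and getting it.

    Simplifying assumption (mine, not the statute's wording): whole days between
    the request for information and its receipt are not counted towards the month.
    """
    if answered < asked:
        raise ValueError("answer cannot predate the request for it")
    return (answered - asked).days


def dsar_deadline(received: date, extended: bool = False, pause: int = 0) -> date:
    """Final response date: one month, or three if a complex-request extension
    applies, shifted by any paused days."""
    months = 3 if extended else 1
    return add_calendar_months(received, months) + timedelta(days=pause)


def extension_notice_deadline(received: date, pause: int = 0) -> date:
    """Last day to tell the requester you are extending: inside the original month."""
    return dsar_deadline(received, extended=False, pause=pause)


if __name__ == "__main__":
    received = date(2026, 3, 15)
    print("standard deadline:", dsar_deadline(received))
    pause = paused_days(date(2026, 3, 17), date(2026, 3, 24))  # ID asked for / received
    print("after a 7-day ID pause:", dsar_deadline(received, pause=pause))
    print("if extended, must notify by:", extension_notice_deadline(received, pause=pause))
    print("extended deadline:", dsar_deadline(received, extended=True, pause=pause))
    print("31 Jan + 1 month:", add_calendar_months(date(2026, 1, 31), 1))
```

Put the computed date in the calendar and keep the ID request and reply dates in the log: if the pause is ever challenged, those two dates are what justify the later deadline.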
Step 3: Find the data (Days 2–10)
This is usually the most time-consuming part, and where most organisations underestimate the effort involved.
You need to search everywhere you might hold personal data about this individual. Think broadly:
Digital systems: Email (including sent items and archives), your CRM or customer database, HR/personnel systems, finance and payroll systems, project management tools, shared drives, cloud storage, messaging platforms like Slack or Teams.
Physical records: Paper files, filing cabinets, notebooks, printed correspondence.
Less obvious places: CCTV footage, call recordings, website analytics tied to an identifiable individual, door access logs, any notes or minutes from meetings where the person is mentioned.
You don't have to turn your organisation inside out. The Data (Use and Access) Act 2025 now confirms in statute that you only need to conduct reasonable and proportionate searches. That means you should search the systems where you'd reasonably expect to find data about this person, but you're not required to trawl through every backup tape or archived server on the off-chance something exists. (The ICO's guidance on what to consider when responding to a request covers this in more detail.)
The important thing is that you can explain and justify the scope of your search if challenged. "We searched our CRM, email, HR system, and shared drive" is a defensible answer. "We only checked one folder" probably isn't.
Your action: Make a list of every system and location where this person's data might exist. Search each one systematically and save or export what you find.
If you're a housing association: Your data is likely spread across tenancy management systems, repairs databases, complaints logs, email correspondence, and potentially CCTV. Tenancy disputes and complaints are among the most common DSAR triggers in the housing sector. Check all of these — and don't forget informal records like notes from phone calls or handwritten file notes.
Step 4: Review what you've found (Days 10–20)
You now have a pile of documents, emails, database exports, and possibly some CCTV footage. Before you hand any of it over, you need to review it carefully. This is where the real work happens, and where mistakes are most commonly made.
There are three things you're looking for:
A. Third-party personal data
This is the big one. Your DSAR response must include the requester's personal data, but it must not include identifiable personal data belonging to other people — unless those individuals have consented or it's reasonable to disclose without consent.
In practice, this means you'll need to redact (black out or remove) the names, contact details, and any other identifying information of third parties that appear in the documents you've gathered. Think about:
- Other people's names and email addresses in correspondence
- Other tenants, employees, customers, or service users mentioned in records
- Staff names and opinions in internal notes (though note: factual information about staff actions in their professional capacity is sometimes disclosable — this is a grey area that depends on context)
Redaction is often the most labour-intensive step in a DSAR response. If you're dealing with a handful of pages, you can do it manually — a black marker on a printout, or the redaction tool in Adobe Acrobat. But if you're looking at 50, 100, or 200+ pages (not uncommon in housing or HR contexts), manual redaction becomes a serious time sink.
This is where a tool like DactIQ can help. DactIQ is a desktop application that uses a combination of pattern-matching rules and a local AI model to automatically identify and redact personal data in your documents. It runs entirely offline — your documents never leave your machine — and operates on a pay-as-you-go credit basis, so you're not paying for an enterprise subscription you'll use twice a year. If you're handling your first DSAR and staring at a stack of PDFs that need redacting, it can save you hours of manual work.
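To make the redaction step in Step 4A concrete, here is a small pattern-based redactor with the property that matters most: the requester's own identifiers are kept, every other e-mail address and UK phone number is replaced with a placeholder, names on the reviewer's third-party list are removed, and each decision is logged so the file note can evidence it. It also includes the final leak check that Step 6's "what if it goes wrong" section makes necessary. This is an added example written for this guide; it is not DactIQ's code or its method, and the repairs-log note, the names and the example.com/example.org addresses are all constructed sample data.

```python
"""Pattern-based third-party redaction for a DSAR disclosure bundle.

Added example, not part of the guide or of DactIQ. The requester's own
identifiers are kept; everything on the third-party list, plus any other
e-mail address or UK phone number, is replaced with a placeholder and logged.
"""
import re
from dataclasses import dataclass, field

# Deliberately loose patterns: over-redaction is cheaper than disclosing
# someone else's data, which the guide notes is a reportable breach.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
UK_PHONE_RE = re.compile(r"(?<!\d)(?:\+44\s?|0)\d{2,4}[\s-]?\d{3,4}[\s-]?\d{3,4}(?!\d)")


def normalise(value: str) -> str:
    """Canonical form for comparing identifiers: lower-case, no spaces or dashes."""
    return re.sub(r"[\s-]", "", value).lower()


@dataclass
class RedactionResult:
    text: str
    # One (kind, original value, occurrences) entry per redaction, for the file note.
    log: list = field(default_factory=list)


def redact_third_parties(text: str, requester_identifiers, third_party_names) -> RedactionResult:
    keep = {normalise(v) for v in requester_identifiers}
    result = RedactionResult(text)

    def replacer(kind):
        def repl(match):
            original = match.group(0)
            if normalise(original) in keep:  # the requester's own data stays
                return original
            result.log.append((kind, original, 1))
            return f"[{kind} REDACTED]"
        return repl

    result.text = EMAIL_RE.sub(replacer("EMAIL"), result.text)
    result.text = UK_PHONE_RE.sub(replacer("PHONE"), result.text)

    # Names come from the reviewer's list: deciding who is a third party
    # (including staff acting professionally) is a judgement call, not a regex.
    for name in third_party_names:
        pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
        result.text, count = pattern.subn("[THIRD PARTY]", result.text)
        if count:
            result.log.append(("NAME", name, count))
    return result


def residual_identifiers(text: str, identifiers) -> list:
    """Final check before sending: any third-party identifier still present is a leak."""
    flat = normalise(text)
    return [v for v in identifiers if normalise(v) in flat]


# Constructed sample file note (not real data). Jane Doe is the requester.
SAMPLE_NOTE = (
    "Repairs log 12/02/2026: tenant Jane Doe (jane.doe@example.com, 07700 900123) "
    "reported a leak. Neighbour Tom Baxter at flat 4B (tom.baxter@example.org, "
    "07700 900456) said the noise started last week. Surveyor Priya Patel to attend."
)
REQUESTER = ["Jane Doe", "jane.doe@example.com", "07700 900123"]
THIRD_PARTIES = ["Tom Baxter", "Priya Patel"]
THIRD_PARTY_IDENTIFIERS = THIRD_PARTIES + ["tom.baxter@example.org", "07700 900456"]


def redact_sample() -> RedactionResult:
    return redact_third_parties(SAMPLE_NOTE, REQUESTER, THIRD_PARTIES)


if __name__ == "__main__":
    outcome = redact_sample()
    print(outcome.text)
    for entry in outcome.log:
        print("redacted:", entry)
    print("residual third-party data:", residual_identifiers(outcome.text, THIRD_PARTY_IDENTIFIERS))
```

Regexes catch the mechanical identifiers; the name list is where the human review in Step 4A happens. Run the residual check on the whole bundle as the last action before Step 6, and keep the log with the file records described in Step 6.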
B. Exemptions
There are certain categories of information you may be entitled to withhold, even though they relate to the requester. The most commonly relevant ones for SMEs are:
- Legal professional privilege: Communications with your solicitor for the purpose of getting legal advice are generally exempt.
- Management planning: Information about management forecasts or plans that would be prejudiced by disclosure (e.g., planned redundancies that haven't been announced).
- Confidential references: References you've given about the individual to a third party are exempt — but references you've received about them generally are not.
- Crime and taxation: Information that would prejudice the prevention or detection of crime.
If you're unsure whether an exemption applies, err on the side of disclosure. The ICO generally expects organisations to disclose unless there's a clear and specific reason not to.
C. Is anything missing?
Cross-check what you've found against what you'd expect to hold. If the person was a long-standing customer or tenant, a response containing only three emails will look incomplete and may prompt a complaint.
Your action: Review every document. Redact third-party personal data. Flag anything you think might be exempt. Prepare a clean set of documents for disclosure.
Step 5: Prepare your response (Days 20–25)
Your response needs to include two things:
1. The data itself. Provide it in a commonly used electronic format — PDF is standard. If the requester asked for a specific format, try to accommodate that.
2. Supplementary information. Under Article 15 of UK GDPR, you also need to tell them:
- Why you're processing their data (the purposes)
- What categories of personal data you hold
- Who you've shared it with (or categories of recipients)
- How long you'll keep it (or the criteria you use to decide)
- Their rights — including the right to complain to the ICO
- Where the data came from, if you didn't collect it directly from them
This doesn't need to be a legal document. A clear covering letter or email that addresses each of these points in plain language is fine. Many organisations use a standard template for this part.
Your action: Write a covering letter that includes the supplementary information above. Attach the redacted documents. Have someone else in your organisation give it a final sense-check if possible.
Step 6: Send it (Before your deadline)
Send your response securely. If you're emailing, consider password-protecting the attachments and sending the password separately. If the response contains sensitive data, recorded delivery or a secure file-sharing platform may be more appropriate than a regular email.
Keep a copy of everything you sent, including the covering letter, all attachments, and a note of the date and method of delivery. If the requester later complains to the ICO, you'll need to demonstrate what you provided and when.
Your action: Send the response. Log the completion date. File your records of the search, the review process, and what was disclosed.
What if it goes wrong?
You miss the deadline: Contact the requester as soon as you realise, explain the delay, and provide a revised timeline. The ICO will look more favourably on organisations that communicate proactively than those that go silent. Missing a deadline isn't automatically a fine — but ignoring the request entirely could be.
The requester isn't satisfied: From 19 June 2026, UK data protection law requires you to have a formal complaints-handling process. If someone complains about your DSAR response, you'll need to acknowledge it within 30 days and respond without undue delay. It's worth getting this process in place now. If you can resolve the complaint directly, the matter usually ends there. If you can't, the requester can escalate to the ICO.
You accidentally disclose someone else's data: This is a data breach, and depending on the severity, you may need to report it to the ICO within 72 hours. This is exactly why the redaction step matters — it's the most common source of errors in DSAR responses.
A quick-reference checklist
For the next DSAR that lands on your desk, here's the short version:
- Log it. Date received, who from, what they've asked for.
- Acknowledge it. Confirm receipt and tell them you'll respond within one month.
- Verify identity if needed — and stop the clock while you wait.
- Search every system where their data might reasonably exist.
- Review everything you've found. Redact third-party data. Check for exemptions.
- Prepare a covering letter with the required supplementary information.
- Send it securely, before the deadline.
- File your records of the whole process.
You've got this
A DSAR can feel intimidating the first time, but it's fundamentally just a structured process: find the data, review it, redact what shouldn't be disclosed, and send it back with the right supporting information. The legal framework is there to protect individuals' rights, not to trip up well-meaning organisations — and the ICO's approach is generally proportionate and pragmatic.
If you're handling DSARs regularly — even a handful a year — it's worth investing a small amount of time in setting up a repeatable process: a checklist, a standard covering letter template, and a reliable way to handle redaction. That way, the next one won't feel like the first one.
Further reading
For the official guidance, these are the most useful resources:
- ICO: A guide to subject access — the ICO's own summary of your obligations, including checklists
- ICO: How to deal with a request for information (step-by-step) — specifically written for smaller organisations, with worked examples
- ICO: Right of access (detailed guidance) — the comprehensive version for DPOs and those who want chapter and verse
- UK GDPR Article 15 (legislation.gov.uk) — the actual legal text, as amended by the Data (Use and Access) Act 2025
- Data (Use and Access) Act 2025 (legislation.gov.uk) — the full text of the DUAA, including the stop-the-clock and reasonable search provisions
- ICO: Subject access request FAQs for small organisations — quick answers to the most common questions
DactIQ is a desktop redaction tool built for organisations that handle DSARs without enterprise budgets. Fully offline, pay-as-you-go, and designed for non-technical users. Try it free with 50 credits →
This guide is for general information only and does not constitute legal advice. For complex DSARs or situations involving sensitive data, consider consulting a data protection professional. The legal framework described here reflects UK GDPR and the Data Protection Act 2018 as amended by the Data (Use and Access) Act 2025, current as of April 2026.