09/06/2026 · 6 min read

How to handle a subject access request (DSAR), step by step

A calm, practical walkthrough of responding to a data subject access request under UK GDPR, including the new stop-the-clock rule.

A subject access request, or DSAR, is someone asking for a copy of the personal data you hold about them. It is one of the most common data protection tasks, and one of the most stressful if you have no process. Here is a straightforward way through it.

First, know the basics

  • A request can arrive in any format: email, a letter, even a comment on social media. There is no official form and no magic words.
  • You usually have one calendar month to respond.
  • It is normally free. You can only charge, or refuse, where a request is manifestly unfounded or excessive, and you should be able to justify that.

The steps

  1. Recognise it. Train whoever reads the inbox to spot “can you send me my data” in all its forms and flag it straight away.
  2. Log it and start the clock. Record the date received. That date sets your one-month deadline.
  3. Verify who you are dealing with. Confirm the requester’s identity before you hand over anything. The Data (Use and Access) Act 2025 added a stop-the-clock rule: if you reasonably need more information to find their data or confirm identity, you can pause the deadline until you get it.
  4. Clarify the scope if it is vast. You can ask what specifically they are after. That is also a point where the clock can pause while you wait for a reasonable answer.
  5. Search reasonably. The law now says in black and white that your search need only be reasonable and proportionate. You do not have to turn over every stone; you do have to look properly in the obvious places.
  6. Redact other people. Remove or redact personal data about third parties, unless they have agreed or it is reasonable to disclose.
  7. Respond in time. Provide the data in an accessible form. For complex or numerous requests you can extend by up to two further months, but tell the person within the first month and explain why.

Where people slip up

The two classic failures are missing the request entirely because it did not look official, and blowing the deadline because nobody logged the start date. A simple log fixes both. If you keep a clear picture of what data lives where, the search step stops being a fire drill.

For a one-line definition you can share with colleagues, see DSAR in the jargon-buster.

Get your records in order

The Data Protection Register turns plain-English answers into the records the law asks for, and keeps them current. See where you stand with our free check.

This is general information, not legal advice.