Employers warned on DSAR compliance as ICO tightens scrutiny

16 September 2025

Employers are being urged to sharpen their processes for handling data subject access requests (DSARs), after the Information Commissioner’s Office (ICO) stepped up enforcement activity against organisations that repeatedly miss deadlines.

Under the UK GDPR, businesses must respond to DSARs “without undue delay” and within one month of receipt. This period can be extended by up to a further two months if requests are complex or numerous, but organisations must notify individuals within the first month and explain the reasons for any delay.

Resourcing not an excuse

The ICO has made clear that a lack of resources will not justify late or incomplete responses. Recent reprimands, including action against Greater Manchester Police, highlight that sustained failures attract scrutiny and can escalate to more serious sanctions if not remedied.

Ownership and triage essential

Experts recommend appointing a single accountable owner for each request to avoid delays. Early triage should map custodians, date ranges, systems, and potential exemptions—such as legal privilege or confidential references—so the scope is clear from the outset.

Clarification and pausing the clock

Employers may seek clarification where large volumes of data are involved, and the statutory timeframe can be paused while awaiting a reply. However, this must be proportionate and properly documented, with reasons recorded for the pause and evidence of when the clock restarted.

Proportionate search and redaction

The legal duty is to carry out a reasonable and proportionate search, not an exhaustive one. This should include emails, HR systems, messaging platforms, and CCTV where relevant. Data held on personal devices generally falls outside scope unless there is good reason to believe work data is stored there. Third-party data must be carefully balanced—consent or redaction should be preferred over blanket refusals.

Exemptions and settlements

Exemptions—such as legal professional privilege or management forecasting—must be applied narrowly and explained to the individual. Employers are reminded that settlement agreements or NDAs cannot remove DSAR rights, and requests remain valid even during grievances or Employment Tribunal proceedings.

Practical steps

HR teams are encouraged to:

  • Maintain an audit trail of all decisions, redactions, and communications

  • Provide copies of personal data in an intelligible format, with supplementary information such as retention and processing purposes

  • Use technology such as e-disclosure and redaction tools to manage volume efficiently

The ICO advises that proactive remediation, improved workflow tools, and staff training can significantly reduce the risk of enforcement. Training line managers to spot DSARs—including informal requests via email or social media—is seen as a crucial safeguard against compliance failures.

This article was created with insights from Lex HR.