If you run a business, you’ve probably heard of DSARs (Data Subject Access Requests). The term might sound intimidating, but at its core, a DSAR is simply when someone asks:
- “What information do you hold about me?”
- “Why are you using it?”
- “Who have you shared it with?”
Under UK GDPR (and EU GDPR if you operate there), every individual has the right to access their personal data. And if you’re the organisation collecting and using that data, you’re on the hook to provide an answer.
What Exactly Is a DSAR?
A Data Subject Access Request is a legal right that allows people to see the personal data an organisation holds about them. It doesn’t matter whether the person is an employee, a customer, a supplier, or even a job applicant—if you’re storing their personal information, they can ask to see it.
Do Private Companies Have to Respond?
In short: Yes.
- ✅ If you’re a data controller, you must respond. It doesn’t matter if you’re a private business, a public authority, a charity, or a sole trader. If you collect personal data and decide what it’s used for—such as employee records, customer contact details, or supplier information—you’re a data controller. That means DSARs apply to you.
- ❌ There are no blanket exemptions just for being private. There are only limited, specific exemptions in the law, for example where responding would reveal someone else’s personal data, interfere with an ongoing investigation, or breach legal privilege. But these are the exception, not the rule.
Key Rules You Need to Know
Handling a DSAR doesn’t need to be overwhelming, but there are some important rules to follow:
- ⏳ Deadline: You have one month to respond. If the request is particularly complex, you can extend this by up to two months, but you must let the requester know within the first month.
- 💷 Cost: In most cases, you cannot charge a fee. The only time you can ask for payment is if the request is clearly unfounded or excessive.
- 📂 Format: Provide the information in a clear, accessible way—often as a PDF or other electronic format.
- 🪪 Verification: You’re allowed to ask for proof of identity to make sure you’re giving the data to the right person.
Why Responding Matters
Failing to respond properly to a DSAR can cause serious problems:
- The individual can complain to the Information Commissioner’s Office (ICO) in the UK, or the relevant data regulator elsewhere.
- The regulator can investigate, take enforcement action, and even issue fines.
- And just as importantly, ignoring requests can damage the trust your employees, customers, and clients place in you.
The Bottom Line
If you’re a private company and you handle personal data, yes—you need to respond to Data Subject Access Requests.
Think of DSARs not just as a compliance obligation, but as an opportunity to show transparency, accountability and respect for people whose data you hold. When handled well, they can strengthen trust and demonstrate that your organisation takes data protection seriously.
#datacontroller #DataProtection #GDPR #dpo #privacy #compliance #dsars #sars