9 September 2025

DSAR Sins: From Illegal Deletion to Deadlines

By Jess Pembroke, Director of Information Law Services

A Data Subject Access Request (DSAR) is a key part of the General Data Protection Regulation (GDPR). It empowers individuals to access their personal data. The aim of a DSAR is to rebalance the power between individuals and organisations, giving people greater control over their information and the ability to correct or challenge inaccuracies or issues. In this blog, we explore five common issues when handling DSARs and how organisations can avoid them.

  • Missed Deadlines

Generally, DSARs must be responded to within one calendar month. However, depending on the size of your organisation and the complexity of the request, meeting this deadline can be challenging.

In some cases, frontline staff may not recognise a DSAR or know who to forward it to. This delay, sometimes lasting weeks, can significantly reduce the time available for a proper response. If the Data Protection Officer (DPO) or Lead does not immediately receive a DSAR because of a delay in letting them know, this adds pressure and makes it difficult to collate and provide the information on time.

The key is to train and engage with the frontline teams who manage your organisation’s inboxes and social media channels (e.g. “info@” or “enquiries@”). These are often the first points of contact for DSARs. Making sure they know where to forward requests helps ensure that you have enough time to respond.

  • Excessive Scope

DSARs are often submitted during disputes such as employment issues or complaints. Requesters may expect the DSAR to reveal broader organisational decisions or other people’s opinions. However, the scope of a DSAR is limited to personal data about the requester, and in some cases other people’s opinions, complaints or other thoughts about them may be redacted to protect the rights of others[1].

It is important to ensure those requesting a DSAR understand that they will only receive their personal data, that this will not include any internal decision-making, and that third-party personal data may be redacted. This can help manage expectations and reduce frustration.

  • Inflated Expectations

Some requesters now use AI to craft highly detailed DSARs. While this can make requests more precise, it can also raise unrealistic expectations about what will be disclosed. When the response includes lawful redactions or limited data, it may lead to disappointment or complaints.

Provide clear, upfront communication about what the DSAR process involves and what kind of information the requester is likely to receive.

  • Over-Enthusiastic Responses

Sometimes, well-meaning staff members respond to DSARs directly without involving the DPO. Or maybe the organisation doesn’t have a DPO and doesn’t have a central process for handling requests. This can result in the accidental disclosure of third-party personal data, breaching GDPR.

It’s important to ensure that teams are trained on what a request is and who should handle it. If your organisation doesn’t have a designated DPO, consider seeking external support such as the Naomi Korn Associates Outsourced Data Protection Officer service.

  • Illegal Deletion or Destruction

Under Section 173 of the Data Protection Act 2018, it is a criminal offence to erase, block, or destroy data after receiving a DSAR, with the intent of preventing disclosure. The ICO has recently prosecuted the director of a care home in Bridlington, Yorkshire, who was fined for refusing to respond to a request for a resident’s personal information[2]. Cases of individuals deliberately destroying information are rare; however, it’s important to ensure that all staff are aware of their responsibilities in relation to this.

Ensure your data protection training covers data rights and the potential for personal prosecution in such cases.

Handling DSARs properly is not only a legal requirement but also demonstrates your organisation’s respect for personal data. While your organisation may need this data for its services, it must also be ready to be accountable to the individuals whose personal data it holds.

Want to learn more?

Join our training course to gain practical skills and confidence in managing DSARs effectively. Book now for our final 2025 date, 17 October (9:30am-1pm): https://www.eventbrite.co.uk/e/data-protection-rights-17-october-2025-930am-1pm-tickets-1054713970879

To learn more about the course, please visit the webpage or summary video, and check out your chance to complete your full Data Protection Intermediate Certificate in just three days in October, including the Data Protection Rights and DSARs course here: https://www.eventbrite.co.uk/e/intermediate-certificate-in-data-protection-tickets-1321193016879

Contact us at info@naomikorn.com for further information.


[1] What should we do if the request involves information about other individuals? | ICO

[2] Care home director found guilty of ignoring request for personal information | ICO
