25 March 2026
Data Subject Access Requests: A Burden for Small Businesses?
By Jess Pembroke, Director of Information Law Services
Data Subject Access Requests (DSARs) are a fundamental right. When I deliver training, I often explain DSARs in the context of democracy: data protection laws are designed to rebalance power between individuals and large data‑processing organisations. Historically this meant the state (government departments), but in 2026, the biggest data controllers in most people’s lives are more likely to be social media platforms, major retailers, fitness apps, or large private‑sector firms.
To illustrate this balance of power, I often use this example from a football club. Clubs process personal data for millions of fans, from ticket sales to biometrics and CCTV footage. In one case, a fan[1] used a DSAR to obtain CCTV evidence linked to their season ticket dispute. A single individual, armed with a legal right, was able to challenge a powerful organisation. That’s exactly how DSARs are meant to work.
What happens when the organisation on the receiving end isn’t a giant, when it’s a small or medium‑sized company with limited capacity, no formal Data Protection Officer (DPO),[2] and perhaps no previous experience handling a request?
DSARs often follow a rupture in the relationship: a complaint, a grievance, a breakdown in trust. At the very moment both parties may be feeling defensive and strained, the small business must navigate a complex legal process.
In addition to this, you normally only have one calendar month to respond. The countdown begins the day the request is received, not the date you read it or acknowledge it. If the request is particularly complex or if you have received multiple requests, you may be able to extend the deadline by a further two months, but this can still be a challenging deadline for a small business with limited experience of these requests.
Here are some key points for smaller organisations:
1. Small and Medium‑Sized Businesses Are Not Exempt
The right of access applies regardless of the size of the organisation. If you process personal data you may receive a DSAR, and you must respond.
2. Understanding a DSAR: What It Is and Isn’t
A Data Subject Access Request (DSAR) enables an individual to ask to see the personal data you hold about them. However, despite what some requesters believe, a DSAR is not an automatic right to everything with their name or initials in it. It covers their personal data, not necessarily colleagues’ opinions, business information, or data that involves third parties where disclosure would infringe someone else’s rights.
It may be worth informing the requester upfront that they may not have access to information containing data about other individuals. This is important because people sometimes seek details regarding what a colleague or customer has said about them, and such information may not always be available due to the rights of the third parties.[3]
3. From the Business Perspective: You May Not Want to Handle It… But You Usually Have To
Certain DSARs can be processed quickly and efficiently, while others may present challenges. Some requests are broad in scope, such as those asking for “all data you hold about me”, which can lead to having to review thousands of emails.
Even when a request is difficult or feels unreasonable, you must still work through it. You can refuse a DSAR in limited cases, for example if it is manifestly unfounded[4] or excessive, but the threshold for refusal is high and must be justifiable.
4. Clarifying the Scope: You Don’t Have to Provide Everything
A DSAR can often be narrowed. Working with the requester, you can ask them about a set time period or communications between certain individuals; however, they could push back and refuse to narrow the scope. Again, that doesn’t mean you have to provide everything. Small businesses are expected to carry out a “reasonable search” for the requester’s personal data, but what is ‘reasonable’ depends on the resources available.
A DSAR, especially one arriving during a dispute, can feel overwhelming. Without experience, the staff at the small business often worry about what they must disclose, how to redact third‑party information, what constitutes personal data, or where to start searching.
Where to Get Help
If you’d like to feel more confident handling DSARs, we can help.
Join our Key Data Protection Rights Course | Naomi Korn Associates
Ideal for SMEs who want practical, accessible training, this course will next run on 28 April (9:30am-1pm). Book your place now!
Or, if you’d rather outsource the whole process:
Outsourced Data Subject Access Requests (DSARs) – Naomi Korn Associates
Our specialist team handles hundreds of DSARs every year and can support you at any stage of the process. Find out more here!
[1] Leeds United season ticket holder uses CCTV to disprove club’s non-attendance suggestion
[2] Do I need a Data Protection Officer (DPO)? | ICO
[3] Exemptions: can we refuse a SAR if it involves information about other people? | ICO