Employees are becoming more concerned about how their data is stored and processed, so responding to Data Subject Access Requests (DSARs) correctly is a critical obligation for organisations. However, according to B P Collins’ employment team, it is also an area where mistakes are commonly made. This article outlines some of the most frequent errors and how to avoid them.

1. Failing to verify the identity of the requester adequately.

Under Article 12(6) of the UK GDPR, if there are reasonable doubts about the identity of the person making the request, the organisation can request additional information to confirm their identity. However, this must be proportionate and reasonable. For instance, if the requester is a current employee known to the organisation, demanding unnecessary documentation, such as utility bills, could be deemed unreasonable. Organisations should ensure their processes are robust but not overly burdensome, as failing to strike this balance can lead to delays or non-compliance.

2. Not conducting a reasonable and proportionate search for the requested data.

The Data (Use and Access) Act 2025 (DUAA 2025) has clarified that organisations are only required to perform a reasonable and proportionate search, rather than an exhaustive one. This means that organisations should focus on identifying and providing the relevant personal data without expending disproportionate resources. However, failing to document the search process or overlooking relevant data could result in non-compliance.

3. Misunderstanding the scope of the right of access.

The right under Article 15 of the UK GDPR is to access personal data, not necessarily to receive copies of documents. Organisations may mistakenly believe they must provide entire documents, but they can extract the relevant personal data instead. This approach is particularly useful when dealing with mixed data, where the personal data of the requester is intertwined with that of others. In such cases, redacting third-party information or seeking their consent is essential to comply with Article 15(4), which protects the rights and freedoms of others.

4. Failing to handle third-party data appropriately.

Organisations must assess whether disclosing information would adversely affect the rights of third parties, such as trade secrets or intellectual property. If so, they should redact or omit such information while still providing as much of the requester’s personal data as possible. This requires careful judgment and robust systems to identify and address third-party rights.

5. Mishandling requests deemed “manifestly unfounded” or “excessive.”

While these are valid grounds for refusing a DSAR, the burden of proof lies with the organisation to demonstrate why the request meets these criteria. For example, a request may be manifestly unfounded if the individual has no genuine intention to exercise their rights, such as using the DSAR as leverage in negotiations. However, organisations must not assume this without clear evidence, as unjustified refusals can lead to enforcement actions by the Information Commissioner’s Office (ICO). 

To avoid these mistakes, organisations should implement clear policies, provide staff training, and maintain detailed records of their decision-making processes when responding to DSARs. This ensures compliance with the UK GDPR and minimises the risk of disputes or penalties.

For further help and advice on this, and any other employment matter, please get in touch with B P Collins’ employment team at enquiries@bpcollins.co.uk or call 01753 889995.