Handling data subject access requests effectively for UK SMEs


For many UK SMEs, a data subject access request, often shortened to DSAR, can feel like an administrative distraction. In practice, it is a normal part of running a business that holds personal data. A DSAR is simply a request from an individual asking for access to the personal data you hold about them, and for certain related information about how you use it.

Handled well, a DSAR should be a controlled process rather than a scramble. The aim is not to over-engineer it. The aim is to respond consistently, protect other people’s information, and avoid unnecessary delay. For smaller organisations, that usually means having a clear owner, a sensible search plan, and a straightforward way to review and redact information before it is shared.

What a data subject access request is and why it matters

A plain English explanation for SME teams

A DSAR is a request from a person to see the personal data you hold about them. Personal data means information that identifies, or can be linked to, a living individual. That could include emails, HR records, customer notes, call logs, CCTV images, or records in your finance system.

The request does not need to use special wording. Someone may simply ask, “Please send me everything you hold about me”, or “I want a copy of my data”. If the request is clear enough, treat it as a DSAR and start your process.

For SMEs, the business value of handling DSARs effectively is straightforward. It reduces the risk of missed deadlines, inconsistent responses, and accidental disclosure of someone else’s information. It also helps staff understand where personal data sits across the business, which is useful beyond DSARs themselves.

Common misunderstandings to avoid

One common mistake is assuming a DSAR only applies to formal letters or emails from a solicitor. It does not. Another is thinking you can refuse a request because it is inconvenient or because the requester has been difficult. In most cases, inconvenience is not a reason to ignore the request.

It is also easy to over-collect. Some teams respond by searching every system and every mailbox without a plan. That can create more work than necessary and increase the chance of disclosing irrelevant material. A proportionate search is usually better than a broad, unfocused one.

Finally, do not assume that a DSAR means you must hand over everything without review. You may need to withhold or redact information where it would affect other people’s rights, reveal confidential material, or fall outside the scope of the request.

Set up a simple and reliable DSAR process

Who should own the request and how it should be logged

Every SME should know who owns a DSAR from the moment it arrives. That owner might be the office manager, HR lead, operations manager, or someone in the compliance or IT function. The key point is that ownership should be clear, not shared loosely across several people.

Start with a simple log. Record the date received, who sent it, what they asked for, which systems may hold relevant data, who is helping with the search, and the deadline. A basic spreadsheet is often enough for a small business, provided it is kept securely and updated consistently.

It is also sensible to confirm receipt promptly. You do not need a long message. A short acknowledgement that explains the request is being reviewed and that the business will come back with next steps is usually enough to show the request is being handled.

What information and systems need to be checked

Before searching, map the places where personal data is likely to sit. In a small business, that often includes email, shared drives, HR files, CRM systems, payroll records, finance tools, ticketing systems, cloud storage, and any paper files still in use.

Do not forget less obvious sources. Personal data may also appear in meeting notes, instant messaging tools, call recordings, visitor logs, access control records, or backups, although backups are usually handled differently depending on whether the data is readily accessible. The point is to know where data lives so you can search in a controlled way.

If the business uses outsourced providers, such as payroll or HR software, make sure someone knows how to contact them and what information they can reasonably provide. A DSAR process often depends on internal teams and suppliers working in a coordinated way.

Identify the personal data you hold without overcomplicating it

Typical sources of data in a small business

UK SMEs often hold personal data in a few predictable places. Customer service teams may have email trails and call notes. Sales teams may keep contact details and meeting records in a CRM. HR may hold recruitment notes, contracts, absence records, and disciplinary files. Finance may hold invoices, payment records, and bank details. IT may hold account logs and access records.

When a DSAR arrives, think about the individual’s relationship with the business. A customer, employee, contractor, supplier contact, or job applicant will each have different data sources. That helps you avoid searching systems that are unlikely to contain anything relevant.

It can help to ask a few practical questions at the start. What role did the person have? Which team dealt with them? What time period is relevant? Are there known aliases, previous names, or email addresses that should be included in the search?

How to keep searches proportionate and consistent

Proportionate searching means looking in the places most likely to hold relevant data, using a method that is repeatable. It does not mean searching everything just in case. A consistent approach saves time and makes it easier to explain what you did if the request is later questioned.

Set out a standard search plan. For example, search the requester’s name, known email addresses, employee ID, customer reference, and any common variations. Use the same approach for similar requests unless there is a good reason to change it.

Keep notes on where searches were run and what was found. That record is useful if you need to show how you reached the final response, and it helps the business improve its process over time.

Check what can be shared and what may need to be withheld

Balancing the requester’s rights with other people’s information

A DSAR is about the requester’s personal data, not everyone else’s. In many cases, the material you find will include information about other individuals, such as colleagues, customers, family members, or suppliers. You need to consider whether that information can be disclosed, whether it should be redacted, or whether it should be withheld.

This is where a careful review matters. A simple rule of thumb is to ask whether disclosure would unfairly affect someone else’s privacy or reveal information that the requester is not entitled to see. If so, redaction may be needed before anything is shared.

It is also worth remembering that not every document has to be disclosed in full if only part of it is relevant. A single email chain may contain the requester’s data, another person’s data, and internal discussion that is not necessary to include. Review the content line by line rather than treating the whole document as one block.

When redaction is usually needed

Redaction means removing or hiding information before disclosure. It is commonly needed where a document contains another person’s personal data, confidential internal comments, or information that should not be shared in full.

In practice, redaction should be done carefully and checked before release. A black box on a document is not enough if the underlying text can still be copied or recovered. Use a method that genuinely removes the information from the version you send.

For SMEs, the main risk is not the concept of redaction itself, but doing it inconsistently. If one team member redacts heavily and another discloses too much, the business ends up with uneven responses. A short internal checklist can help keep decisions more consistent.
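As an added illustration that is not part of the original article, the standard search plan described under proportionate searching and the pre-release redaction check described above, in one small Python script. The email chain, the requester record and the third-party identifier list are constructed samples, and the function names are my own.

```python
import re

# Constructed sample export of one email chain (not real data). It mixes the
# requester's data, a colleague's data and a third party's data on the same lines.
EMAIL_CHAIN = """From: jane.smith@example.co.uk
To: tom.brown@example.co.uk
Subject: Re: Leave balance query (EMP0042)
Tom, J. Smith asked again; Paul Green (EMP0077, paul.green@example.co.uk) raised the same issue.
Finance confirmed the payroll run for next week is on schedule.
"""

# Hypothetical requester record: name variations, known emails and employee ID.
REQUESTER = {
    "names": ["Jane Smith", "J. Smith", "J Smith"],
    "emails": ["jane.smith@example.co.uk"],
    "ids": ["EMP0042"],
}

# Third-party identifiers noted during the line-by-line review; must not be disclosed.
THIRD_PARTY = ["Paul Green", "EMP0077", "paul.green@example.co.uk"]


def search_terms(requester):
    """Standard search plan: every known name, email and ID, matched case-insensitively."""
    terms = requester["names"] + requester["emails"] + requester["ids"]
    return [re.compile(re.escape(t), re.IGNORECASE) for t in terms]


def relevant_lines(text, patterns):
    """Line-by-line review: keep only the lines that actually mention the requester."""
    return [ln for ln in text.splitlines() if any(p.search(ln) for p in patterns)]


def redact(lines, third_party):
    """Replace third-party identifiers in the text itself, not an overlay that can be lifted."""
    out = []
    for ln in lines:
        for t in third_party:
            ln = re.sub(re.escape(t), "[REDACTED]", ln, flags=re.IGNORECASE)
        out.append(ln)
    return out


def verify_redaction(lines, third_party):
    """Pre-release check: return the identifiers still present (an empty list means clean)."""
    joined = "\n".join(lines).lower()
    return [t for t in third_party if t.lower() in joined]


def prepare_disclosure(text, requester, third_party):
    """Run search, redaction and the final check; release only when nothing leaks."""
    redacted = redact(relevant_lines(text, search_terms(requester)), third_party)
    return redacted, verify_redaction(redacted, third_party)
```

The final check is the part worth keeping even if the rest is done by hand: run it over the exact copy you are about to send, not the working copy.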

Manage deadlines, extensions, and communication

How to keep the request moving

DSARs should be managed as a working task with a deadline, not as an open-ended query. Once the request is logged, assign actions quickly. Who is searching? Who is reviewing? Who is deciding what to redact? Who is sending the final response?

Break the work into stages. First, confirm the request and identify the scope. Second, gather the likely sources. Third, review the material. Fourth, redact where needed. Fifth, prepare the response and send it securely. This simple structure helps avoid last-minute pressure.

If the request is broad, ask the requester for clarification where appropriate. You should not use clarification as a delay tactic, but a sensible question can narrow the search and make the response more useful.

What to tell the requester if more time is needed

Sometimes a request will take longer because the volume of material is high, the data sits across several systems, or the review involves sensitive third-party information. If more time is needed, communicate that early and clearly.

Keep the message factual. Explain that the request is being processed, that the business is still searching and reviewing the relevant data, and that you will provide the response as soon as possible. Avoid over-explaining or sounding defensive.

Good communication does not remove the need to complete the work, but it does reduce confusion and shows the business is taking the request seriously. For SMEs, that can make a difficult request much easier to manage.

Reduce risk with better records and staff awareness

Practical documentation that helps future requests

Good records make DSARs easier. Keep a short record of the request, the search terms used, the systems checked, the people involved, the redactions made, and the date the response was sent. If you rely on third parties, note that too.

You do not need a heavy governance framework to do this well. A few practical templates are usually enough: a request log, a search checklist, a redaction checklist, and a response template. These documents help the business respond in a repeatable way, even if the original owner is away.

Documentation also helps when a request is unusual. If the requester asks for a large amount of material, or if the business needs to explain why certain information was withheld, clear notes make the decision easier to justify internally.

Training frontline staff to recognise a DSAR

Many DSAR problems start at the front line. A customer service agent, receptionist, account manager, or line manager may receive the request first and not realise what it is. That can lead to delay or an incomplete response.

Staff do not need to become data protection specialists. They just need to know the signs. If someone asks for a copy of their personal data, wants to see emails or notes about them, or makes a broad request about information held by the business, it should be escalated quickly.

A short awareness session and a simple internal route for escalation are often enough. Make it easy for staff to know who to contact and what to do next. That small step can prevent a lot of avoidable confusion.

Build a repeatable approach for the long term

Templates, checklists, and ownership

The most effective DSAR processes are usually the simplest ones. A named owner, a request log, a search checklist, and a review step are often enough for a small business to work in a controlled and consistent way.

Templates reduce variation. They also make it easier to train new staff and to keep the process going when the business is busy. If you already have incident, HR, or complaint handling templates, some of the same discipline can be applied here.

Where possible, keep the process proportionate to the size of the business. A five-person company does not need the same machinery as a large enterprise, but it does need clarity, consistency, and a secure way to handle the information it finds.

When to review the process after a difficult request

Every difficult DSAR is an opportunity to improve. If a request took too long, if searches missed a system, or if redaction was more complex than expected, review what happened and update the process.

That review does not need to be formal. A short after-action note is often enough. Ask what slowed the response, whether the search scope was clear, whether staff knew their role, and whether the templates need updating.

Over time, this creates a more resilient process with less rework. For SMEs, that is usually the right balance: enough structure to be reliable, without creating unnecessary administration.

Handled properly, data subject access requests are less about legal theory and more about disciplined operations. If your business wants help building a practical process, reviewing search and redaction steps, or aligning DSAR handling with wider information security controls, a consultant can help you shape something proportionate to your size and risk.

Speak to a consultant if you would like support with a practical, business-focused approach.

Frequently asked questions

What should an SME do first when it receives a data subject access request?

Log the request, confirm receipt, and identify who owns the response. Then work out which systems and teams are most likely to hold the requester’s personal data. A quick, structured start is usually better than trying to answer immediately.

How can a business respond to a DSAR without exposing other people’s personal data?

Review the material before disclosure and redact information about other individuals where needed. Only share what is relevant to the requester’s own personal data, and keep a record of what was withheld and why.
