Data Subject Access Requests- Tips to beat the clock!

Data Subject Access Requests- Tips to beat the clock!

(Read time: 2 mins)

The GDPR was introduced in May last year and it wasn’t quite the colossal upheaval everyone expected. Business ticked on as normal and the majority of businesses heard nothing further about it.

However, one result of the GDPR is that the number of Data Subject Access Requests (DSARs) has increased significantly. This, coupled with the reduction in time to respond to a request (which has been squeezed from 40 days down to 30), means it’s now more important than ever to have a procedure for dealing with DSARs which is fit for purpose.

We’ve set out below some “top tips” for employers receiving a request to help them ensure that they’re able to meet the new deadline.

Tips & Advice

Ensure you’re able to respond within one month

A procedure must be in place which clearly sets out the steps to be taken, and also an assignment of responsibility for each step, so that all parties involved know what they need to be doing and when. By clearly outlining the process you will avoid the inevitable “waiting around” when multiple departments are involved.

Put on extra staff training

Since the DSAR could be received by anyone working for the business, all staff must be trained to recognise a DSAR so that it can be forwarded immediately to the team who will respond to it. The quicker it is received by this team, the more time they will have to respond and the more accurate the response will be.

Narrow the scope of your requests

If you consider that the request is too broad or too unclear to respond to, you should ask for clarification straight away. Not only will this avoid a waste of time in collecting unnecessary information, but also the clock on your 30 days will not start until all the required information has been received. So it is far better to be clear before you begin gathering the data.

Consider investing in technology

To respond to a request you need to identify all personal data held about that person. Having an organised data storage system (and a simple, easy to use search function) can make a huge difference to the length of time taken to respond to a request.

Allow extra time for redactions

A point that is often forgotten when responding to a DSAR is redaction. Redaction involves checking through all the personal data and covering/removing privileged material or personal data belonging to others before the data is sent. This can be an incredibly time-consuming job and not one to be underestimated.


If you’re a recruitment agency dealing with a DSAR you’ll likely be looking for a way to streamline this process. By engaging with an umbrella company such as Plus which combines GDPR-technology with human interaction, responding to a DSAR has never been easier. You can log in to your portal, download the information you need, and return it alongside with the rest of the data you hold. Simple!


To find out more about Plus Payroll Services, you can visit our website which is or you can call us on 03333 110 222 to speak to one of our helpful customer service agents.


*This document is not a substitute for specific legal, accounting or other professional advice or opinions on related matters and issues that arise and should not be taken as providing specific advice on any of the topics discussed.

The information contained herein has been prepared by using sources believed to be reliable. Whilst reasonable care has been taken to ensure that the facts stated herein are accurate, no representation or warranty, express or implied is made by Plus Payroll Services Limited, with respect to completeness, correctness, reasonableness or accuracy of any information and opinions contained herein.

Without limiting the generality of the foregoing, liability for any negligent or innocent statement or misstatement in respect of the contents of, or any omission from this document are hereby expressly excluded. Plus Payroll Services Limited has no obligation or liability whatsoever with respect to the information provided or any action or inaction of Plus Payroll Services Limited or the recipient with respect to such information.