As the number of Data Subject Access Requests, or "DSARs", received by businesses in the UK continues to increase, new legislation has introduced some helpful certainty on how they should be handled.

DSARs, which give individuals a right under data protection laws, including the UK GDPR, to receive a copy of the personal data an organisation holds about them, can prove difficult for legal or HR teams to handle, particularly if they receive broad or vague requests, or if they hold large amounts of data about requesters.

Now, the Data (Use and Access) Act 2025, which received Royal Assent on 19th June 2025, has written into law two points of practice that seek to address these issues, confirming guidance that the UK regulator, the Information Commissioner's Office, or "ICO", has had in place for some time. These points are:

  1. The obligation to undertake "reasonable and proportionate" searches when responding to DSARs; and
  2. Confirmation of the "stop the clock" procedure when seeking to clarify or validate a DSAR.

If you are used to handling DSARs, these two concepts will be familiar, but they previously existed only as guidance from the ICO, not as a statutory provision you could rely upon when communicating with requesters.

Reasonable and Proportionate

While still open to a degree of interpretation, the obligation to undertake "reasonable and proportionate" searches for personal data when responding to a DSAR is now confirmed in law.

Businesses are not expected to conduct exhaustive searches that could be unduly burdensome or disproportionate to the scope of the request. Instead, they must take a balanced approach, considering the nature of the request, the context in which the data is held, and the resources required to retrieve it.

For example, if a DSAR requests "all information" about an individual, organisations now have statutory backing to limit their searches to systems and data sources where such information is likely to be stored, rather than combing through every conceivable record. This is particularly helpful for businesses that manage large amounts of personal data.

Stopping the Clock

The "stop the clock" procedure allows organisations to pause the one-month statutory deadline for responding to a DSAR while they seek clarification or validation from the requester. This is useful when a DSAR is vague, or the identity of the requester is unclear.

For instance, if a requester fails to specify the type of data they are seeking or provides insufficient information to verify their identity, the organisation can formally request clarification or additional details. During this period, the clock on the response deadline is paused, resuming only once the requester provides the necessary information.

This confirmation of the "stop the clock" procedure ensures that organisations are not unfairly penalised for delays caused by unclear or incomplete DSARs and provides flexibility when managing complex requests. 

You can read more about the Data (Use and Access) Act 2025 here. If you have any queries about handling DSARs, or data protection issues in general, please contact kyle.sinclair@addleshawgoddard.com