Data subject access requests are time-bound (within 1 month of receipt, extendable in some cases) and broadly scoped (covering all personal data relating to the individual). Most organisations have not searched their systems for personal data relating to a specific person before, and a first DSAR is often a stress test of how data is held across email, CRM, file storage, and individual devices.

How to handle a DSAR properly

The support is structured: scoping the request properly (narrowing where appropriate, but not refusing valid scope); identifying where personal data is held; applying the legitimate exemptions (third-party data, legal privilege, management forecasts, and others); and producing the response in a form that complies with the GDPR's transparency obligations.

The point is not to obstruct the request but to respond to it correctly. Most DSAR complaints to the ICO arise from poor responses, not non-responses.

Under UK GDPR, you must respond within one calendar month. Getting the response wrong can lead to complaints to the ICO and regulatory action.

Example: a typical scope and fixed fee

For a single DSAR received by a UK business, the typical scope looks like this.

What's included

  • A consultation to understand the request and the personal data you hold
  • Advice on the scope of the request and how to search for relevant data
  • Identification of applicable exemptions (e.g. legal privilege, third-party data, confidential references)
  • Review of the proposed response before it is sent
  • A template response letter

What's outside this scope

  • Handling more than one DSAR at a time (I can quote for multiple requests)
  • Data subject complaints or ICO investigations
  • Redacting large volumes of documents (I can advise on approach, but the physical redaction work is your responsibility)
  • Tax advice

Fixed fee: £495, no VAT.

How I will approach your matter

Once you have instructed me, I will guide you through the entire process (scoping the request, identifying exemptions, and reviewing your proposed response before it is sent) to ensure you respond properly and within the statutory timeframe.

Common questions

What is a DSAR?

A Data Subject Access Request is a request from an individual to see the personal data you hold about them. Under UK GDPR, you must respond within one calendar month. Getting the response wrong can lead to complaints to the ICO and regulatory action.