top of page

GDPR and DSARs - How Can Businesses Ensure Compliance?

Updated: Jun 26, 2020

It seems like a long time since GDPR came into effect (25th May 2018), given that it’s been over a year I started to wonder how businesses have coped specifically in regard to DSAR? Have they been swamped with Data Subject Action Requests and managed to follow procedure? If so, what is the nature of those requests, who would ask for one and why?

We assume that most companies will have drafted and carefully filed a GDPR policy but how are they managing the implementation of DSARs?

During my investigations online I came across the results of a survey by law firm Squire Patton Boggs, who conducted research amongst 90 businesses to investigate the current situation regarding DSARs The findings within this research forms the basis of this blog.

Why instigate a DSAR?

There are many reasons why an individual might instigate a DSAR but Squire Patton Boggs found that the most common requests seem to be coming from employees who might be facing a disciplinary, or who may be under a performance management review. 65.5% (59/90) of respondents noted they had dealt with DSARs that were connected to a workplace issue e.g. grievance, redundancy, performance management. Indeed, a DSAR might be used to put pressure on the employer to try to expedite the process and reach a fast settlement.

Their findings show:

· 71% (64/90) of all organisations surveyed had experienced an increase in the number of employee DSARs since May 2018

· Of the 64 organisations that had seen an increase in DSARs 67% had experienced an increase in costs associated with the process of responding to DSARs

Also, of those 64 organisations:

· 83% have put in place new guidelines and procedures

· 27% have acquired new personnel to deal with this growing trend

· 20% have adopted new software/technology

How does a DSAR disrupt business?

Every DSAR request will require ‘man hours’ to process, including; correspondence to the individual, arranging the data platform, IT searches through the data held, review of potentially thousands of documents across multiple systems and in multiple formats, redaction or exclusion of privileged information, and then compiling information for return to the individual with a covering letter.

[Full guidelines from the ICO can be found here: and]

In conclusion, most organisations have ensured GDPR compliance by putting in place policy/guidelines and outlining procedures. With regard to processing DSAR’s, it’s difficult to predict how frequently or in what volume they are likely to occur, for instance media reporting can instigate short term peaks in demand, which makes them hard for businesses to plan for and to resource. But it is abundantly clear that DSARs must be processed consistently, to ICO guidelines and within strict time frames.

For large companies with high volumes of employees and potentially a high turnover of workforce, that have teams of people exclusively processing DSARs - automating the process would save in time, cost and ensure consistency in meeting with ICO regulations.

SmartFlow is an Intelligent Automation platform that can be set up to manage DSAR requests at the instigation of a human worker as and when they arrive. It would search through all documents relating to an individual and provide a report of all findings, pull together all relevant documents for printing, and ensure consistency and full ICO compliance every time, far faster than any human. What's your industry?

Finance / Public Sector / Business Process Outsourcing / Legal / Telecoms / Insurance / Retail

Recent Posts

See All
bottom of page