A recent surge in data subject access requests (DSARs) is costing businesses millions of pounds, with the  average individual case costing organisations £20,000.


DSARs allow an individual to ask an organisation to provide them with the personal information it has on its systems. The legal right to make DSARs was initially introduced by the Data Protection Act 1998. Recently we’ve seen a significant rise in DSARs in the South-East across most industry sectors, with organisations of all sizes being affected.

Many requests are being made as a fishing expedition to find out what information an employer has about the employee. However, it’s worth noting this is not restricted to employees making requests. Any individual can exercise their right to make a DSAR. So, it’s important to be aware of what it means for your organisation and what you can do to make it easier to comply with these requests.


The rise of DSARs

The Information Commissioners Office (ICO), which handles complaints about DSARs, has witnessed an alarming increase of 23% from April 2022 to March 2023, with almost 16,000 complaints relating to failings in respect of DSARs. This is compared to 13,000 for the same period the previous year. However, this is only the number that relates to the rise in complaints, so the actual number of DSARs being made will have grown significantly too.

The reasons for this increase include individuals becoming aware of their right to request DSARs through social media and news reports like the one involving Nigel Farage and NatWest. There was also the publicity around the implementation of the Data Protection Act 2018 and GDPR (General Data Protection Regulations) which drew attention to data protection rights. That legislation removed the ability for businesses to charge a fee for dealing with DSARs and reduced the deadline for responding to DSARs from 40 days to a month.

DSARs have become an increasingly common tool, used by individuals in dispute with organisations. They have almost become standard when employees are in dispute with their employer and are looking for a ‘smoking gun’ that they can use in negotiations or in an Employment Tribunal, should it come to that.

Rising cost of DSARs

Based on the ICO figures and with the average cost being £20,000, DSARs are costing organisations at least £320m a year. We think this is just the tip of the iceberg, as the ICO won’t have records for all DSARs that are made. It will only have access to complaints being made to the ICO due to alleged breaches of the legislation governing them. We anticipate the number of DSARs will continue to increase, and businesses should act now to ensure they have processes in place and train their teams to know how to handle them.

At Loch Associates Group, we’ve certainly witnessed an increase in costs relating to DSARs, due mainly to the complexity of the requests and the time required to process them. Each request involves correspondence with the individual, arranging IT searches of data held – often resulting in reviewing potentially thousands of documents, then redacting or excluding information that can be justified as exempt. Then the response to the individual has to be prepared. This process must take place within one month, although in exceptional situations it can be extended to two to three months.

Many DSARs are presented as broad requests for ‘all of [their] personal data’, which often entails a huge task because employers tend to retain more information than they need to. In addition, social media messages, WhatsApp messages and texts relating to the employee are all disclosable.

All of this can be tricky, time-consuming and costly. They also impact other data subjects, which may not be fully appreciated.

It is difficult to see a resolution to the challenges. As more DSARs are received, businesses may find it harder to respond within the one-month timeframe, and those making the requests are likely to be frustrated by any delays or perceived failures, which may lead to more complaints.


Minimising the costs and protecting your organisation

Managing the retention of data effectively is one way to minimise the cost and management time. The less documentation you have inevitably means there is less to review. It also means you comply with data protection legislation because you are only supposed to retain relevant information. However, you do not want to lose critical documentation so it’s important to have a retention policy in place that does not leave the organisation exposed. Getting expert advice on that is important as it’s not a one-size-fits-all answer.

It’s possible to anticipate the likelihood of DSARs, to have a response process in place, and to manage the risks. In particular, organisations should be doing data protection audits to reduce the amount of information they retain and comply with data protection legislation. There are cost savings here too as it costs money to store information.

We know how challenging all of this can be for organisations and that’s why we have been helping our clients with our data protection audits, training and DSAR services so that they can outsource the challenges of dealing with a DSAR, reduce the costs and their management time, as well as protecting their organisation.

Pam Loch, Solicitor and Managing Director of Loch Associates Group


Related Posts

116 Motoring: Alpine A110S

Alpine was founded in 1955 by Jean Rédélé, a young man with a passion for motorsport whose favourite playground...

116 Travel: Morocco

On a whistle stop tour of Morocco, I touched down on the tarmac of Casablanca airport, after an efficient business class flight with...

116 The NHS is killing the country

We are very spoilt as a country to have such a splendid health care system that is free at the point of need – it is the envy...