0105_Data Subject Access Requests (DSARs)

5. Data Subject Access Requests (DSARs)

1. Service Description

ACTINUM Limited provides independent support for managing and responding to Data Subject Access Requests (DSARs) for UK organisations.

This service helps organisations respond to DSARs accurately, on time, and in line with UK GDPR requirements. We support defensible decision‑making on scope, searches, exemptions, extensions, and disclosure, reducing regulatory risk and operational disruption.

DSAR handling is a core legal obligation under UK GDPR.

Assumption challenged: Many SMEs believe DSARs are rare or informal. In practice, DSARs are increasingly used in employment disputes, complaints, and litigation.

2. What This Service Delivers

This service delivers timely responses, defensible decisions, and reduced disruption.

It provides:

  • Clear validation of whether a request is a DSAR
  • Correct application of statutory deadlines and extensions
  • Proportionate and defensible search strategies
  • Reduced risk of over‑disclosure or missed data
  • Lower likelihood of ICO complaints or enforcement

Most DSAR risk arises from poor scoping and uncontrolled searches.

3. How ACTINUM Limited Helps

ACTINUM Limited supports organisations by:

  • Validating and scoping DSARs at the outset
  • Advising on one‑month deadlines and lawful extensions
  • Defining proportionate data search strategies
  • Advising on exemptions and restrictions
  • Supporting redaction and third‑party data handling
  • Reviewing draft DSAR responses before issue
  • Supporting complex, repeat, or contentious requests
  • Improving DSAR processes to reduce future impact

DSAR decisions must be documented and defensible.

4. Who This Service Is For

This service is particularly relevant for:

  • UK SMEs without dedicated data protection teams
  • Employers handling staff or ex‑employee requests
  • Organisations holding data across multiple systems
  • Businesses experiencing increasing DSAR volumes
  • Regulated organisations under higher scrutiny
  • Senior leaders accountable for compliance risk
  • Boards seeking assurance over rights handling

UK GDPR DSAR obligations apply regardless of organisation size.

5. Common Triggers for This Service

Organisations typically require this service when they are:

  • Unsure whether a request is a valid DSAR
  • Struggling to meet statutory response deadlines
  • Receiving broad or repeated requests
  • Handling DSARs linked to grievances or disputes
  • Unsure which exemptions apply
  • Managing DSARs following a data breach
  • Facing ICO complaints or escalation

DSARs frequently surface wider governance and documentation gaps.

6. Outcomes For Your Organisation

This service enables:

  • On‑time and compliant DSAR responses
  • Reduced operational burden on staff
  • Defensible decisions on scope and disclosure
  • Lower likelihood of complaints or enforcement
  • Improved confidence for senior leadership and boards
  • Stronger overall accountability

Well‑handled DSARs reduce regulatory and litigation risk.

7. Our Independence Matters

Independent & Business Aligned Advice

ACTINUM Limited provides independent, non-product led business advice, and hands-on pragmatic support.

We do not focus on selling software, platforms, or technology solutions. This allows us to act as a trusted, objective challenge to vendor claims, internal assumptions, and assurance statements and programme decisions.

8. Common Questions

What is a Data Subject Access Request?

A DSAR is a request by an individual to access personal data held about them by an organisation under UK GDPR.

How long do we have to respond to a DSAR?

In most cases, organisations must respond within one month. Extensions are permitted only in limited circumstances.

Do SMEs have to comply with DSARs?

Yes. UK GDPR applies to organisations of all sizes.

Can we refuse a DSAR?

In limited circumstances, such as where exemptions apply or requests are manifestly unfounded or excessive, but decisions must be justified and documented.

Can ACTINUM Limited review a DSAR response before we send it?

Yes. We regularly review draft responses to reduce risk and improve defensibility.

9. Service Snapshot

Service: Data Subject Access Requests (DSARs)
Focus: Timely, accurate, defensible DSAR responses
Best For: SMEs, employers, regulated organisations
Regulation: UK GDPR Articles 12 to 15, ICO guidance
Delivery: Independent, practical, proportionate

10. How This Service Cross‑links to Other Services

This service directly supports and is supported by:

  • Data Protection Training & Awareness
  • Data Breach & Incident Management
  • UK GDPR Documentation requirements (Art‑30)
  • GDPR Governance requirements and expectations
  • AI Governance & Assurance Support
  • Internal and External Audits and Controls

DSAR handling connects individual rights, governance, and accountability.