DSAR – what is it?
A Data Subject Access Request (DSAR) is a legal right under UK GDPR that allows an individual to ask your organisation what personal data you hold about them and to request a copy of that information.
Importantly, anyone can make a DSAR. This includes customers, employees, former employees, suppliers, contractors, and even job applicants.
Furthermore, a request doesn’t need to mention “GDPR” or “DSAR” to be valid. For example, if someone asks, “Can you tell me what information you have about me?” by email, phone, social media, or in conversation, they have effectively submitted a DSAR.
Once you receive a request, you will typically have one calendar month to respond. However, if you need to verify the requester’s identity or ask them to clarify their request, the clock can pause. It then resumes once you receive the information required to continue.
What's involved in responding?
Responding to a DSAR isn’t a quick email reply — it’s a structured, auditable process:
- Recognise the request — It can arrive through any channel. Train your team to spot them.
- Verify identity — Confirm the requester is who they claim to be, without collecting more personal data than necessary.
- Scope and clarify — You’re entitled to ask the requester to narrow the scope (e.g., specific date ranges, systems, or types of data). The clock pauses while you wait for clarification under the new stop-the-clock rules.
- Search across all systems — Personal data lives everywhere: email, HR systems, CRM, SharePoint, OneDrive, Teams chats, file shares, even CCTV. You need a “whole business” search strategy.
- Review and redact — Third-party personal data must be redacted before disclosure. Over-redaction triggers complaints; under-redaction risks a breach.
- Apply exemptions — Certain data may be exempt (e.g., legal privilege, management planning, confidential references). Apply exemptions consistently and document your reasoning.
- Deliver securely — Provide the data in an accessible, concise, and intelligible format, delivered securely.
- Maintain an audit trail — Document every decision. If the ICO comes knocking, your defensibility depends on it.
Where Microsoft Purview fits in
For organisations using Microsoft 365, a significant proportion of the data covered by a DSAR is likely to reside within the Microsoft cloud. This may include:
- Emails in Exchange Online
- Teams chats and channel conversations
- OneDrive files
- SharePoint documents
- Calendar entries
- Attachments and other collaboration data
How can Highstream help?
Preparation is the key to ensuring DSAR requests are handled quickly and efficiently. We can help you with:
- Data mapping: organise and manage where different types of data sit in your storage areas so access is simple and effective.
- Purview configuration: set up audit logs and data classification
- Access control: permission lists and retention labels
- Processes: create and follow a standard repeatable process to improve efficiency
- Discovery and export: applying scopes and filters, and producing quality reports
- Technical guidance & licensing: advice on setup and configuration
- Security policies: to reduce the amount of data held and limit who can access it
- Training & awareness: for any staff members who obtain or access data
What now?
A DSAR doesn’t have to become a crisis. However, organisations that lack clear processes, visibility of their data, or the right tools often find these requests time-consuming and stressful.
By understanding your obligations, knowing where your data resides, and establishing a repeatable response process, you can handle requests confidently and efficiently.
The best time to prepare for a DSAR is before one arrives. With the right foundations in place, responding to a request becomes a controlled process rather than a last-minute scramble.
For more information about DSARs and how we can help you prepare, contact us.
