Get in Touch Menu

ICO’s new guidance on responding to data subject access requests

27 July 2023

On 24 May, the ICO published its updated guidance for businesses and employers on responding to data subject access requests (commonly referred to as ‘SARs’ or ‘DSARs’).

Based on the right of access outlined in the UK GDPR, data subjects have the right to request a copy of their personal information from organisations.

Over the last couple of years we’ve witnessed an increase in the number of DSARs submitted by current or former employees, with many of them being made as the employment relationship gets litigious.

The ICO said they have received over 15,000 complaints related to DSARs in the last 12 months. Although not all of them were employment-related, the ICO believes that some employers misunderstand the nature of DSARs and underestimate the importance of a proper response to them.

They have now, therefore, issued updated guidance that should assist businesses and employers to ‘not get caught out’.

The new guidance clarifies certain points, such as that there are no formal requirements when making a DSAR and that workers can submit one verbally or even via social media. It also comments on the position of DSARs made in the context of grievances or put forward during the without-prejudice negotiations. A helpful Q&A is also included.

If you have any questions, please get in touch. Our specialist GDPR and data protection solicitors will make the effort to get to know your business, using this knowledge to create workable solutions to any kind of data protection compliance challenge you may face. Whether you’re looking for a comprehensive solution, training or help with certain aspects of data protection law, please contact our dedicated team.

Contact us

Willans Data Protection Services provides organisations operating on a multi-national basis with UK and Article 27 Representative solutions, Data Protection Officer services and GDPR training solutions. 

Disclaimer: All legal information is correct at the time of publication but please be aware that laws may change over time. This article contains general legal information but should not be relied upon as legal advice. Please seek professional legal advice about your specific situation - contact us; we’d be delighted to help.
Klára Grmelová MGR (LLM Czech)
View profile
Related services
Share this article
Resources to help

Related articles

New UK data protection regime – what to expect

GDPR & data protection

Less paperwork for organisations, fewer data collection pop-ups for the wider public, and more than £4 billion saved over next 10 years – these are just a few outcomes that…

Matthew Clayton MA LLM (Cantab), CIPP/E

SCCs: New rules governing cross-border data transfers and data exchanges from the EU and EEA

GDPR & data protection

This September brings change to the use of standard contractual clauses (SCCs) governing data transfers from the EU and EEA. In June this year, the European Commission published two sets…

Kym Fletcher LLB (Hons) Euro
Consultant, solicitor

Your business post-Brexit: What has changed & what should you do now?


On Christmas Eve, the nation was informed that the UK and EU had struck a Brexit deal. The transition period is now over, and a clearer picture of the future…

Helen Howes LLM
Associate, solicitor
Contact us