
A Guide to Data Subject Access Requests (DSAR) for Law Firms

14 November 2023

In the information age, the importance of safeguarding personal data and ensuring transparency in data processing has never been more critical. For law firms operating within the United Kingdom, appropriate handling of Data Subject Access Requests (DSARs) has become an integral part of their legal responsibilities. DSARs provide individuals with the right to access their personal data held by organisations, and failing to handle them correctly can result in substantial fines, penalties from the SRA and the ICO, and reputational damage.

Whilst the Information Commissioner's Office (ICO) doesn’t hold any UK-wide statistics on how many DSARs are submitted each year, our research has found a steady increase in submissions as awareness of DSARs has grown. For example, in 2016/7 the ICO alone received 753 DSARs. By 2018/9 this had risen dramatically by 45% in just two years to 1,096. Data from their latest annual report shows 2,355 DSAR requests were made to the ICO alone; that’s a staggering leap of 212% since 2017. Anecdotal data indicates that the same is true across other industries, including the legal sector.

It's clear that UK law firms need to be well-versed in handling DSARs to protect their clients, their staff and suppliers, maintain their reputation, safeguard from regulatory action, and avoid potentially devastating financial penalties. In this guide, we will explore the DSAR process, compliance requirements, and practical tips to help law firms navigate this essential aspect of data protection and privacy law.

What is a Data Subject Access Request (DSAR)?

As set out in Article 15 of the GDPR, a Data Subject Access Request (DSAR) is a formal request made by an individual, known as the "data subject," to a law firm or any organisation that processes their personal data. The purpose of a DSAR is to allow the data subject to obtain a copy of personal data that an organisation holds about them. In the case of law firms, this may include client records, case files, correspondence, staff records (including past employees and unsuccessful applicants), suppliers, experts, counsel, or any other information that pertains to the individual.

How to identify when you have received a DSAR

Frustratingly, whilst a DSAR is a formal request, it doesn’t have to be submitted using a formal method. DSARs can be made verbally or in writing, and there is no specific wording or form which needs to be used. A request can even be made via social media.

A seemingly innocuous question from an individual over the telephone, “What data do you have on me?”, could in fact be a DSAR.

This means that without thorough DSAR training, it can be easy for businesses to miss a formal request, and many do! The penalties can be severe, and reprimands are made public.

The ICO states that a DSAR is considered valid if “... it is clear that the individual is asking for their own personal data.”

Individuals can also ask a third party, such as a relative, friend or solicitor, to submit a subject access request on their behalf, but in these instances it is the responsibility of the third party to provide evidence of their authority, such as a Power of Attorney.

Children over 12 years old can also submit their own Data Subject Access Request, so requests from children should not be ignored.

What steps do you need to take once you’ve received a DSAR?

It is important that your GDPR controls include a defined procedure for receiving, recording, and actioning DSAR requests in a timely manner. The clock starts when the user submits their request, not when you have received or seen it. It is therefore important that requests are afforded the appropriate attention to enable their accurate completion within the time allowed.

A typical DSAR process often looks something like this:

  1. A DSAR request is identified and logged.
    Tip: It can be a good idea at this point to set a reminder for a week before the deadline as a safeguard. Law firms are busy environments, so it would be easy for a single DSAR to slip through the net, especially if it’s not from a person who is at the forefront of your mind at the time.
  2. Confirm receipt of their request.
  3. Verify the requestor's identity. Just because you have received a request, it doesn’t mean you should blindly action it. You have a continued responsibility to protect that data subject’s information, and therefore it is reasonable and expected that you will verify that the person requesting the information is authorised to receive it. How you achieve this will depend on the method of the request, the nature of the information being requested, and a number of other factors. Often steps 2 and 3 can be combined. This is one of the areas we can help your team better understand via our GDPR training.
  4. Review, evaluate and action the request. It is important to ensure you clearly understand what the user is requesting. You don’t want to expose unnecessary data, even to the data subject themselves, if it’s not relevant to their specific request. Doing so could demonstrate that you have a poor data handling process and further exacerbate the situation. If, having reviewed the request, you feel you need more time, this can be requested under certain circumstances. There may be some instances where you can legitimately decline a DSAR request, such as when it is manifestly unfounded or excessive.
  5. Keep records throughout the process. As you have a legal responsibility to process DSARs, you are permitted to keep records in relation to them, including instances where a user has requested deletion of data relating to themselves, as ultimately you need a record to evidence that you have complied with their requests. Certain accreditations, such as Lexcel, also require you to have adequate data protection controls in place, so accurate record-keeping regarding open and resolved DSARs aligns with that requirement.

How long do you have to respond to a DSAR?

According to the ICO:

“You should respond [to a DSAR] without delay and within one month of receipt of the request”

However, in some circumstances, an organisation may require longer to process the request. If the DSAR is complex or multiple requests are received from the same individual, the organisation is allowed to extend this time limit by a further two months. In this case, they must clearly explain why the extension is needed and inform the requester about the extension within one month of the submission of the DSAR.

What information can an individual request within the scope of a DSAR?

In a DSAR, an individual is entitled to:

  • Confirmation that the organisation is processing their personal data
  • A copy of their personal data
  • Other supplementary information

They can request all of the personal data that the organisation has on them, or a specific piece of information.

The personal data stored by organisations could include:

  • Client records
  • Copies of any correspondence
  • Copies of any contracts they have signed
  • Text messages
  • Emails
  • Enquiries and prospect information
  • Marketing lists
  • Employment contracts
  • Staff disciplinary records
  • Payroll information
  • Records of experts and counsel

They are only entitled to their own personal data, not the personal data of another individual.

What information is considered outside the scope of a DSAR?

As well as other people’s personal data, there is a range of information that individuals cannot receive in response to a DSAR. These exemptions include data on:

The legal professional privilege exemption is of particular interest for law firms as it states that:

“Personal data is exempt from the right of access if it consists of information:

  • to which a claim to legal professional privilege (or confidentiality of communications in Scotland) could be maintained in legal proceedings; or
  • in respect of which a professional legal adviser owes a duty of confidentiality to his client.

This exemption covers the two branches of legal professional privilege: litigation privilege and legal advice privilege. The English law concept of legal professional privilege encompasses both ‘litigation’ privilege and ‘legal advice’ privilege. In broad terms, the former applies to confidential communications between a client, professional legal adviser or a third party, but only where litigation is contemplated or in progress. The latter applies only to confidential communications between a client and a professional legal adviser for the purpose of seeking or obtaining legal advice.” [continues]

For more information about how these exemptions work in practice and further exemptions, read the ICO’s detailed guidance.

What information should a response to a DSAR contain?

In response to a DSAR, as well as a copy of the requested personal data (or all of the personal data held on the individual), firms should also provide a range of information about how that data was and is used. This includes:

  • Why the data was collected
  • How the data was processed
  • Who their personal data has been shared with
  • How long the data has been held
  • How much longer the organisation intends to keep the data
  • If the data was used to make an automated decision about the individual
  • If the data has been used to create some sort of profile about the individual

What information should a response to a DSAR not contain?

Legal documents and case matter often include personal data relating to other individuals. Whilst some of this information might already be known to the individual submitting the DSAR, it must still be redacted from the response, as a DSAR only entitles the requestor to information relating to themselves.

Where PDA has supported law firms with DSARs, the number of documents, emails, letters, text messages and other sources of filed information can run into thousands. Even though the requestor might already know the names or email addresses of the other people on a group of emails, or even be related to them, the requestor is not entitled to receive copies of those other individuals' personal data. Therefore, a process of redaction often needs to take place. Where there are hundreds of documents to be redacted, this can take many hours.

What happens if you fail to action a DSAR or respond to it within the required timeframe?

If an organisation doesn’t respond to a DSAR within the required timeframe, the requester may report this to the ICO. In some cases, particularly if it has received a number of complaints against the same organisation, the ICO may take action.

This action could take the form of a:

  • Warning
  • Reprimand
  • Enforcement Notice
  • Penalty Notice

Furthermore, the requester may apply for a court order requiring the organisation to comply with the request or seek compensation if they feel they have suffered damage or distress because their data protection rights have been infringed.

Whether seeking a court order or compensation, it is up to the court to decide the outcome for each particular case. However, the individual may seek to settle the claim with the organisation before starting court proceedings.

The organisation will not be liable to pay compensation if it can prove that it is not in any way responsible for the event that led to the damage or distress.

How much should a Data Subject Access Request cost?

In the majority of cases, organisations are not allowed to charge a fee when delivering the data requested in a DSAR. After all, it’s the individual’s own information.

However, organisations can charge a ‘reasonable fee’ for the administrative costs involved if the request is manifestly unfounded or excessive, or if the individual requests further copies of the same information. This does not mean an organisation can charge for future requests from the same individual for different information.

The importance of DSAR training for law firms

The above covers just the tip of the iceberg. Full compliance for law firms requires a greater and more in-depth comprehension of your obligations than we can provide via this article alone. Therefore, why not contact us today for a free, no obligation consultation to discuss our GDPR and DSAR training services?

We have spoken at Law Society national conferences and webinars on data protection, and we have over 25 years of experience and have supported over 500 law firms within the UK legal sector, so you can rest assured you are in safe hands.
