Responding to a DSAR: Lessons for Employers

Ellen Goodland

In May 2025, the Information Commissioner’s Office (ICO) issued a formal reprimand to Greater Manchester Police (GMP) for repeated failures to comply with data protection obligations under the UK GDPR and the Data Protection Act 2018. Much of the cause of concern from the ICO’s perspective related to data subject access requests (DSARs) not being responded to within the required deadline. 

The reprimand offers a reminder to employers of the importance of having robust processes in place for handling SARs. In many cases, DSARs are raised by employees in the context of a broader employment dispute and so handling DSARs appropriately is also important to help manage and mitigate the associated litigation risks. 

What happened?

Data protection laws require organisations to respond to DSARs within one month (this deadline can be extended by a further two months in certain circumstances). GMP consistently failed to meet these deadlines between October 2022 and September 2024, with some responses to requests delayed by nearly three years.

GMP explained the delays were a result of a surge in DSARs involving complex digital materials (e.g. body-worn video, CCTV), as well as resourcing constraints exacerbated by the COVID-19 pandemic.

At its peak, GMP had over 1,200 overdue DSARs, with one SAR 1047 days old. However, GMP reported that by September 2024, it had implemented a number of measures which reduced overdue DSARs to just 39 and that it had achieved a 97% compliance rate.

GMP was able to achieve this significant turnaround by making proactive efforts to remedy the backlog through implementing a dedicated DSAR recovery action plan, improving resourcing and reviewing their processes and procedures.  

In recognition of these efforts, GMP avoided more severe sanctions such as fines and penalties and instead the ICO issued a reprimand to GMP together with non-binding recommendations to assist GMP with rectifying its processes to ensure compliance moving forwards. 

Practical takeaways for employers

This situation for GMP is reasonably unique to their circumstances and the huge volume of DSARs they receive on a monthly basis. However, there are lessons to be learnt from this example, particularly as GMP was able to make such significant improvements which meant they avoided potentially more severe sanctions from the ICO. 

Below are five key takeaways for employers:

  • Compliance with DSARs is a legal obligation. Delays, even those caused by legitimate reasons, can lead to scrutiny from the ICO. Employers must treat DSARs as a core compliance function with processes and procedures in place to ensure timely compliance rather than a ‘back office’, administrative task. It is therefore important to have someone within your organisation who is ultimately responsible for DSAR compliance to avoid teams sitting on requests before they are passed on to be dealt with. 
     
  • Plan ahead. The number of DSARs being raised is increasing; in particular, we have seen a growing trend of these requests being raised not only by current but also by former employees. To avoid being overwhelmed, put in place measures to make responding to DSARs as manageable and efficient as possible, for example by establishing a DSAR reporting process so that the appropriate team is notified promptly once a DSAR has been received. In responding to a DSAR, your legal obligation is to undertake a ‘reasonable and proportionate’ search. This means, in some circumstances, you will be able to clarify the scope of the request and reach a determination as to what would be a reasonable and proportionate search in the circumstances. In addition, use technology to help process requests more efficiently, e.g. using tools that help with redactions and processing documents.
     
  • Resourcing is key. Insufficient resource will not be accepted by the ICO as a defence to non-compliance or slow compliance, so make sure you have a team that has the capacity to deal with the requests and that your teams are adequately supported.
     
  • Remediation matters. If you are aware of shortcomings in your DSAR procedures, are there steps you can take proactively to mitigate these? GMP's recognition of their shortcomings and their proactive implementation of changes to address these were factors taken into account by the ICO.
     
  • Review your DSAR process regularly. Conduct internal audits of your process, assess the extent to which you can make improvements and ensure your data protection policies are up-to-date and accurately reflect your practices.

DSARs raised by employees are on the increase, so taking the time to ensure your process for dealing with them is working effectively is time well spent.

We advise clients on managing DSARs from the workforce efficiently and effectively and on mitigating the risks in the context of any broader employment dispute. If you would like to discuss managing your DSARs, please contact me.