Dina Khemlani Hetherington: A DSAR Just Landed in Your Inbox. Now What?
Key Takeaways
- DSAR triggers a one‑month response deadline under UK GDPR
- Verify requester identity before releasing any personal data
- Collect data from all sources, including backups and third‑party services
- Provide information in a clear, electronic, machine‑readable format
- Document the request and response process for audit purposes
Pulse Analysis
Data subject access requests have moved from a niche compliance concern to a routine inbox event for many UK‑based founders. The UK GDPR, reinforced by the Data Protection Act 2018, grants any individual the right to obtain a copy of the personal data a company holds about them. While the law applies to large enterprises, small and medium‑sized businesses often overlook the requirement, assuming their modest data volumes exempt them. In reality, the moment a request lands—whether phrased as “What data do you have on me?” or a formal DSAR—the statutory clock starts, and failure to respond within one month can trigger enforcement action and fines up to £17.5 million or 4 % of global turnover.
For SMEs, the practical challenge lies in locating scattered data across cloud services, email archives, and legacy systems. The first step is to confirm the requester's identity to avoid unauthorized disclosures. Next, businesses should inventory all repositories—CRM platforms, payroll software, marketing tools—and extract relevant records, ensuring they include metadata and any processed analytics. The response must be concise, delivered electronically, and formatted for easy readability, often as a CSV or PDF. Keeping a detailed log of the request, actions taken, and communications not only satisfies regulatory expectations but also creates a defensible audit trail should regulators investigate.
Strategically, handling DSARs well can become a competitive advantage. Transparent data practices reinforce customer trust and differentiate compliant firms in a privacy‑conscious market. Many vendors now offer DSAR automation tools that map data flows, streamline identity verification, and generate compliant responses at scale. Investing in such solutions not only mitigates risk but also positions SMEs to meet future data‑rights legislation, such as the upcoming UK Data Protection Bill, without disrupting operations. Proactive compliance, therefore, is both a legal safeguard and a growth catalyst for forward‑looking businesses.