July 30, 2025

DSARs: A Growing Risk for Businesses Hiding in Plain Sight

Data Subject Access Requests, or DSARs, are one of the most underestimated risks businesses face today. They often begin quietly, with a polite enquiry or a brief email. But when mishandled, they can quickly escalate into formal complaints, regulatory action, reputational damage or even unwanted media attention.

If handled well, a DSAR demonstrates your commitment to transparency and compliance. If handled poorly, it reveals organisational weakness and invites scrutiny.

What Is a DSAR?

Under the UK GDPR, individuals have the right to ask what personal data your organisation holds on them. This is known as a Data Subject Access Request. The request can include emails, attachments, call notes, archived material, and even deleted content in some situations.

The response must be issued within one calendar month. It needs to be thorough, clearly formatted and lawful. There is very little room for error.

DSARs come from many sources: a departing employee, a frustrated customer, or a data-savvy campaigner. Sometimes, they are routine, and other times, they are strategic. Either way, your business is responsible for the response.

Who Carries the Risk?

It is easy to assume this is a legal matter, and many businesses do. The first step is often to contact a law firm. That is a sensible move, and legal advice is vital to ensure the correct use of exemptions and to understand risk.

However, when you engage legal support for a DSAR, lawyers will often provide advice but will not always perform the practical redactions themselves. That responsibility would sit squarely with your business.

It is your data, systems and email archive. You are the data controller, which means you own the risk, from both a reputational and a regulatory perspective.

How Bruce & Butler Support Your DSAR Response

Matt Bruce, Managing Director at Bruce & Butler, works directly with businesses to deliver safe, accurate, and defensible DSAR responses. His team handles the operational heavy lifting, turning legal guidance into a compliant response pack that withstands scrutiny.

“We often get called in when a business realises a DSAR is bigger than expected,” Matt explains. “They know what they are supposed to do, but they do not have the time, tools or capacity to do it properly. That is where we step in. We help protect reputation and give the business confidence under pressure.”

Bruce & Butler is the practical partner, quietly handling the details so internal teams can focus on their day jobs. Their approach is steady, structured and experienced.

“Handled correctly, a DSAR is just part of doing business responsibly,” Matt adds. “Handled poorly, it becomes a story about whether your organisation is careless, slow or disorganised. That is not a story any leadership team wants told.”

What Can Go Wrong?

A great deal, and often very quietly.

  • The request is missed or logged late
  • Data searches are incomplete or inconsistent
  • Redactions are rushed or handled manually
  • Staff send unfiltered attachments without removing sensitive references
  • The final response lacks structure, clarity or a proper audit trail

Each of these missteps can result in an ICO complaint. If the person submitting the DSAR is frustrated, they may share their experience publicly. That can mean internal pressure, reputational damage or regulatory escalation.

Why This Matters for Business Leaders

DSARs are not admin. They are not paperwork. They are a public measure of how your business treats data subjects, including your staff and customers.

They are a reputational test for managing partners, compliance leads, and senior executives. A weak response raises bigger questions. Are your records properly maintained? Is your governance sound? Do you take data rights seriously?

A well-handled DSAR shows competence and care. A poor one can undermine trust across your organisation and beyond it.

What Good Looks Like

DSARs need more than good intentions. They require a repeatable, defensible process.

Bruce & Butler support clients by:

  • Identifying relevant data across systems and sources
  • Filtering and reviewing materials in line with legal advice
  • Applying redactions carefully and consistently
  • Managing deadlines, documentation and communication
  • Preparing a complete, compliant response that reflects well on your business

“It is not just about this one request,” says Matt. “It is about building internal confidence so that the business is ready next time. That is what our clients want. Peace of mind and a clear plan.”

Final Word

Many businesses underestimate the complexity and risk of DSARs until it is too late. Although the request may appear routine, it carries legal responsibility, operational pressure, and reputational risk. If your business relies on manual effort, guesswork, or outdated processes, it is exposed.

The law firm can advise. Bruce & Butler delivers.

We are here to help you confidently manage DSARs and protect your business in the process.

Contact our team today for discreet, expert DSAR response support, or visit our data protection page to learn more about our data protection and compliance services.