The challenges of complying with the ever-increasing volume of data subject access requests (DSARs) were a topic for discussion at our Data Privacy Forum (DP Forum) in December. Legal developments since then have added to the understanding of the requirements in this area. These include:
- The High Court ruling published on 27 January 2025 in a case brought by Mike Ashley regarding a DSAR he submitted to Her Majesty’s Revenue & Customs (HMRC) (Ashley Case).
- The report by the European Data Protection Board (EDPB) published on 16 January 2025 on the outcome of the co-ordinated investigations by 30 supervisory authorities (SAs) across the European Economic Area into DSAR compliance (Investigations Report).
- The report by the EDPB’s support pool of experts programme on AI-related data rights published on 23 January 2025 (EDPB Experts Report).
So, what are the takeaways from these developments?
Importance of correctly assessing the scope of the DSAR
At our DP Forum we discussed that in some cases controllers should seek clarification of the DSAR scope from the data subject, whilst in other cases controllers will be able to limit the search scope to pinpoint the responsive data needed to fulfil the request.
In the Ashley Case, HMRC limited its response to the personal data that was processed by a particular Directorate. However, the Court held that a DSAR seeking “any and all data held in relation to HMRC’s enquiry” was valid across all of HMRC and so could not be limited in this way. The fact that Ashley sent his DSAR to specific individuals at that particular Directorate did not therefore limit its scope.
In a similar vein, the Investigations Report noted concerns regarding the awareness of controllers as to the scope of DSARs, including them defining the scope too narrowly. The EDPB noted that controllers cannot limit their replies to data they consider relevant, and concluded that controllers should assess the scope of the DSAR at the outset and use their records of processing activities (ROPAs) to identify data locations. However, given the challenges of ensuring that ROPAs are up to date and accurate, these may not be as helpful in practice as the EDPB hopes.
Need to correctly identify what amounts to personal data
The Court ruled that property valuations were Mr Ashley’s personal data, but the decisions behind those valuations were not, as individuals do not have the right to access the decision-maker’s reasoning. Similarly, the Investigations Report noted that some controllers do not include pseudonymised data or traffic data in their response.
It is not always straightforward to determine what is or is not personal data, with judgement sometimes being required. Ensuring that suitably experienced data protection professionals are involved in the decision is therefore important.
Ensure search is reasonable and proportionate
The Investigations Report notes that some controllers only search the most commonly used databases while excluding certain file types, whilst in the Ashley Case the Court found that HMRC failed to conduct a sufficiently thorough search.
At our DP Forum, we discussed that the burden of proof that the search was reasonable and proportionate rests with controllers. This means that controllers have the discretion to determine the scope and approach of the search, but they must ensure that it is thorough and appropriate given the specific circumstances.
Provide personal data in a transparent and intelligible manner
The Investigations Report states that some controllers only provided compiled personal data rather than extracts or entire documents. The EDPB emphasised that compliance with a DSAR may require the provision of extracts or full documents if that is necessary for the data subject to effectively exercise their rights. As a positive finding, the EDPB highlighted that some controllers offer explanatory information or a list detailing the contents of each document provided in response to DSARs.
This was also reflected in the Ashley Case, where the Court held that data must be provided in a way that allows individuals to understand its nature and implications. It ruled that it was insufficient for HMRC to provide Ashley with “decontextualised snippets of data”, such as extracts containing only his name or initials, as this did not allow the data subject to understand the personal data processed about them.
Both the Investigations Report and the Ashley Case therefore reflect the importance of contextual transparency in responding to DSARs, ensuring that data subjects can fully understand the context in which their personal data is processed. However, this transparency must, of course, be balanced with the rights of third parties on a case-by-case basis.
Importance of documenting internal procedures
The Investigations Report notes that some controllers lack detailed internal documented procedures for handling DSARs. While not a legal requirement, the EDPB emphasised that having such procedures can help controllers demonstrate compliance.
Similarly, at our DP Forum, it was universally agreed that documenting the decisions made regarding a particular DSAR is essential. This ensures organisations are better prepared for potential complaints.
Handle AI with care
The EDPB Experts Report emphasises that as AI becomes more integrated into data processing, organisations must ensure that individuals can still exercise their rights. Similarly, the ICO, in its response to its consultation series on GenAI, emphasised that organisations must design and build systems capable of fulfilling information rights requests for both the training data and the trained model.
Outlook
With the Data Bill not seeking to limit the use of DSARs, we expect the strategic use of DSARs in employee and customer disputes to continue in the UK, and it is becoming more commonplace in EU jurisdictions too. Ensuring that an organisation’s processes take into account recent developments will therefore be even more important if complaints to the ICO (or indeed the courts) are to be avoided.