Data Subject Access Requests: A Survival Guide for Charities
Most charity data subject access requests are handled in a panic that makes them slower and riskier. The 30-day workflow, the search discipline and the redaction approach that produce compliant responses without burning the team.
A data subject access request arrives, usually unexpectedly, from a former volunteer, a supporter who has fallen out with the charity, an ex-employee, or occasionally a journalist. The clock starts the moment it lands. One calendar month to find, review, redact and release every piece of personal data the charity holds on the requester. For most charities this is the most time-sensitive compliance task they will face all year.
Handled in a panic, the response is late, incomplete and often leaks third-party data the charity did not realise it had included. Handled with a workflow, the response is timely, accurate and uses far less of the team's time than the panic version. The 30-day workflow below is the one I install with charity teams; it survives most realistic request scenarios.
Day 0 to Day 3: triage and acknowledgement
Confirm validity
Check that the request is from the data subject themselves (or a properly authorised representative), that it is about their own personal data, and that you can verify their identity proportionately. Identity verification should be proportionate to the sensitivity of the data, not maximalist.
Acknowledge in writing within three working days
An acknowledgement that confirms receipt, names the response deadline, and asks any necessary clarifying questions (specific time period, specific records, specific systems). Clarifying questions do not pause the clock unless they relate to identity verification.
Open the case file
A single case file per request, tracking the request scope, the systems searched, the documents identified, the redactions applied, the third parties consulted and the final release. Most ICO enforcement on DSARs results from poor case-file documentation, not poor intent.
Day 4 to Day 14: search
Map the systems holding personal data
Most charities hold personal data in more places than they realise: CRM, email, shared drives, Slack or Teams, finance systems, HR systems, safeguarding records, board portals, individual laptops, paper files. The search must cover all of them. A pre-prepared system map saves hours per request.
Search systematically, document as you go
Use consistent search terms across systems (full name, known email addresses, any internal IDs). Document what was searched, by whom, when, with what term set. The case-file evidence is essential if the search is later challenged.
Distinguish personal data from contextual data
A meeting note that mentions the requester in passing contains their personal data. A meeting note that includes their views or actions attributed to them is more clearly their personal data. The right covers personal data, not every document that mentions a name. Be considered, not maximalist.
Day 15 to Day 22: review and redaction
Redact third-party information
Names, contact details and identifying information of other individuals must usually be redacted unless they consented, are acting in a professional capacity where disclosure is reasonable, or the information is genuinely impossible to separate. Document the basis for each redaction.
Apply exemptions carefully
Legal professional privilege, confidential references, ongoing safeguarding investigations, and certain regulatory functions may attract exemptions. Each exemption application must be documented with a clear rationale. Blanket withholding without rationale is the most common DSAR failure that the ICO upholds.
Consult third parties where required
Where third-party information cannot be redacted without losing meaning, consider whether their consent should be sought. The third party's reasonable expectations are central; their right to refuse is not absolute but is significant.
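As an added illustration, not part of this guide's own templates or tooling, the redaction step above can be done in a way that writes the redaction log as it goes, so every decision (disclosed or redacted, and on what basis) lands in the case file automatically. The script is example Python written for this page: the meeting note, names, email addresses and phone number are all constructed, and the contact-detail patterns are deliberately simple.

```python
import re
from dataclasses import dataclass

# Constructed sample: a meeting note found during the search, mentioning the
# requester and two other individuals (all names, emails and numbers invented).
SAMPLE_NOTE = (
    "Volunteer meeting, 3 March. Present: Priya Shah, Tom Reilly, Dr Ann Lee.\n"
    "Priya Shah raised concerns about the rota. Tom Reilly disagreed strongly.\n"
    "Dr Ann Lee (GP) confirmed the referral; contact tom.reilly@example.org\n"
    "or 07700 900123 for follow-up. Priya's email is priya.shah@example.org."
)

@dataclass(frozen=True)
class ThirdParty:
    name: str
    basis: str  # why the name may stay ("consented", "professional capacity"); "" = redact
# Email addresses and UK-style mobile numbers; simple illustrative patterns only.
CONTACT_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+|\b0\d{4}\s?\d{6}\b")

def redact_document(text, requester_identifiers, third_parties):
    """Return (redacted_text, redaction_log). The requester's own identifiers
    are kept (it is their data); each third-party name is disclosed or
    replaced, and every decision is logged with its basis for the case file."""
    log = []
    keep = {i.lower() for i in requester_identifiers}
    out = text
    for tp in third_parties:
        pattern = re.compile(r"\b" + re.escape(tp.name) + r"\b", re.IGNORECASE)
        hits = len(pattern.findall(out))
        if hits == 0:
            continue  # not present in this document, nothing to decide
        if tp.basis:
            log.append({"identifier": tp.name, "action": "disclosed", "occurrences": hits, "basis": tp.basis})
        else:
            out = pattern.sub("[THIRD PARTY REDACTED]", out)
            log.append({"identifier": tp.name, "action": "redacted", "occurrences": hits,
                        "basis": "third-party personal data, no consent"})
    def _contact(match):  # contact details not belonging to the requester are third-party data
        value = match.group(0)
        if value.lower() in keep:
            return value
        log.append({"identifier": value, "action": "redacted", "occurrences": 1,
                    "basis": "contact detail of a third party"})
        return "[CONTACT REDACTED]"

    return CONTACT_RE.sub(_contact, out), log

def demo():
    return redact_document(SAMPLE_NOTE, ["Priya Shah", "priya.shah@example.org"],
                           [ThirdParty("Tom Reilly", ""), ThirdParty("Dr Ann Lee", "professional capacity")])
```

The returned log is what goes into the case file's redaction log; the reviewer still reads the output, because pattern matching will not catch every indirect identifier in free text.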
Day 23 to Day 28: package and release
Format proportionately
A clear, structured package: an index of what is included, the responsive documents (redacted where necessary), and a covering letter that explains the search performed and any material withheld with the legal basis. The requester should be able to understand what they have and what they do not have.
Deliver securely
Encrypted email, secure file transfer or password-protected download. Postal release only with tracked delivery. A DSAR release that is intercepted in transit becomes a personal data breach the same day.
Brief the team on possible follow-up
Some DSARs precede a complaint, an employment claim or media coverage. Brief the safeguarding lead, the chief executive and (where relevant) trustees on the release, in confidence, so they are not surprised by what follows.
Day 29 to Day 30: closure and learning
Close the case file
Final case-file entry confirming the release, the format, the date and the recipient. Retain in line with your data protection record-keeping policy.
Lessons-learned note
One short note for the team: what worked, what was hard, what to change for next time. Most DSAR efficiency comes from compounding small improvements over a year of requests.
What charities most often get wrong
- Missing the one-month deadline because the request was assumed to be a complaint and routed slowly.
- Failing to search staff personal email and individual laptops.
- Releasing third-party data inadvertently in the body of meeting notes or email threads.
- Withholding documents under exemptions without documenting the rationale.
- Treating the case file as an internal admin task rather than the legal record of a regulatory response.
A DSAR is one of the few moments when a regulator might examine your data practice in detail. Treat each one as if the ICO will read the case file, because occasionally they will.
Practical setup before the next request arrives
- Maintain a current map of systems holding personal data, with owners.
- Maintain a DSAR runbook with templates for acknowledgement, search log, redaction log and covering letter.
- Nominate a DSAR lead with a deputy. Brief the wider team on triage.
- Run a tabletop exercise annually using a realistic mock request.
These four investments turn DSARs from emergencies into routine. The team time saved across a single year of requests almost always exceeds the time invested in the setup.
Further reading
- A Data Breach Response Checklist for Charities
- Cyber Security Basics Every Charity Should Have in Place
- The State of Charity Tech, 2026
Frequently asked questions
What is the deadline for responding to a DSAR?
One calendar month from receipt of a valid request. This can be extended by a further two months for complex or numerous requests, but you must notify the requester of the extension and the reasons within the first month.
Can we charge for handling a DSAR?
Generally no. The right is to receive a copy free of charge. A reasonable fee can be charged for manifestly unfounded or excessive requests, or for further copies, but this is the exception and must be justified.
What if releasing the data would expose someone else?
Third-party information must be redacted or excluded unless the third party has consented or it is reasonable to disclose. The DSAR right covers the requester’s personal data, not information about other people.
Sources
External references used in this article. Links open on the original publisher’s site.
- ICO: Right of Access · Information Commissioner's Office · Accessed 21 May 2026
- ICO: Guide to the UK GDPR · Information Commissioner's Office · Accessed 21 May 2026
- NCVO: Data Protection for Charities · NCVO · Accessed 21 May 2026