Does your organisation see an uptick in data subject access requests whenever the story of a high-profile individual exercising their data protection rights makes the headlines?
DSARs are a real leveller. Whether the requester is a celebrity, a high-ranking employee or the most junior person on the totem pole, they all have the same right of access under Article 15 of the UK GDPR.
Last month, British television presenter Gregg Wallace launched a widely reported legal action against the BBC, claiming that its failure to comply with his data subject access requests had caused him "distress and harassment". Wallace, who for nearly two decades co-presented the popular cooking show MasterChef, was dismissed by the BBC in July 2025 following an inquiry by the broadcaster into his alleged misconduct. He is seeking up to £10,000 in damages from the BBC in relation to his requests.
This approach reflects a trend that we have seen increasingly in recent months, where clients are dealing with requesters who claim that the organisation's response to their DSAR has caused or is causing them some form of emotional harm — whether because of the personal data provided, the personal data not provided or any number of other factors relating to the process.
The factors that arise when an organisation receives a DSAR, although necessarily case-specific in part, can generally be grouped into similar buckets. Wallace's requests touch on three of the factors that we see most commonly.
1. Dealing With A Large Volume Of Documents
Wallace's DSARs sought personal data related to his "work, contractual relations and conduct" during his employment by the BBC, spanning 21 years. Many readers will be familiar with spending significant time and expense responding to broad DSARs, whether due to volume of data (e.g., for long-term employees), type of data (e.g., instant messaging, WhatsApp) or a wide-ranging scope (e.g., detailed lists of custodians and/or keywords). That process can feel particularly frustrating where the request is, or at least appears to be, designed to leverage a dispute with the controller (e.g., settlement discussions).
Lesson: The UK Information Commissioner's guidance makes clear that the controller can clarify — i.e., seek to narrow — a broad request, particularly where the organisation holds a significant amount of personal data about an individual. However, the controller cannot force the individual to limit the scope of their request. If they ask to be provided with some variant of "all of the personal data you hold about me", you must conduct reasonable and proportionate searches for the data. And the fact that you may hold a large volume of personal data about an individual is not a reason, by itself, either to seek to narrow a request or to extend the time for response — particularly if the relevant data can be obtained and provided to the requester quickly and easily.
2. Extending The Time For Response
Wallace submitted his DSARs to the BBC and BBC Studios Distribution Limited — an arm of the BBC's commercial subsidiary — on 6 March 2025. Article 12(3) of the UK GDPR requires a controller to which a DSAR is made to provide the requested personal data "without undue delay and in any event within one month of receipt" — unless the request is complex, in which case the controller can extend the time to respond by a further two months.
The BBC determined Wallace's DSARs to be complex, but admitted that it had not provided a "substantive response" within three months "primarily due to the lack of proportionality and scope" of the request. Ultimately, the BBC reportedly provided Wallace with a copy of his personal data on 7 October 2025, i.e., seven months after the initial request.
Lesson: Acknowledge receipt, and clarify any ambiguity around what is being sought (to the extent that the ambiguity does not work in your favour), as soon as possible upon receipt of the request. Thereafter, communicate throughout the process — both to notify the requester that you are extending the period for response (tip: do not do this on the day before the one-month deadline) and if you will not be able to meet the extended deadline.
In the latter case, consider providing documents in tranches. In all cases, you should use transparency to help reduce the likelihood that the individual will complain to the ICO or sue (or both). And if the requester does take things further, being able to demonstrate that you were cooperative and communicative throughout the process will often help to mitigate any adverse findings relating to the wider process. (This is particularly the case when dealing with the ICO.)
3. Applying Redactions And Exemptions
The Article 15 UK GDPR right is to obtain a copy of the requester's personal data (or, where the request is being made by a third party, a copy of the data subject's data). Challenges often arise where a document, email or message contains the personal data of the requester and one or more third parties. In these cases, the controller must assess whether to provide some or all of the third-party data or, as is commonly the case, to redact the data other than those to which the requester is legally entitled.
Similarly, the controller may determine that it is permitted to rely on one or more exemptions to disclosure under the UK GDPR and the Data Protection Act 2018; examples include information that is covered by legal professional privilege, the provision or receipt of confidential references, and management forecasting or planning.
Needless to say, requesters often take issue with what lies behind the redactions and exemptions — whether because they think that the controller is hiding a 'smoking gun' or that it speaks to a more generally perceived lack of transparency. This is most often seen with DSARs that relate to, or are made by, individuals in contentious employment situations (terminations, redundancies, being passed over for promotion, and the like). For his part, Wallace claims that, when providing copies of his personal data, the BBC had "wrongly redacted" certain information and had "unlawfully failed to supply all of [his] personal data".
Lesson: Properly applying redactions can be difficult — and getting it wrong can give the impression that you are inadvertently withholding personal data that should be provided. If you have engaged a vendor to assist with the document review process, you should also consider having your external lawyers make — or, at the very least, review — the redactions before the document packet is sent to the requester. By contrast, determining whether and how to apply exemptions shouldn't be outsourced to your contract reviewers, but should be handled by your internal — or external — legal or compliance team.