The Cost of Data Subject Access Requests (DSAR)

Post Date: 07/18/2018
feature image

Do you have security concerns when it comes to using various Microsoft cloud services? Learn how to mitigate risks with our webinar-on-demand, “Understanding Microsoft Cloud Services and Security.”

Data Subject Access Requests (DSAR) have been a right to individuals since the UK Data Protection Act of 1998. More recently, they’re being enforced similarly to the EU General Data Protection Regulation (GDPR). Rights like these are allowing individuals to control the information related to themselves or receive information in the context of non-data protection disputes with data controllers. The whole process of an individual sending a Data Subject Access Request to a data controller involves steps such as (but not limited to):

  1. An individual sends a DSAR to a data controller
  2. The request has a reasonable explanation/amount of information relating to the situation
  3. A data controller may need more information from the individual in order to process the request
  4. Once the data controller has all the needed details from the individual, the controller has a time limit to respond within

The above steps may sounds very easy and simple (for more details on how to access your data, check the following link), but in reality data controllers may experience far greater challenges and costs associated to fulfill such requests, and the symbolic fee that an individual may (not mandatory under GDPR) be charged is about the price of a decent breakfast under the UK Data Protection Act of 1998.

For example, even before GDPR is in effect, DSARs were a common thing for data controllers and some of them have resulted into a very costly response estimation. In the case of James Titcombe Freedom of Information request to the Nursing and Midwifery Council, the cost for this single request to information was estimated at about  £239,871.85 (close to $315,000 USD).

In another instance of a data subject access request (Deer vs University of Oxford), going through half a million emails in order to respond to the individual’s rights, has been estimated to cost £116,116.

Other challenges include trying to manually process each request, a process that is incredibly inefficient when the data controllers need to allow data identification across multiple systems. These systems may hold important information related to the data subject access request or the individual.

Adding the additional manpower to respond to and review data subject access requests may also add significant cost to the data controller. The issue of deciding if anything needs to be redacted before sending the requestee their information might come up as well.

At this point, you probably are thinking, “If John Doe makes a DSAR request today, how do I know which systems contain his data? Can I even meet the deadline to respond? Even if I find all that data, how can I make sure it’s accurate or properly redacted? I probably need at least 10 people dedicated to this activity.”

Meet AvePoint Compliance Guardian

Compliance Guardian can help organizations respond to DSAR requests by automating the whole process from discovery to redaction/pseudo-anonymization and extraction of the information (providing copy of the files to the data controller/data subject).

If you are interested in learning how Compliance Guardian can help your organization with DSARs, check out this blog post. DSAR is just one of the challenges data controllers/organizations will have to be prepared for. If you want to learn how AvePoint Compliance Solutions can help, check out our solution offering brochure for more details on GDPR articles and AvePoint capabilities.

Like what you read? Be sure to subscribe to our blog for more on data privacy.


During his tenure as a Senior Compliance Technical Specialist at AvePoint, Esad was responsible for research, technical and analytical support on current as well as upcoming industry trends, technology, standards, best practices, concepts and solutions for information security, risk analysis and compliance.

View all post by Esad I.

Subscribe to our blog