Data Protection

Rights without responsibilities?

A Data Subject Access Request (DSAR) is a fundamental individual right under the UK’s General Data Protection Regulation (GDPR). Everyone has the right to know how their personal data is being processed by an organisation which controls that data.



Website cookie notices have raised awareness that an individual’s personal data is often used for purposes not clearly explained to them and/or not with their active consent. DSARs are therefore a useful and valuable tool for customers, employees, service users and others to hold a larger organisation to account.

Where multiple individuals have similar issues, an argument can be made for coordinating DSAR requests, but where groups of customers, tenants, service users and others combine and submit a barrage of DSARs as a tactic in a dispute to delay and disrupt, has a line been crossed?

The unstated and difficult to prove objective of “weaponised DSARs” is to tie up time and resource as a means of applying pressure to the business and improving a negotiating position. That is not what the DSAR right was designed for.

For each DSAR an organisation must satisfy itself that the requester is indeed the data subject or has their authority. It must then search multiple locations to identify electronic and hard copy materials containing the individual’s personal data, review those materials to establish what is and is not relevant personal data (not as easy as it sounds) whilst ensuring that it does not reveal personal data of other individuals, unless those individuals have consented. Irrelevant or legitimately excludable material must then be removed before preparing and providing the data in a suitable form in its response.

Even for businesses with effective DSAR response policies and procedures, responding to large numbers filed at the same time can impose a considerable burden in a short timescale, since it is not a tick box exercise.

Some may see nothing wrong with the weaponisation of DSARs. Clients and customers are invariably in a much weaker position than the business with which they are in dispute so this may be seen as a counterbalance.

However, the use of this valuable right as part of a coordinated campaign for reasons unconnected with a genuine desire to know what data is held and what it is used for, and without any responsibility or accountability for the requester, other than (perhaps) the organiser, risks abusing and devaluing that right.

A data controller can object to or refuse to answer a DSAR if it can be shown to be “manifestly unfounded” or “manifestly excessive” but proving this is difficult except in the most obvious cases. Each individual data subject can argue that their DSAR is neither excessive nor unfounded: they genuinely wish to know what data is being processed.

At some point a brave business on the wrong end of a DSAR avalanche will have to take the risk of being sanctioned for non-compliance in order to establish whether such tactics can justify a refusal to respond.


First published by The Times on 10th March 22


You are contacting

Patrick Wheeler

Partner - Head of IP & Data Protection


    Please add your details and your areas of interest below

    Specialist sectors:

    Legal services:

    Other information:

    Jurisdictions of interest to you (other than UK):

    Article contributor


    Subscribe now
    ExpandNeed some help?Toggle

    Get in touch

    Get in touch using our form below.