--- title: "UK GDPR DSAR Workflow Guide" canonical_url: "https://www.sorena.io/artifacts/uk/general-data-protection-regulation/dsar-workflow" source_url: "https://www.sorena.io/artifacts/uk/general-data-protection-regulation/dsar-workflow" author: "Sorena AI" description: "UK GDPR guidance for DSAR Workflow, with practical decisions, evidence, edge cases, and external source citations." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "UK GDPR" - "DSAR Workflow" - "UK GDPR DSAR Workflow" - "compliance checklist" - "practical guidance" - "Compliance" - "Regulatory guidance" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # UK GDPR DSAR Workflow Guide UK GDPR guidance for DSAR Workflow, with practical decisions, evidence, edge cases, and external source citations. *Artifact Guide* *UK* *DSAR Workflow* ## UK GDPR DSAR Workflow DSAR Workflow decisions under the UK GDPR should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed. This guide converts requirements into implementation-ready ownership, evidence, and review decisions. It is practical guidance, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation. This UK GDPR page maps the DSAR Workflow into a trigger, owner, deadline, required evidence, and review path so legal, privacy, security, compliance, support, and operations teams can execute consistently. It is for teams handling UK GDPR subject access requests and related requests for identity checks, exemptions, searches, and response tracking. ## How should a DSAR Workflow run under the UK GDPR? Run the workflow as UK GDPR subject-access triage: capture the request, confirm identity and authority, locate personal data, check exemptions, prepare the response, and record the deadline and decision evidence. - Capture the request date, requester identity, authority to act, products or systems involved, and response deadline. - Check whether clarification, an extension, a reasonable fee, or a refusal ground is available before implementation. - Record searches performed, exemptions considered, redactions made, owner, reviewer, evidence location, and next review trigger. - Keep a plain-language output that support, product, legal, security, and compliance teams can all understand. Sources for this answer: - [ICO guide to subject access requests](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/subject-access-requests/a-guide-to-subject-access/?ref=sorena.io) - ICO guidance confirms the right of access and the practical response duties that a UK GDPR DSAR workflow must route. - [ICO guidance on responding to a right of access request](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/what-should-we-consider-when-responding-to-a-request/?ref=sorena.io) - ICO guidance supports the workflow steps for clarification, refusal handling, explanations, and review evidence. - [UK GDPR Article 15 - Right of access by the data subject](https://www.legislation.gov.uk/eur/2016/679/article/15?ref=sorena.io) - Article 15 is the binding UK GDPR source for the access right that the DSAR workflow operationalizes. - [UK GDPR Article 12 - Transparent information and time limits](https://www.legislation.gov.uk/eur/2016/679/article/12?ref=sorena.io) - Article 12 supports the workflow deadline, communication, extension, and refusal-recording steps for DSAR handling. - [ICO guidance on refusing a subject access request](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/exemptions-when-can-we-refuse-a-sar/?ref=sorena.io) - ICO refusal guidance supports documenting exemptions, manifestly unfounded or excessive requests, and reviewer approval in the DSAR record. ## What fields should the DSAR Workflow template capture? A useful DSAR template captures the requester, verification status, request scope, system searches, data categories, third-party data, exemptions, redactions, response date, owner, reviewer, and ICO escalation note. - Source URL and source quote for the access right, deadline, and any refusal or extension decision. - Requester, authority to act, product, service, system, data category, and search owner. - Decision result, response action, owner, reviewer, due date, and escalation reason. - Evidence attachment, approval note, exception note, and review cadence. Sources for this answer: - [ICO guide to subject access requests](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/subject-access-requests/a-guide-to-subject-access/?ref=sorena.io) - ICO guidance confirms the right of access and the practical response duties that a UK GDPR DSAR workflow must route. - [ICO guidance on responding to a right of access request](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/what-should-we-consider-when-responding-to-a-request/?ref=sorena.io) - ICO guidance supports the workflow steps for clarification, refusal handling, explanations, and review evidence. - [UK GDPR Article 15 - Right of access by the data subject](https://www.legislation.gov.uk/eur/2016/679/article/15?ref=sorena.io) - Article 15 is the binding UK GDPR source for the access right that the DSAR workflow operationalizes. - [UK GDPR Article 12 - Transparent information and time limits](https://www.legislation.gov.uk/eur/2016/679/article/12?ref=sorena.io) - Article 12 supports the workflow deadline, communication, extension, and refusal-recording steps for DSAR handling. - [ICO guidance on refusing a subject access request](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/exemptions-when-can-we-refuse-a-sar/?ref=sorena.io) - ICO refusal guidance supports documenting exemptions, manifestly unfounded or excessive requests, and reviewer approval in the DSAR record. ## How should teams review and improve the DSAR Workflow? Review the workflow after ICO guidance changes, repeated clarification requests, missed deadlines, new systems, vendor changes, complaints, or DSAR trends that show the intake questions no longer match how data is held. - Track recurring exception categories and update intake questions. - Remove fields that never affect the decision. - Add fields when reviews show missing source evidence or unclear ownership. - Confirm public page content, internal templates, and cited source-linked guidance stay aligned. Sources for this answer: - [ICO guide to subject access requests](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/subject-access-requests/a-guide-to-subject-access/?ref=sorena.io) - ICO guidance confirms the right of access and the practical response duties that a UK GDPR DSAR workflow must route. - [ICO guidance on responding to a right of access request](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/what-should-we-consider-when-responding-to-a-request/?ref=sorena.io) - ICO guidance supports the workflow steps for clarification, refusal handling, explanations, and review evidence. - [UK GDPR Article 15 - Right of access by the data subject](https://www.legislation.gov.uk/eur/2016/679/article/15?ref=sorena.io) - Article 15 is the binding UK GDPR source for the access right that the DSAR workflow operationalizes. - [UK GDPR Article 12 - Transparent information and time limits](https://www.legislation.gov.uk/eur/2016/679/article/12?ref=sorena.io) - Article 12 supports the workflow deadline, communication, extension, and refusal-recording steps for DSAR handling. *Recommended next step* *Placement: after the practical guidance* ## Turn UK GDPR DSAR Workflow into assigned work This UK GDPR guide turns DSAR Workflow into owners, evidence requests, review checkpoints, and reusable operating records for implementation execution. - [Open Assessment Autopilot for UK GDPR](/solutions/assessment.md): Turn DSAR Workflow into scoped questions, evidence fields, and review tasks. - [Review UK GDPR source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up questions with cited source material. - [Talk through implementation](/contact.md): Review scope, evidence, owners, and the next compliance actions with Sorena. ## Primary sources - [ICO guide to subject access requests](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/subject-access-requests/a-guide-to-subject-access/?ref=sorena.io) - ICO guidance confirms the right of access and the practical response duties that a UK GDPR DSAR workflow must route. - Quote: "Individuals have the right to access and receive a copy of their personal data, and other supplementary information." - [ICO guidance on responding to a right of access request](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/what-should-we-consider-when-responding-to-a-request/?ref=sorena.io) - ICO guidance supports the workflow steps for clarification, refusal handling, explanations, and review evidence. - Quote: "In all circumstances, you should explain to the person why you are seeking further details and be able to justify your position to the ICO, if asked to." - [UK GDPR Article 15 - Right of access by the data subject](https://www.legislation.gov.uk/eur/2016/679/article/15?ref=sorena.io) - Article 15 is the binding UK GDPR source for the access right that the DSAR workflow operationalizes. - Quote: "right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed" - [UK GDPR Article 12 - Transparent information and time limits](https://www.legislation.gov.uk/eur/2016/679/article/12?ref=sorena.io) - Article 12 supports the workflow deadline, communication, extension, and refusal-recording steps for DSAR handling. - Quote: "without undue delay and in any event within one month of receipt of the request" - [ICO guidance on refusing a subject access request](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/exemptions-when-can-we-refuse-a-sar/?ref=sorena.io) - ICO refusal guidance supports documenting exemptions, manifestly unfounded or excessive requests, and reviewer approval in the DSAR record. - Quote: "You can refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive." ## Related Topic Guides - [UK GDPR 72-hour Breach Reporting Guide](/artifacts/uk/general-data-protection-regulation/72-hour-breach-reporting.md): UK GDPR guidance for 72-hour Breach Reporting, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Adequacy Guide](/artifacts/uk/general-data-protection-regulation/adequacy.md): UK GDPR guidance for Adequacy, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR AI And Automated Decisions Guide](/artifacts/uk/general-data-protection-regulation/ai-and-automated-decisions.md): UK GDPR guidance for AI And Automated Decisions, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Applicability Test Guide](/artifacts/uk/general-data-protection-regulation/applicability-test.md): Practical guidance for the UK GDPR applicability test, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Article 30 Records Guide](/artifacts/uk/general-data-protection-regulation/article-30-records.md): UK GDPR guidance for Article 30 Records, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Breach Notification Guide](/artifacts/uk/general-data-protection-regulation/breach-notification.md): UK GDPR guidance for Breach Notification, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Breach Workflow Guide](/artifacts/uk/general-data-protection-regulation/breach-workflow.md): UK GDPR guidance for Breach Workflow, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Children And Age Appropriate Design Guide](/artifacts/uk/general-data-protection-regulation/children-and-age-appropriate-design.md): UK GDPR guidance for Children And Age Appropriate Design, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Children's Code Guide](/artifacts/uk/general-data-protection-regulation/children-s-code.md): UK GDPR guidance for Children's Code, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Compliance Checklist](/artifacts/uk/general-data-protection-regulation/checklist.md): Practical guidance for the UK GDPR checklist, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Compliance FAQ](/artifacts/uk/general-data-protection-regulation/faq.md): Practical guidance for the UK GDPR FAQ, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Compliance Guide](/artifacts/uk/general-data-protection-regulation/compliance.md): Practical guidance for the UK GDPR compliance, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Controller And Processor Status Guide](/artifacts/uk/general-data-protection-regulation/controller-and-processor-status.md): UK GDPR guidance for Controller And Processor Status, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Data Subject Rights Guide](/artifacts/uk/general-data-protection-regulation/data-subject-rights.md): UK GDPR guidance for Data Subject Rights, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Deadlines and Compliance Calendar Guide](/artifacts/uk/general-data-protection-regulation/deadlines-and-compliance-calendar.md): UK GDPR guidance for Deadlines and Compliance Calendar, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR DPIA Workflow Guide](/artifacts/uk/general-data-protection-regulation/dpia-workflow.md): UK GDPR guidance for DPIA Workflow, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR DPIAs And DPOs Guide](/artifacts/uk/general-data-protection-regulation/dpias-and-dpos.md): UK GDPR guidance for DPIAs And DPOs, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR IDTA Addendum and Transfer Risk Assessment Guide](/artifacts/uk/general-data-protection-regulation/idta-addendum-and-transfer-risk-assessment.md): UK GDPR guidance for IDTA addendum and transfer risk assessment, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR IDTA vs EU SCCs Guide](/artifacts/uk/general-data-protection-regulation/idta-vs-eu-sccs.md): UK GDPR guidance for IDTA vs EU SCCs, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Lawful Bases Guide](/artifacts/uk/general-data-protection-regulation/lawful-bases.md): UK GDPR guidance for Lawful Bases, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR PECR Cookies Guide](/artifacts/uk/general-data-protection-regulation/pecr-cookies.md): UK GDPR and PECR cookie guidance with practical consent, exemption, evidence, and source-linked implementation decisions. - [UK GDPR penalties and fines Guide](/artifacts/uk/general-data-protection-regulation/penalties-and-fines.md): UK GDPR guidance for penalties and fines, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Requirements Guide](/artifacts/uk/general-data-protection-regulation/requirements.md): Practical guidance for the UK GDPR requirements, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Transfer Workflow Guide](/artifacts/uk/general-data-protection-regulation/transfer-workflow.md): UK GDPR guidance for Transfer Workflow, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR Transfers, IDTA, and UK Addendum Guide](/artifacts/uk/general-data-protection-regulation/transfers-idta-and-uk-addendum.md): UK GDPR guidance for transfers, IDTA, and UK Addendum, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR UK vs EU Differences Guide](/artifacts/uk/general-data-protection-regulation/uk-vs-eu-differences.md): UK GDPR guidance for UK vs EU Differences, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR UK vs EU GDPR Differences Guide](/artifacts/uk/general-data-protection-regulation/uk-vs-eu-gdpr-differences.md): UK GDPR guidance for UK vs EU GDPR Differences, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR vs Data Protection Act 2018 Guide](/artifacts/uk/general-data-protection-regulation/uk-gdpr-vs-data-protection-act-2018.md): UK GDPR guidance for UK GDPR vs Data Protection Act 2018, with practical decisions, evidence, edge cases, and external source citations. - [UK GDPR vs EU GDPR Guide](/artifacts/uk/general-data-protection-regulation/uk-gdpr-vs-eu-gdpr.md): UK GDPR guidance for UK GDPR vs EU GDPR, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about 72-hour Breach Reporting under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/72-hour-breach-reporting.md): UK GDPR guidance for 72-hour Breach Reporting, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Adequacy under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/adequacy.md): UK GDPR guidance for Adequacy, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about AI And Automated Decisions under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/ai-and-automated-decisions.md): UK GDPR guidance for AI And Automated Decisions, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Article 30 Records under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/article-30-records.md): UK GDPR guidance for Article 30 Records, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Children's Code under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/children-s-code.md): UK GDPR guidance for Children's Code, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Controller And Processor Status under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/controller-and-processor-status.md): UK GDPR guidance for Controller And Processor Status, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about DPIAs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpias.md): UK GDPR guidance for DPIAs, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about DPOs under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/dpos.md): UK GDPR guidance for DPOs, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about IDTA addendum and transfer risk assessment under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/idta-addendum-and-transfer-risk-assessment.md): UK GDPR guidance for IDTA addendum and transfer risk assessment, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about Lawful Bases under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/lawful-bases.md): UK GDPR guidance for Lawful Bases, with practical decisions, evidence, edge cases, and external source citations. - [What should teams do about PECR Cookies under the UK GDPR?](/artifacts/uk/general-data-protection-regulation/faq/pecr-cookies.md): UK GDPR guidance for PECR Cookies, with practical decisions, evidence, edge cases, and external source citations. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/uk/general-data-protection-regulation/dsar-workflow