Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
A DPA request can land in your inbox at the worst possible time, after a customer complaint, during an employee dispute, or right in the middle of a busy launch. The problem for many UK businesses is not just the request itself. It is the rushed response. Common mistakes include treating every message as informal and ignoring deadlines, disclosing too much information without checking exemptions, or asking for unnecessary ID and slowing everything down.
If you collect customer details, staff records, marketing data or website analytics, you need a practical way to deal with these requests. A proper process helps you respond on time, protect third party information, and keep a record of what you decided and why. This guide explains what a DPA request usually means in practice, when it comes up, the steps to take from day one, and the mistakes that most often create legal and commercial risk for founders and SMEs.
Overview
A DPA request usually means an individual is asking your business to deal with their personal data rights under UK data protection law. In most cases, that means a subject access request, but it can also involve asking you to delete, correct, restrict, transfer, or stop using personal data in certain ways.
- Work out what type of request you have received and when the response deadline starts.
- Confirm the requester’s identity only where it is reasonable and necessary.
- Search the systems, inboxes and files that are likely to hold the relevant personal data.
- Review the material carefully for third party information, legal privilege, confidential business information and other possible exemptions.
- Respond clearly, within time, and keep an internal record of what you disclosed or refused.
- Use the request as a prompt to fix weak privacy notices, retention practices and internal processes.
What a DPA Request Means For UK Businesses
For most businesses, a DPA request is not one single legal form. It is usually a catch-all term for a person exercising one of their rights over personal data you hold about them.
In the UK, these rights sit mainly under the UK GDPR and the Data Protection Act 2018. You do not need the person to quote the law or use the words “subject access request” for the request to count. If the substance of the message is clear, your business should treat it seriously.
The most common types of request
The request your business sees most often is a subject access request. That is where a person asks for a copy of their personal data and related information about how you use it.
But a DPA request may also ask you to do something else, such as:
- correct inaccurate personal data
- delete data in some circumstances
- restrict how you use the data while an issue is checked
- provide data in a portable format where that right applies
- stop direct marketing
- object to certain processing based on legitimate interests
This matters because the legal test, timing and outcome can differ depending on the right being exercised. A founder who assumes every request is just a data dump exercise can miss the real issue.
What counts as personal data
Personal data is any information relating to an identified or identifiable individual. For a startup or SME, that can include obvious items like names, email addresses and phone numbers, but also less obvious material such as support tickets, call recordings, CCTV images, staff performance notes, internal messages about a customer, CRM notes, and order history.
If you run an online business, personal data can also appear across multiple tools. Think about:
- your website forms and ecommerce platform
- email marketing software
- customer support systems
- accounting or billing platforms
- HR files and payroll records
- team inboxes and direct messages
- cloud storage and archived folders
This is where founders often get caught. They look only at the main CRM and forget the sales inbox, the complaint spreadsheet, or the WhatsApp messages used by the team.
Why these requests matter commercially
A DPA request is a legal obligation, but it is also a trust and process issue. A poor response can escalate a manageable complaint into a regulator concern, damage a customer relationship, or create problems in an employment matter.
For small businesses, the main risk is not always bad intent. It is weak systems. No one knows who owns the response, there is no data map, managers save records in inconsistent places, and the privacy notice does not match what the business actually does.
That is why the right response is not just “send everything”. You need a repeatable process that is proportionate, documented and consistent with your privacy documentation, contracts and internal data handling.
When This Issue Comes Up
DPA requests usually appear when a person wants answers, leverage, or reassurance about how your business has handled their information.
That can happen at any stage of the business lifecycle. It is not only a problem for large companies with legal teams. In fact, early stage businesses often face more operational strain because they have fewer formal systems in place.
Customer complaints and refunds
A customer who feels ignored may ask for all data you hold about them. This often happens before or after a complaint about deliveries, subscriptions, cancellations or product quality.
If your customer service team keeps informal notes, recorded calls or internal comments, those may need review. Before you send anything out, check whether the material includes third party data or information that falls within a lawful exemption.
Employee and contractor disputes
Staff and ex-staff regularly make subject access requests during disciplinaries, grievances, redundancy processes or disputes over dismissal. Contractors may do the same if a working relationship ends badly.
These requests are often broad and time-sensitive. Your business should avoid knee-jerk responses, especially where managers have discussed the individual over email or messaging platforms.
Marketing objections and unsubscribe issues
Some DPA requests are really about marketing. A person might ask why they are receiving emails, where their details came from, or to stop profiling or targeting.
If your consent wording is unclear or your suppression lists are poorly managed, this can expose wider compliance problems. It is a good moment to review your privacy notice, cookie policy, sign-up flows and direct marketing records.
After a security incident or suspected misuse
If there has been a data breach, misdirected email, unauthorised access or internal misuse concern, affected individuals may ask for details about the personal data involved. The request may sit alongside wider reporting and incident management obligations.
In that situation, your response needs to be accurate and coordinated. One team should not send information that conflicts with what another team has told the individual about the incident.
Supplier and platform arrangements
Many SMEs rely on third party software providers, fulfilment partners, payroll services and outsourced support. A DPA request can become difficult when the personal data sits across suppliers and no one is clear who does what.
Before you sign a contract with a processor or platform, it helps to check who will support your response process, what data exports are available, how quickly they can help, and whether your data processing agreement reflects reality.
Practical Steps And Common Mistakes
The safest approach is to treat every DPA request as a short project with a clear owner, a deadline, and a documented decision trail.
You do not need a huge legal team to handle this well. You do need a process that your customer service, HR, operations and founders can actually follow under pressure.
1. Identify the type of request straight away
Read the request for substance, not labels. A person might say “send me everything you hold”, “delete my account”, “correct my records” or “why are you using my data for marketing”. Those are different requests, and sometimes one message contains several rights requests at once.
Record:
- the date received
- the requester’s name and contact details
- which right or rights appear to be raised
- the relevant business area, such as HR, marketing or customer service
- the response deadline
Under UK rules, the standard deadline is usually one month, although it can be extended in some cases. If you think an extension may apply, document why and communicate that properly.
2. Confirm identity without creating friction
You can ask for ID if you have reasonable doubts about the requester’s identity. You should not ask for excessive documents as a default.
A common mistake is asking every requester for passport-level evidence even where the person is already logged into an account, emailing from a known address, or can be verified through existing records. That can look obstructive and may waste precious time.
Use a proportionate approach. Ask only for what is needed to avoid disclosing personal data to the wrong person.
3. Clarify scope where needed, but do not delay the clock unfairly
If a request is very broad, you can ask the person to clarify what they want or the time period they are most concerned about. This can help your search and improve the quality of your response.
But be careful. Clarification is not a tactic to sidestep your obligations. If the person does not narrow the request, your business may still need to make reasonable and proportionate searches and respond within the legal framework.
4. Search all likely data sources
Your search should reflect how your business actually works, not just the systems named in your privacy notice. Start with the obvious locations, then think about where relevant records may realistically sit.
For example, your search may need to cover:
- CRM and account records
- support tickets and complaints logs
- sales emails and inbox folders
- order histories and payment records
- call recordings and chat logs
- HR systems and manager notes
- shared drives, archived files and backups where appropriate
- CCTV footage, if relevant and available
Assign responsibilities internally. HR should search HR sources, operations should search operational records, and marketing should review campaign and consent records. One person should still oversee the final response so the business speaks consistently.
5. Review carefully before disclosure
This is the stage where legal risk usually sits. Not all information found in the search should automatically be disclosed in full.
You may need to withhold or redact parts of documents where they contain:
- personal data about another identifiable person
- legally privileged communications
- confidential references, in some cases
- certain management forecasting or negotiation material, where an exemption genuinely applies
- trade secrets or confidential commercial information, depending on the context
Exemptions are not blanket shields. They need careful application. If you are relying on one, record your reasoning. This matters if the requester complains later.
6. Give the required information, not just raw documents
For a subject access request, the response is usually more than a file bundle. You also need to provide supporting information about how the business uses the person’s data.
That may include details such as:
- the purposes of processing
- the categories of personal data involved
- who the data has been shared with
- how long you keep it, or how you set retention periods
- the individual’s rights, including complaint rights
- where the data came from, if it was not collected directly from them
A clean cover letter or email helps. Explain what you are providing, what you have withheld and why, and any next steps. Clear communication can lower the chance of immediate escalation.
7. Keep records of your decision-making
Every request should leave an internal paper trail. Keep a file showing the request, identity checks, search steps, teams consulted, material reviewed, redactions made, exemptions considered and date of response.
This record helps if the requester follows up, the regulator asks questions, or the business later spots a gap in its own systems.
Common mistakes SMEs make
The same practical errors show up again and again. They are usually fixable, but only if the business sees them early.
- No clear owner for the request, so teams duplicate work or miss the deadline.
- Searching only one system and forgetting email inboxes, shared folders or local files.
- Disclosing internal commentary without checking for third party data or privilege.
- Using excessive ID checks that delay the response without real justification.
- Ignoring deletion or objection requests because staff assume only access requests matter.
- Failing to align the response with the privacy notice and internal data retention policy.
- Letting managers discuss the request casually over email, creating more disclosable material.
Turn one request into a wider compliance check
A DPA request often reveals where your privacy setup is weak. That is useful, especially before you spend money on a bigger marketing push, a new platform rollout, or a hiring round.
Use the request to review whether your business has:
- a privacy notice that matches actual data use
- appropriate staff guidance on data handling
- processor agreements with key suppliers
- clear retention periods and deletion practices
- customer and employee documents that handle privacy issues properly
- an escalation process for complaints, breaches and rights requests
If these basics are missing, each new request becomes slower, riskier and more expensive to handle.
FAQs
How long does a business have to respond to a DPA request in the UK?
In many cases, the deadline is one month from receipt, although this can sometimes be extended for complex requests. The business should assess the request promptly and record the relevant deadline from the start.
Does someone need to use the words “subject access request” for it to count?
No. If a person is clearly asking for their personal data or to exercise a data right, the request can still be valid even if they do not use legal wording.
Can a business charge a fee for responding?
Usually no. A fee may be possible in limited cases, such as where a request is manifestly unfounded or excessive, but businesses should take care before relying on that position.
Can we refuse to provide everything asked for?
Sometimes. A business may be able to withhold or redact certain information where an exemption applies, where disclosure would affect another person’s rights, or where the request goes beyond what the law requires. The reasoning should be documented.
What if the data is held by a software provider or outsourced team?
Your business may still be responsible for responding properly if you control the purpose and use of the data. Contracts and internal processes should make clear how the supplier will support data rights requests.
Key Takeaways
- A DPA request can cover several different personal data rights, not just access to records.
- Your business should identify the request type early, diarise the deadline, and assign a clear internal owner.
- Reasonable searches must reflect where data actually sits across your systems, inboxes, HR files and service tools.
- Do not disclose material without checking for third party data, privilege, confidentiality issues and relevant exemptions.
- A clear written response and a documented internal record can reduce regulator and complaint risk.
- Each request is also a chance to improve your privacy notice, retention rules, supplier terms and staff processes.
If your business is dealing with a DPA request and wants help with privacy notices, subject access request handling, data processing terms, and staff data procedures, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.