Three Lessons From the Newest Movie star DSAR | Insights

Does your organisation see an uptick in information topic entry requests each time the story of a high-profile particular person exercising their information safety rights makes the headlines?

DSARs are an actual leveller. Whether the requester is a celeb, a high-ranking worker or probably the most junior individual on the totem pole, all of them have the identical proper of entry beneath Article 15 of the UK GDPR.

Last month, British tv presenter Gregg Wallace launched a extensively reported authorized motion towards the BBC, claiming that its failure to conform together with his information topic entry requests had induced him “distress and harassment”. Wallace, who for almost twenty years co-presented the favored cooking present MasterChef, was dismissed by the BBC in July 2025 following an inquiry by the broadcaster into his alleged misconduct. He is in search of as much as £10,000 in damages from the BBC in relation to his requests.

This method displays a development that we have now seen more and more in latest months, the place purchasers are coping with requesters who declare that the organisation’s response to their DSAR has induced or is inflicting them some type of emotional hurt — whether or not due to the private information offered, the private information not offered or any variety of different elements regarding the method.

The elements that come up when an organisation receives a DSAR, though essentially case-specific partly, can typically be grouped into comparable buckets. Wallace’s requests contact on three of the elements that we see mostly.

1. Dealing With A Large Volume Of Documents

Wallace’s DSARs sought private information associated to his “work, contractual relations and conduct” throughout his employment by the BBC, spanning 21 years. Many readers will probably be conversant in spending vital time and expense responding to broad DSARs, whether or not resulting from quantity of information (e.g., for long-term workers), sort of information (e.g., immediate messaging, WhatsApp) or a wide-ranging scope (e.g., detailed lists of custodians and/or key phrases). That course of can really feel notably irritating the place the request is, or at the very least seems to be, designed to leverage a dispute with the controller (e.g., settlement discussions).

Lesson: UK Information Commissioner’s steerage makes clear that the controller can make clear — i.e., search to slender — a broad request, notably the place the organisation holds a big quantity of non-public information about a person. However, the controller can’t drive the person to restrict the scope of their request. If they ask to be supplied with some variant of “all of the personal data you hold about me”, you will need to conduct cheap and proportionate searches for the info. And the truth that it’s possible you’ll maintain a big quantity of non-public information about a person isn’t a purpose, by itself, both to hunt to slender a request or to increase the time for response — notably if the related information could be obtained and offered to the requester shortly and simply.

2. Extending The Time For Response

Wallace submitted his DSARs to the BBC and BBC Studios Distribution Limited — an arm of the BBC’s business subsidiary — on 6 March 2025. Article 12(3) of the UK GDPR requires a controller to which a DSAR is made to offer the requested private information “without undue delay and in any event within one month of receipt” — except the request is complicated, by which case the controller can lengthen the time to reply by an extra two months. 

The BBC decided Wallace’s DSARs to be complicated, however admitted that it had not offered a “substantive response” inside three months “primarily due to the lack of proportionality and scope” of the request. Ultimately, the BBC reportedly offered Wallace with a duplicate of his private information on 7 October 2025, i.e., seven months after the preliminary request.   

Lesson: Acknowledge receipt, and make clear any ambiguity round what’s being sought (to the extent that the paradox doesn’t work in your favour), as quickly as potential upon receipt of the request. Thereafter, talk all through the method — each to inform the requester that you’re extending the interval for response (tip: don’t do that on the day earlier than the one-month deadline) and for those who won’t be able to satisfy the prolonged deadline.

In the latter case, contemplate offering paperwork in tranches. In all instances, it is best to use transparency to assist cut back the chance that the person will complain to the ICO or sue (or each). And if the requester does take issues additional, with the ability to reveal that you just have been cooperative and communicative all through the method will usually assist to mitigate any antagonistic findings regarding the broader course of. (This is especially the case when coping with the ICO.)   

3. Applying Redactions And Exemptions

The Article 15 UK GDPR proper is to acquire a duplicate of the requester’s private information (or, the place the request is being made by a 3rd social gathering, a duplicate of the info topic’s information). Challenges usually come up the place a doc, e mail or message accommodates the private information of the requester and a number of third events. In these instances, the controller should assess whether or not to offer some or all the third-party information or, as is often the case, to redact the info apart from these to which the requester is legally entitled. 

Similarly, the controller could decide that it’s permitted to depend on a number of exemptions to disclosure beneath the UK GDPR and the Data Protection Act 2018; examples embrace info that’s lined by authorized skilled privilege, the supply or receipt of confidential references, and administration forecasting or planning.

Needless to say, requesters usually take challenge with what lies behind the redactions and exemption — whether or not as a result of they assume that the controller is hiding a ‘smoking gun’ or that it speaks to a extra typically perceived lack of transparency. This most frequently seen with DSARs that relate to, or are made by people, in contentious employment conditions (terminations, redundancies, being handed over for promotion, and the like). For his half, Wallace claims that, when offering copies of his private information, the BBC had “wrongly redacted” sure info and had “unlawfully failed to supply all of [his] personal data”.

Lesson: Properly making use of redactions could be troublesome — and getting it mistaken may give the impression that you’re inadvertently withholding private information that needs to be offered. If you could have engaged a vendor to help with the doc evaluation course of, you also needs to contemplate having your exterior legal professionals make — or, on the very least, evaluation — the redactions earlier than the doc packet is shipped to the requester. By distinction, figuring out whether or not and the best way to apply exemptions shouldn’t be outsourced to your contract reviewers, however needs to be dealt with by your inner — or exterior — authorized or compliance crew.

Subscribe to Ropes & Gray Viewpoints by subject here.