How to Respond to an Employee DSAR Under UK GDPR
Employee Data Subject Access Requests (DSARs) have a bit of a reputation.
They usually show up at the worst possible time — during a redundancy, after a grievance, or when someone’s already frustrated. They come with a legal deadline, can be wide in scope, and they tend to make everyone slightly nervous.
But here’s the thing: an employee DSAR doesn’t have to feel dramatic.
If you understand what’s required (and what isn’t), responding to an employee DSAR becomes much more manageable.
What Is an Employee Data Subject Access Request?
Under UK GDPR, employees have the right to access their personal data. An employee DSAR is simply the formal way they exercise that right.
When someone submits a DSAR, they are asking for:
- Confirmation that their personal data is being processed
- A copy of that personal data
- Information about how and why it is being used
That’s it.
The regulation is clear. The complexity usually comes from the context — not the law itself.
In practice, employee DSARs often arise during:
- Redundancies
- Grievances
- Disciplinary procedures
- Settlement discussions
While emotions may run high, the compliance task remains the same: identify the employee’s personal data and provide it, alongside the required supplementary information.
Why Employee DSARs Feel Harder Than They Should
There are a few reasons these requests tend to feel heavier than other types of data subject access requests.
- Employee data doesn’t live in one tidy folder. It’s spread across HR systems, email inboxes, Slack or Teams channels, shared drives, meeting notes, and increasingly AI-generated transcripts or summaries. The modern workplace produces a lot of information, and much of it is discoverable.
- Employee DSARs are often detailed. It’s not unusual to receive a request covering multiple years, specific managers, redundancy documentation, internal communications and messaging platforms. Even when the scope is clearly drafted, gathering the relevant data requires coordination.
- The one-month DSAR deadline under UK GDPR moves quickly once you’re into the review stage. Searching is one part of the process. Reviewing, redacting and preparing the response is usually where the real time goes.
What Counts as Personal Data in an Employee DSAR?
A common question is what actually needs to be disclosed in an employee DSAR.
Under UK GDPR, personal data is any information relating to an identifiable individual. In an employment context, that can include:
- Personnel files and contracts
- Performance reviews and appraisal notes
- Redundancy selection documents
- Internal emails discussing the employee
- Messages on collaboration platforms where the employee is discussed
- Meeting notes or summaries
- AI-generated outputs that contain their information
It’s not limited to formal HR records. If the information relates to the employee and they can be identified from it, it may fall within scope.
That said, disclosure isn’t unlimited. Third-party personal data must be protected, and legally privileged advice can be withheld. The aim is to provide the employee’s personal data in a way that is accurate and proportionate.
How to Respond to an Employee DSAR: A Step-by-Step Approach
The easiest way to approach an employee DSAR is to break it into stages.
Step One: Verify and clarify
Confirm the identity of the requester and, if applicable, the authority of any solicitor acting on their behalf. If the request is unclear or unusually broad, it’s entirely reasonable to seek clarification before proceeding.
Step Two: Identify where the data lives
You are required to carry out a reasonable and proportionate search. That means reviewing systems where personal data about the employee is likely to exist. HR platforms, email accounts, collaboration tools and shared drives are the obvious starting points.
If work-related decisions or discussions about the employee have taken place via messaging apps or AI tools, those sources should be considered as well. The deciding factor isn’t the platform — it’s whether personal data was processed there in the course of business activity.
Step Three: Collate, review and redact
This is often the most time-intensive stage. Personal data within scope must be gathered and reviewed carefully. Third-party information may need to be redacted, and any exemptions should be applied consistently and documented.
Over-redaction can cause issues, but so can disclosing too much. The key is balance.
Step Four: Provide the supplementary information
Your response must also explain the purposes of processing, categories of data, retention periods and, where relevant, any automated decision-making.
Approached step by step, the process is methodical rather than overwhelming.
What Is and Isn’t In Scope of an Employee DSAR?
One of the biggest areas of confusion with employee DSARs is scope.
Employees are entitled to their personal data. That doesn’t automatically mean every document that they’re mentioned in needs to be disclosed in full.
In scope will generally include information that relates to the employee and from which they can be identified, such as performance reviews, redundancy scoring, internal communications discussing their role or conduct, and meeting notes about them.
Out of scope, or potentially exempt, may include:
- Information that does not relate to them personally
- Third-party personal data (unless it can be reasonably redacted)
- Legally privileged advice
- Management planning documents that do not directly relate to the individual
- Information that falls within specific UK GDPR exemptions
Draft documents can fall within scope if they contain the employee’s personal data. The fact that something is “internal” doesn’t automatically exclude it.
The test is always the same: does this information constitute personal data about the individual, and are there lawful grounds to withhold it?
Being clear about scope at the outset can significantly reduce over-disclosure and unnecessary anxiety.
Can You Extend the One-Month DSAR Deadline?
In some cases, yes.
Under UK GDPR, you can extend the response deadline by up to two additional months if the request is genuinely complex. But it’s worth being clear about what “complex” actually means.
A long or wide-ranging DSAR isn’t automatically complex. Volume on its own isn’t enough. What matters is the nature of the work involved in responding properly.
Complexity is more likely where particularly sensitive personal data needs careful review, where specialist legal advice is required to assess what can be disclosed, where information about a child is being requested by a parent or guardian, or where extensive redaction or accessibility adjustments are needed before the data can be shared.
If you do rely on an extension, you must inform the individual within the original one-month period and explain clearly why additional time is needed.
Extensions are there to ensure a careful and compliant response. They’re not a fallback for internal delays or disorganisation.
Do WhatsApp Messages and AI Tools Fall Within the DSAR Scope?
This comes up frequently.
If work-related personal data about the employee has been processed via WhatsApp, Slack, Teams, email or AI meeting software, it may fall within scope of an employee DSAR. The question isn’t which platform was used; it’s whether the organisation processed personal data about the individual there.
This is why governance around collaboration tools and AI usage is increasingly important. The clearer your internal rules are, the easier it is to respond confidently.
Making Employee DSARs Less Disruptive
Often, the stress around employee DSARs reveals something broader — unclear ownership, outdated data registers, inconsistent retention practices, or processes that aren’t quite as structured as they could be.
And sometimes the hardest part isn’t gathering the data; it’s knowing how to respond.
That’s exactly why Trust Keith has put together a set of DSAR response email templates, designed to help you respond confidently whether a request is completed in full, completed in part, or refused with proper explanation.
If you’d like a clearer starting point for your next employee DSAR, you can download the templates below.

