<aside>
🧑⚖️
The legal mechanics of DSARs (what they are, time limits, exemptions, fees) can shift, so always check the ICO website for the current legal position. What follows is a mini-playbook for navigating the moment as a People Leader, not a legal reference.
</aside>
1️⃣ The First 24 Hours
- Log it immediately. Note the date received, this is what starts your statutory clock. Don't rely on memory or a buried email.
- Tell legal/your exec sponsor straight away. Even if it looks simple. You want them aware before it becomes urgent, not after.
- Don't start digging through Slack or email yet. Scope first (see Section 3), search second. Ad hoc searching wastes time and risks missing things.
- Don't tell the requester's manager yet unless you already know why the request landed. See below.
2️⃣ Reading the Room
DSARs rarely arrive out of nowhere. They usually show up alongside something else, and that context should shape how carefully and calmly you handle the process, not whether you comply.
Common triggers:
- A grievance has just been raised or is about to be
- The person is on, or about to go on, a PIP
- A redundancy or restructure is in motion
- An exit has gone sour, or they've just been dismissed
None of this changes your legal obligation. But it tells you how much scrutiny this request will get, and whether you need legal support closer to the process from day one.
3️⃣ Scoping Before You Search
Work out where this person's data actually lives before you go looking: