What challenges do charities face when handling DSARs?

Charities often collect and process large amounts of personal data – names, phone numbers, email addresses, financial information, you name it. This is a completely natural and integral part of their day-to-day operations. Sensitive information is collected from individuals across their network, including donors, beneficiaries, volunteers, and employees. That’s a lot of people. Which also means… that’s a lot of data subjects. In case you’re unfamiliar, the UK GDPR grants individuals the right to submit a Data Subject Access Request (DSAR) to any organisation that processes their personal data, primarily for a copy of that data. Although DSARs are a critical component of the legislation, charities face a number of unique challenges in complying with them.

What resource constraints do charities have?

Many charities have tight budgets and small teams, often relying on volunteers. Handling DSARs demands time, expertise, and administrative effort, which can put quite a strain on already limited resources. The law mandates that DSARs are responded to within one month (with extensions for particularly complex requests), meaning that charities must act quickly despite these constraints. This can make it difficult for them to allocate the necessary resources to respond to DSARs promptly and efficiently, pulling staff away from the day-to-day operations and core mission of the charity.

Identifying and retrieving data

As we mentioned at the beginning, charities collect data from a range of people, with information coming from various sources such as online donations on websites, CRM systems, email lists, and volunteer applications. When records are stored in different formats or locations, it can be challenging to accurately identify and retrieve the personal data of a data subject.

Many charities rely on volunteers and external support to carry out their operations, meaning both capacity and capability play a significant role in exposing potential risks associated with responding to a DSAR. Charity teams may not always have the experience or expertise needed to identify and export relevant data or conduct eDiscovery effectively. These factors can create additional hurdles, leading to unwanted delays in fulfilling DSAR requests.

This challenge becomes even more complex when charities receive DSARs from current or former employees. Without adherence to required and sensible retention periods, organisations may be left with vast amounts of historical data to sift through, sometimes spanning years. Extracting this data requires either manual review or the use of an eDiscovery tool to remove duplicates and identify relevant information. However, eDiscovery tools can be costly, making them inaccessible for smaller charities. As a result, staff members may have to manually review large volumes of data, significantly increasing the time and resources required to fulfil the request while also heightening the risk of errors or inadvertent data breaches.

What makes redacting third-party data complicated when handling DSARs?

Redacting third-party data can be particularly challenging for charities, as they often handle information that includes details about multiple individuals, such as group emails or case notes. Many charities also process special category data, which increases the risks associated with errors in DSAR responses. Failing to properly redact third-party information could result in a data breach, leading to serious compliance and reputational risks.

When responding to a request, it is essential to protect the data of all individuals involved while still upholding the requester’s rights. However, charity teams may not always have the necessary expertise or tools to efficiently identify and redact third-party data while maintaining the context of the information. Ensuring that only the requester’s personal data is disclosed, without compromising others’ privacy, can be a delicate and time consuming balancing act.

Legal exemptions and complex requests

Fulfilling a DSAR can be challenging when the request is unclear, overly broad, or difficult to interpret. If a requester is vague about what information they need, charities can ask them to clarify their request. However, if no clarification is provided, the charity must still make every effort to conduct a reasonable and proportionate search for the data. This can be particularly difficult for charities with limited resources or those relying on volunteers.

Additionally, not all requested data can be disclosed. Legal exemptions may apply in cases where information includes third-party data or is subject to legal privilege, to name a few. These exemptions require careful consideration, and charities must ensure that any decision to withhold information under an exemption is supported by documented reasoning.

Balancing these responsibilities while ensuring compliance with legal obligations can make responding to DSARs a complex and time-consuming process.

Keeping up with changing legislation

Data protection legislation and ICO guidance do evolve over time, making it challenging for charities to stay informed and adapt their practices accordingly. Keeping up with these changes is crucial because failure to do so can result in non-compliance, which exposes charities to risks such as fines, reputational damage, loss of donor trust, legal action, and potential harm to the individuals whose data is mishandled.

How should charities handle DSARs?

There are several solutions to these problems that we’d suggest.

 

  • Clear internal policies and procedures: Firstly, we’d recommend promoting a culture of accountability by developing and implementing clear internal policies and procedures specifically for handling DSARs. These should clearly outline roles and responsibilities, response timelines, and escalation procedures to make sure requests are dealt with promptly and effectively.

 

  • Comprehensive data retention periods: We regularly speak with charities that encounter significant challenges when handling employee DSARs due to poor data retention practices. In some cases, the absence of clear email retention policies has resulted in organisations having to sift through vast amounts of data, sometimes as much as 100GB, just to locate relevant information for an ex-employee’s request. This not only creates a massive administrative burden but also increases the risk of unnecessary data exposure. To avoid such issues, it is essential to establish and enforce clearly defined retention periods for emails and other records in line with legal requirements. Data should only be retained for as long as necessary, after which it must be securely deleted. Holding onto excessive, outdated, or unnecessary data not only complicates DSAR responses but can also lead to other compliance risks. Implementing a robust data retention policy ensures that information is managed efficiently, reducing the workload when responding to DSARs while also strengthening data security and compliance.

 

  • Comprehensive staff training: You know what they say: knowledge is power. Ensure all staff and volunteers are properly trained on GDPR compliance, data protection principles, and the correct procedures for identifying and redacting third-party information. Need a provider? Well, search no longer. You can find out more about our training courses here.

 

  • Data management: An organised approach to data management not only streamlines daily operations but also ensures compliance with data protection laws. It allows charity teams to quickly access relevant information when responding to requests, such as DSARs, and ensures that personal data is kept secure and appropriately categorised. This system also supports auditing, reporting, and other essential activities that help charities demonstrate their commitment to good data protection practices. Ultimately, staying organised isn’t just about efficiency, it’s key to maintaining trust with donors and beneficiaries.

 

  • Regular audits and reviews: Make sure you’re checking in regularly, auditing and reviewing your DSAR processes to identify areas for improvement and ensure you’re always meeting your data protection obligations. This way, any risks can be identified and mitigated sooner rather than later.

 

  • Use templates: Use templates as a basis to efficiently respond to DSARs. This will not only speed up the process but also minimises errors and ensures consistency when communicating with the requester. This makes everybody’s life a lot easier!

 

  • Record keeping: Keep accurate records of all DSARs received, including the date of the request, details of the request, communications with the requester, and searches conducted. It’s also wise to document your decision making process in case of any future challenges. A DSAR log is strongly recommended.

 

  • Consult with a data protection professional: When in doubt, ask an expert! Working with a data protection professional to assist and advise on your data protection practices not only ensures that you’re compliant with relevant laws and regulations, but also means your team can remain focused on your organisation’s core mission and activities. Responding to DSARs can be a time consuming process that can divert essential resources away from fundraising, service delivery, and program implementation. By outsourcing to a data protection professional, you can free up valuable time and resources. If you’re looking for experts to help you out, you’re in the right place! You can find out more about our DSAR processing and redaction services here.

 

  • Consult the ICO’s guidance: To ensure that you’re always compliant, consult the ICO’s guidance on exemptions and stay informed by subscribing to ICO updates. This is one of the best ways to be in the loop without having to do lengthy research too often.

 

At DPAS, we recognise how important the work that charities undertake is. If you need assistance with policies and procedures or need support from a DSAR expert, just get in touch with us. Whatever you need regarding DSARs, you can count on DPAS.

 

Written by Sophie Costain (Subject Access Requests Officer)

related posts

Jack Penaligon

How to Respond to a Data Breach: A Practical Guide

This blog provides an overview of the practical steps organisations can take to reduce the impact of a data breach once it has been identified. It focuses on the actions that should be taken during the early stages of an incident to contain the breach, protect affected individuals, and meet regulatory requirements.

The article discusses a range of mitigation measures, including contacting unintended recipients of personal data, securing the deletion or recovery of exposed information, isolating compromised systems, and maintaining clear records of actions taken. It also explores the challenges posed by both digital and physical data breaches, highlighting the importance of balancing operational needs with data protection obligations.

Finally, the blog emphasises the value of preparation, explaining how established procedures, communication templates, and predefined response plans can help organisations respond more effectively and demonstrate accountability during a regulatory investigation.

Read More »
Noah de Wild

How to Assess a Data Breach: A Practical Guide

This blog explains how to assess a data breach by identifying its cause, determining what information was exposed, and evaluating the potential impact on affected individuals and the organisation. It outlines common causes of breaches, the importance of understanding the type and scale of compromised data, and how assessing the timeline of an incident can help businesses respond effectively, meet legal obligations, and reduce long-term risks.

Read More »
Noah de Wild

Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

With the June 19, 2026 enforcement of the Data (Use and Access) Act approaching, ensuring your business is compliant doesn’t have to be complicated or expensive. In our latest guide, we break down exactly what the new data protection complaint rules mean for you. Cut through the noise and discover our simple, free six-step checklist to update your protocols, designate handlers, and keep your business confidently compliant.

Read More »

Get a Free Consultation