Who should manage responding to DSARs?
Is it an appropriate task for a Data Protection Officer?
Organisations receiving a significant volume of Data Subject Access Requests often have a dedicated team responsible for handling them, with the DPO monitoring compliance standards and perhaps stepping in to advise on trickier cases.
However, in organisations where there isn’t a specific team to call on, DSARs can often fall squarely into a lonely DPO’s lap to fulfil, or into the lap of whoever has loosely been given responsibility for data protection.
But should it be the DPO’s job? And if you don’t have a DPO, who is best placed to ‘do the doing’? Who should sift through the reams of gathered information, apply the redactions, liaise with the requester and send the response?
Are DSARs the DPO’s job to do?
There can be an assumption that DSARs are part of the DPO’s job. So, I was interested to see the question of who should ‘do the doing’ pop up in the 2025 annual report from Germany’s Broadcasting Data Protection Officer (Rundfunkdatenschutzbeauftragte). Nice catchy name. The position this authority takes serves as a reminder to any organisation of three key points under GDPR and UK GDPR:
■ A DPO’s role is to inform and advise on data protection, and to monitor compliance.
■ Handling privacy rights is not one of a DPO’s official tasks.
■ Additional tasks can be assigned to a DPO as long as this doesn’t lead to a conflict of interest.
The Rundfunkdatenschutzbeauftragte says part of the DSAR process can be an official task of the DPO, but the rest is beyond the scope of their official role. They conclude:
■ Reviewing and sending the information which needs to be provided to the data subject in response to an access request can be conducted by the DPO in their capacity as a DPO. This can form part of their duty to monitor and verify the completeness of the information.
■ Other activities assigned to the DPO should be structured in such a way that the DPO doesn’t conduct them in their capacity as a DPO, so that their independence is not compromised.
Essentially a DPO has official tasks (as set out in GDPR/UK GDPR) but can always be assigned other activities alongside these legally defined tasks. I know plenty of DPOs in smaller organisations who wear a number of hats. What the German DPA is saying in relation to DSARs is that activities which go beyond ‘monitoring compliance’ (and we could extend this to providing advice) shouldn’t be conducted in their capacity as a DPO.
This could be open to debate, but what I’d say is it shouldn’t be automatically assumed that responding to DSARs is the DPO’s responsibility. Fulfilling requests is the organisation’s responsibility, and the organisation should make sure there are people with the experience to respond to requests. If appropriate, DPOs can get stuck into the process, but this isn’t part of their formal role.
Who else can ‘do the doing’?
There are no rules on who should respond to DSARs. Essentially anyone in the organisation who has suitable skills and knowledge can take them on. I know organisations where the HR team routinely handles employee-related requests, which can make a lot of sense.
Avoid over-reliance on just one person
Try and make sure there’s more than one person who knows what they’re doing – even in smaller organisations. There are plenty of good reasons to do this, such as:
■ The ‘main’ person being on leave is no excuse for not fulfilling a request within the statutory timescale, so you need at least one other person who is trained up and can pick up the reins.
■ A conflict of interests could arise when the person responsible for fulfilling requests is ‘too close’ to the individual making a request. For example, a member of their team, or someone they otherwise work closely with, submits a DSAR. This absolutely can happen. Is it appropriate for someone to be deciding whether what they’ve said in an email or written in a report about a colleague should be disclosed or not? Methinks not.
■ If just one person does everything, mistakes can be made without another pair of eyes at least reviewing what’s about to be sent out.
From all quarters I’m hearing of an increase in the volume and complexity of DSARs. I wrote recently about the scourge of AI-generated requests. It’s becoming ever more important to be well-prepared, to have an efficient and robust procedure, as well as knowledgeable members of staff who have a good understanding of how requests should be fulfilled. This might be your DPO if you have one, or your HR manager, but it would be a good idea to make sure they have backup.