Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Companies Face Rise in Customers Wanting to Know How Their Data Is Being Used in 2021

Published by linker 5

Posted on January 28, 2021

5 min read

Last updated: January 21, 2026

Add as preferred source on Google

2021 (7)

By Lenitha Bishop, Head of DPOs, The DPO Centre.

The number of data subject access requests (DSARs) that UK companies will receive from clients and suppliers is set to increase considerably in 2021 according to the latest UK Data Protection Index results which highlighted there has already been a 66% increase in the average number of DSARs received since July 2020. Many companies are already struggling to adhere to data compliance obligations and Covid-19 has undoubtedly increased the pressure.

What is a DSAR?

The implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 has seen a significant number of individuals (data subjects) invoking their rights provided to them by these laws. These include the right of access (known as a Data Subject Access Request or DSAR), the right to be informed, the right to erasure, the right to object, etc.

For many organisations, it is DSARs that are the most common of these rights to be exercised and sometimes the most onerous to fulfil, especially given the strict response times that must be adhered to.

Your customers have the right to know if and how your organisation is processing their personal data, and if so, to be provided with a copy of such personal data, along with other supplementary information regarding the nature and scope of the processing. Whilst the latter of which should form part of your privacy policies/notices, the provision of copies of personal data can pose its own problems. Responding to DSARs can be time very consuming for organisations and in most cases they have only one calendar month to respond to the request.

It is important that such requests are handled fairly, ensuring that the application of these rights do not undermine other obligations on you, such as preserving the data protection or privacy rights of third parties, preserving any confidential duties, ensuring compliance with law enforcement activity, social work and so on.

Providing copies of a data subject’s personal data can often create further challenges and questions, such as:

What if their personal data was provided to you in confidence, such as from a confidential informant?
What if their request is going to be time consuming or particularly voluminous?
What if someone else is requesting the data on behalf of the data subject?
What if the data identifies other staff or staff from other stakeholders?

These are just some of the considerations that need to addressed as part of your company DSAR response.

The rise of DSARs amongst employees

Lenitha Bishop

Lenitha Bishop

The increase is likely due in part to employees becoming more ‘data savvy’ in requesting details of all the data an employer is holding on them. This may lead to more companies facing additional responsibilities and costs, which could be exacerbated further by the current business climate, for example, if an organisation decides to make employees redundant as a result of Covid-19 and those employees submit DSARs in an attempt to understand the data behind the decisions, sometimes as a precursor to claims and tribunal action.

Increasing rise of customers asking how your business is handling their data

The rise is not solely due to employees, clients and customers are also becoming more aware of their data rights and have more time to submit a DSAR, whilst working from home.

A separate consumer study by The DPO Centre revealed that six million UK adults² have considered submitting a DSAR after feeling that a company had mishandled their personal data. Those aged between 18 and 34 years old are most likely to have considered submitting a DSAR (20%) compared to those aged 35-54 (14%) and 55+ (4%). The two studies combined indicate that companies can expect to see a big increase in DSARs in 2021, therefore companies need to have the right procedures in place to minimise disruption.

Seven steps companies can take when handling customer data

Be open and honest about the personal data you collect and how it is used. Publish these details in your privacy notice
Ensure your privacy notice is reviewed regularly and kept up to date
Make it simple for data subjects to exercise their rights under data protection law by providing them with an easy way to contact you
Respond to data subjects’ rights requests without undue delay and within the statutory timescales, usually one month from receipt
Take a proactive approach to safeguarding data subjects’ rights by employing data protection by design and default (‘privacy by design’) principles when introducing new technology and processes
With Brexit now behind us, companies need to understand the potential ramifications of the UK failing to receive an adequacy decision by June 2021 and how they can ensure international dataflows can continue
If you process data on EU residents, but you do not have a presence in the EU, you may be legally required to appoint a Representative within the EU.

DSARs can be complex by their nature. If your organisation receives a DSAR and you are unsure of how to process it, it is important that you seek further advice or guidance from a Data Protection Officer (DPO) or advice from a privacy specialist. The DPO Centre has published a comprehensive white paper on the subject that can be downloaded by visiting www.dpocentre.com/dsar-whitepaper/

Data references

¹ The UK Data Protection Index (organised by The DPO Centre and Data Protection World Forum) is published quarterly and offers a unique picture of the Data Protection Officer profession and its evolving views over time. If you would like to join the panel please visit www.thedpindex.com.

² Research conducted by Opinium Research, 13-17 November 2020 based on a Nationally representative weighted sample among 2,000 adults in the UK. 11% (229/2000) of the 52,673,000 million of UK adult population = 6,031,059