A practical guide to handling DSARs efficiently and compliantly, addressing the unique challenges insurance firms face with complex multi-system data estates.
Data Subject Access Requests are one of the most operationally demanding aspects of UK GDPR compliance for insurance firms. Policyholders, claimants, and former customers have the right to obtain confirmation of whether their personal data is being processed, a copy of that data, and supplementary information about how it is used — all within one calendar month.
Insurance firms face particular complexity because policyholder data is typically spread across multiple systems: policy administration platforms, claims management systems, document management repositories, email archives, and third-party processor systems. A single DSAR may require searching dozens of data sources and coordinating responses from brokers, loss adjusters, and outsourced service providers.
The ICO reported a significant increase in complaints about DSAR handling in the financial services sector during 2024, with late responses and incomplete disclosures among the most common failings. Firms that rely on manual search-and-collation processes frequently exceed the one-month deadline, exposing themselves to ICO enforcement action and reputational damage.
Effective DSAR handling requires a combination of clear procedures, efficient search capabilities, and well-defined roles. Insurance firms need to establish a centralised DSAR management process that can identify, retrieve, review, and disclose personal data from across their entire data estate within the statutory timeframe.
Key to meeting the deadline is reducing the time spent on each phase of the process. Automated identity verification, pre-configured system searches, templated response letters, and workflow-driven review processes can compress what would otherwise be weeks of manual work into days.
Equally important is understanding the exemptions available to insurance firms. The DPA 2018 provides specific exemptions relevant to insurance, including for legal professional privilege, management forecasting, and — critically — for data processed for the purposes of prevention or detection of crime, which may apply to fraud investigation files.
Follow this structured process to handle every DSAR consistently and within the statutory deadline.
A DSAR can be made verbally or in writing, in any format, and does not need to reference the UK GDPR or use the term "subject access request." Train all customer-facing staff to recognise DSARs. Log every request immediately in your central DSAR register with the date received, since that is the day the one-month clock starts. Assign a unique reference number and a designated handler.
Before disclosing any personal data, verify that the requester is who they claim to be. For existing policyholders you can often do this through account details or security questions; for former customers you may need to ask for identity documentation, and for anyone acting on the individual's behalf, such as a solicitor or relative, you also need evidence of their authority to act. Ask for this promptly and only where you have genuine doubt: the ICO expects proportionate checks, and although the one-month period runs from the day you receive the identification, using verification as a delay tactic is a recognised failing.
If the request is broad or unclear, you may contact the requester to clarify what information they are seeking. This is particularly useful for insurance DSARs where the individual may have multiple policies, claims, or interactions over many years. However, you cannot refuse to act simply because the request is broad — if the requester does not narrow it down, you must process it as received.
Conduct a thorough search across all systems that may contain the requester's personal data. For insurance firms this typically includes: policy administration systems, claims management systems, CRM platforms, email and correspondence archives, document management systems, telephony recordings, and any third-party systems operated by brokers or outsourced processors.
Review the retrieved data carefully to identify any information that is exempt from disclosure. Key exemptions for insurance firms include: legal professional privilege (Schedule 2, paragraph 19 DPA 2018), management forecasting or planning (Schedule 2, paragraph 22), crime prevention and detection (Schedule 2, paragraph 2), and third-party personal data that cannot be disclosed without the third party's consent or where it would otherwise be unreasonable to disclose it. Apply exemptions to specific items of data rather than to a whole file: the crime exemption, for example, covers only data whose disclosure would be likely to prejudice the prevention or detection of crime, so a fraud investigation file is not automatically withheld in its entirety.
Insurance files frequently contain personal data of third parties — other policyholders, claimants, witnesses, or employees. You must redact this information unless the third party has consented to disclosure or it is reasonable in all the circumstances to disclose without consent. Apply consistent redaction and maintain a record of what was redacted and why.
Prepare the response package including: confirmation that you process the individual's personal data, a copy of the personal data in an intelligible format, and the supplementary information required by Article 15 (purposes, categories, recipients, retention periods, rights, source of the data, and any automated decision-making). Send the response securely, using encrypted email or a secure portal where possible.
Log the response date, method of delivery, and a summary of what was disclosed and what was exempted or redacted. Retain a copy of the response and your decision log for at least two years in case of ICO complaint or investigation. Update your DSAR metrics for management reporting.
Route all DSARs through a single point of management, whether that is your DPO, a dedicated privacy team, or a compliance function. Decentralised handling leads to inconsistent responses, missed deadlines, and incomplete searches.
Use automated calendar alerts to track the one-month deadline for every DSAR, with escalation triggers at 14 days and 7 days remaining. The period can be extended by up to two further months for complex or numerous requests, but only where genuinely justified, and you must tell the requester within the original month that you are extending and why.
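The register, deadline tracking and extension steps above are straightforward to automate, and the part people get wrong is the date arithmetic. The following Python is an added example written for this guide; it is not code from the original page or from any product it mentions. It assumes the ICO's calendar-month rule (the deadline is the corresponding date in the next month, or the last day of that month if it is shorter, rolled forward to the next working day if it lands on a weekend or bank holiday) and takes the bank-holiday list from the caller. The record fields, reference format and status labels are illustrative.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta

# Escalation triggers in days remaining, as recommended in the text above.
FIRST_ESCALATION_DAYS = 14
SECOND_ESCALATION_DAYS = 7


def add_calendar_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` ahead, clamped to the month end
    when the target month is shorter (31 January + 1 month -> 28/29 February)."""
    month_index = start.month - 1 + months
    year, month = start.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, holidays: frozenset = frozenset()) -> date:
    """Roll a weekend or public-holiday date forward to the next working day.
    `holidays` is supplied by the caller (assumption: you maintain the
    applicable bank-holiday list yourself)."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def statutory_deadline(received: date, extension_months: int = 0,
                       holidays: frozenset = frozenset()) -> date:
    """One calendar month from the day of receipt, plus up to two further
    months where an extension has been justified (UK GDPR Article 12(3))."""
    if extension_months not in (0, 1, 2):
        raise ValueError("an extension may add at most two further months")
    due = add_calendar_months(received, 1 + extension_months)
    return next_working_day(due, holidays)


def escalation_status(deadline: date, today: date) -> tuple[str, int]:
    """Classify an open request by the days remaining to its deadline."""
    remaining = (deadline - today).days
    if remaining < 0:
        return "OVERDUE", remaining
    if remaining <= SECOND_ESCALATION_DAYS:
        return "ESCALATE_7_DAYS", remaining
    if remaining <= FIRST_ESCALATION_DAYS:
        return "ESCALATE_14_DAYS", remaining
    return "ON_TRACK", remaining


@dataclass
class DsarRecord:
    """One row of the central DSAR register (illustrative fields)."""
    reference: str
    received: date
    handler: str
    extension_months: int = 0
    responded: date | None = None
    decision_log: list = field(default_factory=list)

    def deadline(self, holidays: frozenset = frozenset()) -> date:
        return statutory_deadline(self.received, self.extension_months, holidays)

    def extend(self, months: int, reason: str, notified_on: date) -> None:
        """Record an extension with its justification. The notice to the
        requester has to go out within the original one-month period."""
        if not reason.strip():
            raise ValueError("an extension needs a recorded justification")
        if notified_on > statutory_deadline(self.received):
            raise ValueError("extension notice must be sent within the original month")
        self.extension_months = months
        self.decision_log.append(
            f"{notified_on.isoformat()}: extended by {months} month(s): {reason}")

    def status(self, today: date, holidays: frozenset = frozenset()) -> tuple[str, int]:
        """CLOSED with days to spare (negative if late), otherwise escalation state."""
        if self.responded is not None:
            return "CLOSED", (self.deadline(holidays) - self.responded).days
        return escalation_status(self.deadline(holidays), today)


if __name__ == "__main__":
    # Constructed example: a request received on 31 July 2025 falls due on
    # 31 August, a Sunday, so the deadline rolls to Monday 1 September.
    record = DsarRecord("DSAR-2025-0042", date(2025, 7, 31), "privacy team")
    print(record.reference, "due", record.deadline())
    print(record.status(today=date(2025, 8, 20)))
```

Run the register check daily against `date.today()` and route anything other than `ON_TRACK` or `CLOSED` to the handler and their escalation contact; the `decision_log` on each record is the contemporaneous justification the ICO will ask for if an extension is challenged.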
Agree DSAR cooperation procedures with your key processors in advance, not when a request arrives. Include DSAR response timelines in your data processing agreements, requiring processors to return data within a specified number of working days.
When withholding data under an exemption, record the specific exemption relied upon, the data withheld, and your reasoning. The ICO may require you to justify your exemption decisions, and contemporaneous records are far more persuasive than retrospective explanations.
Respond in a commonly used electronic format such as PDF, and structure the data logically by source system or data type. Avoid sending raw database exports that the individual cannot interpret. The ICO expects responses to be intelligible to a lay person.
If you receive repeat DSARs from the same individuals or about the same types of data, investigate whether there is an underlying transparency issue that could be resolved by improving your privacy notices or data access self-service options.
All staff who interact with customers can identify and escalate a DSAR appropriately.
Single point of management for all DSARs with automated logging and deadline tracking.
Pre-prepared list of every system and data repository to search for each DSAR.
Clear process for verifying requester identity without using verification as a delay mechanism.
Documented guidance on insurance-relevant exemptions with practical examples.
Data processing agreements include specific timelines for processors to return DSAR data.
Pre-drafted templates covering common insurance DSAR types, customisable for each case.
SwiftCase automates DSAR workflows with centralised logging, deadline tracking, multi-system search coordination, and audit-ready response records — helping you hit the one-month deadline every time.