
Data Protection Tips


Subject Access Requests (SARs), also known as Data Subject Access Requests (DSARs), can be a compliance headache for many organisations. Whilst the right for data subjects to request copies of their personal data existed long before the introduction of the General Data Protection Regulation (GDPR), requests appear to be becoming increasingly broad and complex.

Handled well, DSARs demonstrate transparency and accountability. Handled poorly, they expose organisations to ICO complaints, enforcement action, reputational damage, and unnecessary operational strain.


This guide explains how to manage DSARs effectively under UK GDPR, reflecting current ICO guidance, recent legislative changes, and the realities faced by UK organisations today.


What Is a SAR?


A Subject Access Request (SAR) is a request made by an individual to access the personal data a Data Controller holds about them. Under Article 15 of the UK GDPR, individuals have the right to:

  • Confirm whether their personal data is being processed

  • Receive a copy of that personal data

  • Understand how and why it is being used, shared, and retained

A DSAR does not need to mention “GDPR”, “SAR”, “DSAR”, or “data protection” to be valid. Requests can be made verbally, in writing, via email, contact forms, or even social media channels.


SAR Time Limits Under UK GDPR


UK GDPR sets clear statutory deadlines:

  • One calendar month to respond from the date of receipt

  • The deadline can be extended by up to two further months where requests are complex or numerous

  • The clock can be paused where reasonable clarification is required to understand the scope of a request

The ICO’s guidance is explicit that organisations must act without undue delay, even where extensions apply.


Recent Changes: Reasonable and Proportionate Searches


Data protection law is ever changing, and one helpful update for Data Controllers that came into force through the Data (Use and Access) Act (DUAA) was the ability to undertake reasonable and proportionate searches, rather than exhaustive searches across every possible system. This is especially useful for requests from data subjects who ask for a copy of ‘everything’ held by an organisation.

This means:

  • You are not required to search every archive or legacy system if it would be disproportionate

  • Search decisions must be defensible, documented, and consistent

  • Organisations should focus on systems where relevant personal data is most likely to be held

The burden remains on the controller to justify why a search was reasonable if challenged.


AI‑Generated Outputs Are Now In Scope of SARs


As organisations introduce AI and generative tools, AI‑generated outputs must now be treated as in scope of a SAR under UK GDPR. Personal data includes not only information provided by individuals, but also data that is derived, inferred or generated about them, such as scores, risk ratings, classifications, summaries or predictions produced by AI systems. Where those outputs relate to an identifiable person, they are likely disclosable under Article 15 and must be included in SAR searches. UK organisations therefore need to ensure AI tools are mapped as data sources within SAR processes.


Common SAR Challenges for UK Organisations


In practice, SAR compliance fails most often due to operational issues, not legal misunderstanding.

1. Requests Spread Across Multiple Systems

Personal data often exists across:

  • Email and collaboration tools (Outlook, Teams, Slack)

  • CRM and case management systems

  • HR platforms and shared drives

  • CCTV, call recordings, and AI‑generated summaries

Without a clear data map, organisations lose time identifying where to search.


2. Mixed Third‑Party Data

Many SARs involve emails or documents containing information about multiple individuals. This requires careful redaction and balancing of rights, particularly in employment, NHS, and public sector contexts.


3. Tactical Requests

SARs are increasingly used alongside grievances, litigation, or complaints. This increases legal risk and requires stricter governance, audit trails, and privilege handling.


What Good SAR Management Looks Like

Organisations that manage SARs well tend to have the same foundations in place.


Clear Internal Recognition

Staff know how to recognise a SAR regardless of the channel it arrives through.


Defined Registration

There is a consistent process for:

  • Logging requests

  • Verifying identity (where necessary)

  • Clarifying scope without delaying unnecessarily


Structured Search and Review

Searches are planned, documented, and proportionate. Review and redaction are performed methodically, not reactively.


Secure Disclosure

Responses are issued securely, in an intelligible format, with the required supplementary information.

These expectations are set out clearly in ICO guidance and form part of the accountability principle under UK GDPR.


Consequences of Poor SAR Handling


Failure to manage DSARs effectively can result in:

  • Complaints directly to the organisation (now an explicit right)

  • Escalation to the ICO

  • Enforcement action and monetary penalties

  • Loss of trust with customers, employees, or patients


Building a Sustainable SAR Process


Organisations experiencing repeat SAR issues should move away from ad‑hoc handling and towards a repeatable governance model, including:

  • SAR policies and procedures

  • Defined ownership and escalation paths

  • Data mapping and retention controls

  • Audit‑ready records of decisions and searches

This approach reduces risk, response time, and operational disruption, particularly for scaling organisations and regulated sectors.


Final Thoughts

Iniver supports organisations to manage SARs confidently under UK GDPR, including where personal data is processed through AI and automated systems. Our team have run information rights management operations within national organisations, and we utilise this real-world experience to help clients design proportionate SAR processes, identify AI‑generated personal data, and align responses with current ICO guidance. If you need support reviewing your SAR approach or understanding how AI changes your obligations, speak to Iniver for practical, regulator‑ready advice.


Contact us at hello@iniver.co.uk or find out more about how we can support you here.

Everything you need to know to meet the 30 June 2026 deadline with confidence.

For organisations that handle NHS data, the NHS Data Security and Protection Toolkit (DSPT) is a mandatory self-assessment that must be completed annually. Yet for many healthtech teams, the DSPT can feel confusing, time‑consuming, and difficult to navigate without specialist guidance.


This article breaks down the DSPT in clear, practical language and provides step‑by‑step insight into what’s required. If you're a healthtech founder, digital health supplier, NHS partner, or any organisation needing to process NHS data, this guide will help you understand what the DSPT is, how to complete it, and how Iniver can support you.


What Is the DSPT?

The Data Security and Protection Toolkit is a self‑assessment framework that demonstrates your organisation is handling NHS data safely, legally, and in line with national expectations.


It applies to all organisations processing NHS data, from early‑stage healthtech startups to large digital suppliers.


Completing the DSPT is essential for:

  • Access to NHS systems

  • Maintaining NHS partnerships

  • Contract renewals

  • Securing new NHS customers

  • Demonstrating trust and compliance to commissioners


DSPT is set against the 10 NHS Data Security Standards. Whilst there is some overlap with the UK General Data Protection Regulation (GDPR), completing it does not in itself make you ‘GDPR compliant’.


Why DSPT Compliance Matters

Failing to complete the DSPT can lead to:

  • Loss of access to NHS data

  • Blocked integrations or deployments

  • Contract delays

  • Audit findings

  • Reputational risk

  • Barriers to scaling into the NHS market


For healthtech companies, especially those seeking NHS adoption, DSPT compliance signals maturity, trustworthiness, and robust handling of sensitive data.


How to Get Started With DSPT


1. Get an ODS Code & Register

Your first step is registering your organisation on the DSPT portal and obtaining an ODS code.


2. Identify Your Organisation Category

This is important - your category defines how many requirements you must meet.


3. Choose Your Level of Completion

You can either complete:

  • Standards Met (mandatory requirements only), or

  • Standards Exceeded (full completion)

Choosing the right level depends on your risk profile, client expectations, and internal capability.


What’s Involved in Completing the DSPT?

The DSPT assessment is based on 10 key areas of focus, each containing multiple requirements.

These cover areas such as:

  • Governance

  • Training

  • Incident management

  • Technical security

  • Data protection policies

  • Supplier assurance


Some requirements require evidence uploads, while others just need a formal confirmation.


Important for HealthTech Suppliers

If you submit under the IT Supplier category, you must undergo an independent DSPT audit. This is often the most demanding part for digital health companies.


Audit Oversight

Although DSPT is self‑assessment, NHS bodies may still audit your submission in specific circumstances.


Key DSPT Deadlines & Annual Cycle

  • DSPT must be completed every year

  • The next deadline: 30 June 2026

  • Requirements change annually, so don’t assume last year’s submission is enough


If you hold Cyber Essentials Plus or ISO 27001, you’ll have fewer DSPT requirements to complete.


Why You Should Never Leave DSPT to the Last Minute

The DSPT can take longer than expected, especially if:

  • Evidence needs to be gathered

  • Policies require updating

  • Technical controls need improvement

  • You're submitting as an IT Supplier


You should ideally begin your DSPT review at least two months before the deadline.


How Iniver Helps You Complete DSPT Smoothly

Whether you're a first‑timer, returning submitter, or an organisation needing an independent audit, Iniver provides scalable support packages to get your DSPT completed without stress.


Our DSPT Support Includes:

  • Full onboarding and category selection

  • Gap analysis and action planning

  • Drafting and updating evidence

  • Building or reviewing required policies

  • DSPT portal management

  • Pre‑submission quality checks

  • Independent audit for IT Suppliers

  • Ongoing advice on compliance improvements


We support healthtech companies, NHS‑connected organisations, and digital suppliers at every level of maturity.


Ready to Complete Your DSPT With Confidence?

If you want DSPT done accurately, efficiently, and with an experienced partner, we’re here to help.


Contact Iniver

Email hello@iniver.co.uk, use our ‘Contact Us’ form or call +44 7356 251 922.


✔ Support for first‑time submitters

✔ Reviews for experienced teams

✔ Full audit‑ready completion packages


Let Iniver take the complexity out of the DSPT so you can stay focused on delivering exceptional healthtech innovation. View our packages here.


As DTAC Version 2 launches in 2026, HealthTech companies preparing for NHS adoption need a clear understanding of what the updated Digital Technology Assessment Criteria requires, especially around data protection, DSPT, ICO registration, and DPIA obligations. With the NHS simplifying DTAC and reducing duplication across frameworks, strong data‑protection compliance is a key way to support procurement and build trust with NHS organisations.


What Is DTAC? (Digital Technology Assessment Criteria)

The Digital Technology Assessment Criteria (DTAC) is the NHS’s baseline framework for evaluating whether digital health technologies are safe, secure and suitable for use across health and social care settings. DTAC covers five key areas:

  • Data Protection

  • Clinical Safety

  • Technical Security

  • Interoperability

  • Usability & Accessibility

For HealthTech innovators, DTAC acts as the gateway to NHS adoption, ensuring products meet national expectations around information governance, risk management and responsible data handling.


How Do You Become DTAC “Approved”?

There is no national DTAC certification scheme. Instead, each NHS organisation evaluates DTAC submissions locally, and your approval depends on the clarity and completeness of the evidence you provide.


NHS England has also confirmed it does not endorse third‑party DTAC certification schemes, meaning HealthTech companies should prioritise genuine compliance rather than paid “badge‑based” services.


DTAC 2026 Data Protection Requirements: What HealthTech Companies Must Provide

Data protection is one of the most heavily weighted sections of DTAC. Below is a breakdown of every requirement HealthTech suppliers must meet, rewritten for clarity and optimised for the search terms digital health teams commonly use.


C2.1 – DSPT Compliance (Data Security and Protection Toolkit)


You must confirm whether you meet the DSPT (Data Security and Protection Toolkit) standards if your product will access NHS systems or process NHS data. DSPT is a mandatory self‑assessment for any organisation handling NHS information and sits alongside DTAC as a core compliance requirement.


C2.2 – Personal Data Processing

You must clearly state whether your product processes personal data, including data relating to deceased individuals. This must also include any processing carried out by sub‑processors, ensuring full transparency across your data supply chain, a critical expectation for NHS digital compliance.


C2.2.1 – ICO Registration

You must provide evidence of your Information Commissioner’s Office (ICO) registration.


C2.2.2 – Data Protection Impact Assessment (DPIA)

You must submit a Data Protection Impact Assessment (DPIA) covering your product or service. This helps NHS organisations understand your risk‑mitigation strategies, your lawful basis for processing (where applicable), and how you safeguard user or patient data throughout the product lifecycle.


C2.2.3 – Transparency Information

You must include your Privacy Notice or equivalent transparency documentation. This should clearly explain what data you collect, why you collect it, and how you use it.


C2.2.4 – Product Terms and Conditions / EULA

You must supply the relevant Terms & Conditions or End User Licence Agreement (EULA) outlining how user data is processed. If your product does not process personal data, you must explicitly state this and provide justification.


C2.2.5 – Data Storage and Processing Locations

You must confirm where all data, including any third‑party processing, is stored and handled. This is essential for NHS due diligence, as data residency and jurisdictional risk assessments form part of every NHS procurement workflow.


C2.2.6 – Overseas Processing

If any personal data is stored or processed outside the UK, you must name each country and explain how the transfer complies with UK GDPR, such as:

  • Adequacy regulations

  • International Data Transfer Agreements (IDTAs)

  • Appropriate contractual safeguards

This is especially relevant for cloud‑based HealthTech products and digital therapeutics.


Beyond DTAC: What HealthTech Companies Should Prepare For

While DTAC provides the baseline, many NHS organisations require more robust evidence across information governance, cyber security and clinical safety. Completing the DTAC data protection requirements also does not in itself mean you are ‘GDPR compliant’. HealthTech teams should ensure they have:

  • A comprehensive, documented data‑protection programme

  • Strong technical security controls

  • A clear data‑flow map and information governance programme

  • Updated DPIAs, RoPAs and sub‑processor lists

  • A Data Protection Officer where required by law

For early‑stage or scaling HealthTech companies, preparing this evidence proactively can significantly accelerate NHS procurement discussions and reduce administrative friction.


How Iniver Supports HealthTech With DTAC and Data Protection

At Iniver, we support HealthTech companies to implement and manage data‑protection programmes that not only satisfy DTAC and DSPT, but also improve trust, transparency and NHS adoption speed. Whether you need help with your DPIA, an outsourced Data Protection Officer, DTAC Version 2 questions, or broader data‑protection strategy, we can help you become NHS‑ready with clarity and confidence.


Read more about how we support HealthTech organisations here.
