
The DPO’s Guide to "Reasonable and Proportionate" Searches: What the 2025 Act Actually Means
For years, UK Data Protection Officers (DPOs) have operated under the spectre of the "fishing expedition"—the deliberately vague Data Subject Access Request (DSAR) designed to force a company into an exhaustive, highly expensive data retrieval exercise. Until recently, the legal framework heavily favoured the data subject, compelling organisations to turn over every digital stone, regardless of the administrative burden.
However, the regulatory landscape has decisively shifted. With the implementation of the Data (Use and Access) Act 2025 (DUAA), the UK government has formally codified the standard of the "reasonable and proportionate" search.
For privacy and legal teams, this legislative update provides a vital shield against weaponised DSARs. But what does "reasonable and proportionate" actually mean in practice, and how can organisations leverage this standard without falling foul of the Information Commissioner’s Office (ICO)?
The End of the Exhaustive Search
Under the previous interpretation of the UK GDPR, data controllers often felt pressured to search live systems, archived databases, disaster recovery backups, and individual employees' local hard drives to satisfy a single DSAR.
The DUAA explicitly curtails this expectation. The new legislation states that a data controller is only obliged to make efforts to find personal data that are "reasonable and proportionate" to the request. In practical terms, this means DPOs must now balance the fundamental rights of the individual against the sheer cost, time, and technical difficulty of extracting the data.
If an ex-employee requests all correspondence mentioning their name, you are expected to search standard repositories like their active email inbox, their manager's communications, and primary HR systems. You are not automatically expected to pay thousands of pounds to restore legacy backup tapes from five years ago, especially if the data retrieved is highly unlikely to provide any new or meaningful insight to the data subject.
Codifying "Stop the Clock"
Alongside the proportionate search standard, the DUAA has formally codified the "stop the clock" mechanism. This is perhaps the most powerful administrative tool now available to UK privacy teams.
Previously, the 30-day statutory deadline began ticking the moment a DSAR was received, even if the request was impossibly vague (e.g., "send me everything you have on me"). Now, if a controller genuinely requires more information to conduct a reasonable and proportionate search, they can pause the timeline.
If you receive a sprawling request spanning multiple decades and departments, you are legally entitled to ask the data subject to narrow the scope—perhaps to specific date ranges, specific departments, or specific incidents. The statutory clock does not restart until that clarification is provided.
Documenting Your Proportionality Test
The ICO will not simply take your word that a search was disproportionate; you must provide evidence. When deciding not to search a specific system, DPOs must formally document their rationale.
A robust proportionality assessment should evaluate:
The nature of the data: Is the requested information particularly sensitive or critical to the individual?
The complexity of the extraction: Will searching a specific legacy database require specialist third-party IT support?
The likelihood of success: Is there a genuine probability that the target system contains relevant personal data that hasn't already been surfaced elsewhere?
By maintaining a clear audit trail of these decisions, you protect your organisation in the event the data subject escalates a complaint to the ICO under the new internal complaints procedures mandated by the 2025 Act.
The Unresolved Challenge: Redacting the Data You Do Find
While the DUAA successfully limits the scope of where you must look, it does not alleviate the burden of processing the data you are legally required to disclose. A "reasonable and proportionate" search across just a few active Teams channels and email inboxes can still yield thousands of pages of unstructured data.
This is where the compliance bottleneck remains. Once the data is compiled, it must be meticulously reviewed to ensure third-party personally identifiable information (PII) is securely redacted. Relying on manual human review or basic PDF "black box" overlays is dangerously inefficient and frequently leads to "false redactions": documents that look clean on screen but still carry the hidden text and metadata underneath, a prime trigger for ICO fines.
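The "false redaction" failure described above can be checked for before a DSAR bundle leaves the organisation. The following is an added example, not code from the article or from any redaction product: it constructs a small PDF in which a black rectangle was drawn over a name but the text operator and the /Author entry were never removed, then scans the file's streams and metadata for terms that should have been scrubbed. The document, the names and the `residual_terms` helper are all constructed for illustration.

```python
import re
import zlib

# Constructed sample, not a real document: a one-page uncompressed PDF where a
# black rectangle ("0 g ... re f") was drawn over the name, but the text-showing
# operator and the /Author entry still carry it: a "false redaction".
BAD_REDACTION_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 95 >>
stream
BT /F1 12 Tf 72 700 Td [(Complaint raised by Jane) -250 (Example)] TJ ET
0 g 72 690 200 14 re f
endstream
endobj
5 0 obj << /Author (Jane Example) /Producer (constructed sample) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

# A stream plus the dictionary before it; (?!endobj) keeps the match inside one object.
STREAM_RE = re.compile(rb"<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
LITERAL_RE = re.compile(rb"\((.*?)\)")  # PDF literal strings such as (Jane)


def _decoded_streams(pdf):
    """Yield decoded stream bodies; inflate FlateDecode, skip what cannot be read."""
    for params, data in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in params:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # skipped stream: a clean result here is no proof of a clean file
        yield data


def residual_terms(pdf, terms):
    """Map each term still in the file to "content" (literal strings in streams, TJ
    kerning pieces re-joined, whitespace ignored) and/or "metadata" (everything
    outside streams, e.g. /Info). Hex strings and custom font encodings are not
    decoded, so an empty result is a detector saying nothing found, not a certificate."""
    norm = lambda b: re.sub(rb"\s+", b"", b).lower()
    streams = [norm(b"".join(LITERAL_RE.findall(s)) + s) for s in _decoded_streams(pdf)]
    outside = norm(STREAM_RE.sub(b"", pdf))
    found = {}
    for term in terms:
        needle = norm(term.encode())
        hits = [loc for loc, hit in (("content", any(needle in s for s in streams)),
                                     ("metadata", needle in outside)) if hit]
        if hits:
            found[term] = hits
    return found
```

Running `residual_terms(BAD_REDACTION_PDF, ["Jane Example"])` reports the name in both the content stream and the metadata, which is exactly what a visual check of the blacked-out page would miss.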
To fully capitalise on the efficiencies introduced by the 2025 Act, organisations must pair their proportionate search strategies with automated redaction workflows. Purpose-built AI can instantly scan the relevant documents and videos your search yields, automatically scrubbing underlying code and irreversibly removing PII.
The law has finally provided the tools to limit the scope of DSARs; now, you must ensure your internal technology can handle the rest. See how AI can safeguard your compliance processes by taking a free trial of Acuity AutoRedact today.