
GDPR, DSAR and eDiscovery

How to balance disclosure obligations and data subject rights under GDPR when handling personal data in eDiscovery.

Ref · E-D · 2026 · §GDPR | Class · Confidential | Juris · England & Wales | Status · Active

Disclosure and GDPR can coexist

GDPR does not block litigation disclosure. It requires that personal data is handled lawfully, fairly and transparently. In litigation and investigations, disclosure obligations can provide a lawful basis for processing, but that does not remove the need to respect data protection principles.

The key is proportionality: collect and review only what is necessary for the matter, protect the data while it is in your control, and dispose of it securely when it is no longer needed.

Data minimisation in eDiscovery

Data minimisation means keeping the exercise focused on the issues in the case. Scoping custodians, date ranges and data sources tightly keeps the volume of personal data down and supports proportionality. It also makes the review more efficient.

Where personal data is collected, it should be protected by access controls, encryption and clear handling records. These measures are also good for defensibility, because they show that the data was treated seriously.

DSAR versus litigation disclosure

A data subject access request (DSAR) and litigation disclosure are different exercises. A DSAR is about the requester's own personal data, often with broad scope and tight deadlines. Disclosure is about relevant documents, often between the parties to litigation. The two can overlap, and responding to a DSAR during litigation requires care to avoid undermining the litigation position or disclosing privileged or third-party data.

Technical and organisational safeguards

Practical safeguards include role-based access, encryption in transit and at rest, pseudonymisation where possible, and clear retention and deletion policies. Having a documented processing record helps demonstrate compliance if the regulator or the other side asks questions.

Key takeaways

  • GDPR and disclosure obligations can coexist with proper planning.
  • Data minimisation and tight scoping protect both compliance and proportionality.
  • DSAR and litigation disclosure are different exercises with overlapping risks.
  • Access controls, encryption and retention records support defensibility and compliance.

Frequently asked questions

Can privileged material be disclosed in a DSAR response?

Privilege still applies, but it must be assessed carefully. DSAR responses may also need to redact third-party personal data.

Does GDPR stop data being transferred outside the UK?

International transfers are allowed if appropriate safeguards are in place, such as adequacy decisions or standard contractual clauses. This should be addressed early in cross-border matters.

How long should eDiscovery data be kept?

Only as long as necessary for the matter and any legal or regulatory retention requirement. A clear retention and deletion policy is essential.
