The Subject Access Request (SAR) is perhaps the most commonly exercised data protection right. Under Article 15 of UK GDPR, individuals have the right to obtain confirmation of whether you're processing their personal data and, if so, to access that data along with certain supplementary information. Handling SARs efficiently is both a legal requirement and an opportunity to build trust with the people whose data you hold.
What is a Subject Access Request?
A Subject Access Request is a request from an individual (the "data subject") to access the personal data you hold about them. It's one of the fundamental rights under UK GDPR and exists to give people transparency and control over how their information is used.
When someone makes a valid SAR, they're entitled to:
- Confirmation that you are processing their personal data
- A copy of that personal data
- Supplementary information (largely corresponding to what should be in your privacy notice)
No Magic Words Required
A SAR doesn't need to mention "subject access request", "GDPR", or "Article 15". Any clear request for personal data—verbal or written—can constitute a valid SAR. Train your staff to recognise requests that might be SARs, even if informally phrased.
Recognising a SAR
SARs can arrive through any channel and in any form. Examples include:
- "Please send me all the information you hold about me"
- "I'd like a copy of my personnel file"
- "What data do you have on me?"
- "Can I see my records?"
- A formal letter citing Article 15 of GDPR
SARs can be made:
- In writing (letter, email, web form)
- Verbally (in person or by phone)
- Via social media
- Through a third party acting on behalf of the individual
Third-Party Requests
When someone makes a request on behalf of another person (e.g., a solicitor, family member, or employer), you must be satisfied they have authority to act. Request evidence of this authority, such as written authorisation from the data subject or a lasting power of attorney.
The SAR Response Process
Here's a step-by-step workflow for handling SARs effectively:
1. Log and Acknowledge
As soon as you receive a potential SAR:
- Log the request with the date received—this starts your response clock
- Assign a unique reference number
- Acknowledge receipt promptly (though not legally required, it's good practice)
- Identify the response deadline (one calendar month from receipt)
2. Verify Identity
Before disclosing personal data, you must be confident you're dealing with the right person. You can request information to confirm identity, but only what's necessary and proportionate.
Appropriate ID verification might include:
- Checking the request came from a known email address on your system (weak evidence on its own, since sender addresses can be spoofed; pair it with another check before releasing sensitive data)
- Asking security questions based on information you hold
- Requesting a copy of photo ID (only if genuinely necessary)
The clock pauses while you await ID verification, but resumes once you have reasonable information to confirm identity.
3. Clarify the Request (If Needed)
If a request is unclear or very broad, you can ask for clarification. For example, if someone asks for "everything you have on me" and you hold substantial data across multiple systems, you might ask them to specify what they're most interested in.
However, you cannot:
- Require them to narrow down the request
- Refuse to act without clarification
- Use clarification requests to delay your response
The clock pauses while awaiting clarification.
4. Search for Personal Data
Conduct reasonable and proportionate searches across all systems where the individual's data might be held:
- Databases and CRM systems
- Email (including archives and deleted items if recoverable)
- Shared drives and document management systems
- Paper files
- Backup systems (if reasonably accessible)
- Third-party systems you control or have access to
Document your search methodology in case of later challenge.
5. Review and Redact
Before disclosure, review all located data to identify:
- Third-party personal data: Information about other identifiable individuals that shouldn't be disclosed without consent or another valid reason
- Confidential references: Employment or educational references given in confidence
- Legal privilege: Information protected by legal professional privilege
- Commercially sensitive information: There is no general exemption for trade secrets or confidential business information. UK GDPR Recital 63 says only that the right of access should not adversely affect others' trade secrets or intellectual property, and that this is never a reason to refuse all information, so in practice it rarely justifies withholding anything
Redact information that falls within an exemption, but disclose everything else. Don't use exemptions as an excuse to withhold embarrassing or inconvenient information.
6. Prepare the Response
Your response should include:
- A copy of the personal data (in an accessible format)
- The purposes of processing
- Categories of personal data concerned
- Recipients or categories of recipients
- Retention periods or criteria for determining them
- Information about their rights (rectification, erasure, restriction, objection)
- The right to lodge a complaint with the ICO
- Source of the data (if not collected from the individual)
- Information about automated decision-making, including profiling
7. Deliver Securely
Send the response securely, appropriate to the sensitivity of the data:
- Encrypted files (for example an AES-256 encrypted archive rather than legacy ZipCrypto, which is easily broken) with the passphrase sent by a different channel, such as phone or SMS rather than a second email
- Secure file transfer or portal
- Encrypted email
- Recorded delivery for physical documents
If the request was made electronically, provide the information in a commonly used electronic format unless the individual requests otherwise.
Timeframes and Extensions
The Standard One-Month Deadline
You must respond to a SAR within one calendar month of receipt. "Calendar month" means:
- Request received 15 January → respond by 15 February
- Request received 31 January → respond by 28/29 February (last day of month)
- Request received 30 March → respond by 30 April
When You Can Extend
You can extend the deadline by up to two additional months if the request is complex or you've received numerous requests from the same individual. However:
- You must inform the individual within one month of receiving the request
- You must explain why the extension is necessary
- The extension should be genuinely justified, not routine
What Makes a Request "Complex"?
Complexity might arise from: large volumes of data across multiple systems, need for extensive redaction of third-party information, data held in difficult-to-access formats, or requirement to consult other parties. Being busy is not a valid reason to extend.
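The calendar-month rule and the two-month extension are easy to get wrong at month ends, so here is a small deadline calculator as an added example (not from the original article or from the ICO). It applies the rule given above: same day of the following month, clamped to the last day of that month when no corresponding date exists. It assumes the extension is counted from the original receipt date with the clamp applied once to the total (this example's reading of "two further months"), and it does not move deadlines that fall on weekends or public holidays; the sample dates are constructed.

```python
"""SAR deadline calculator (added example, standard library only)."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Union

MAX_EXTENSION_MONTHS = 2  # UK GDPR Art. 12(3): at most two further months

DateLike = Union[date, str]


def _to_date(value: DateLike) -> date:
    """Accept a date or an ISO 8601 string such as '2024-01-31'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_calendar_months(start: DateLike, months: int) -> date:
    """Return the corresponding date `months` calendar months after `start`.

    When the target month is shorter (31 Jan + 1 month), the day is clamped
    to the last day of that month, which is the end-of-month rule above.
    """
    if months < 0:
        raise ValueError("months must be non-negative")
    start = _to_date(start)
    # Zero-based month arithmetic so year roll-over falls out naturally.
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass(frozen=True)
class SarDeadlines:
    received: date
    standard_deadline: date    # one calendar month from receipt
    extension_notice_by: date  # the individual must be told by this date
    final_deadline: date       # standard deadline plus any extension


def sar_deadlines(received: DateLike, extension_months: int = 0) -> SarDeadlines:
    """Compute response dates for a SAR received on `received`.

    `extension_months` is 0, or 1..2 for complex or numerous requests.
    The notice of extension must reach the individual within the original
    one-month window, so that date is returned with the final deadline.
    Assumption: the extension is counted from the receipt date as a single
    span (1 + extension months) with the end-of-month clamp applied once.
    """
    if not 0 <= extension_months <= MAX_EXTENSION_MONTHS:
        raise ValueError(f"extension must be 0..{MAX_EXTENSION_MONTHS} months")
    received = _to_date(received)
    standard = add_calendar_months(received, 1)
    final = add_calendar_months(received, 1 + extension_months)
    return SarDeadlines(received, standard, standard, final)


if __name__ == "__main__":
    samples = [("2024-01-15", 0), ("2024-01-31", 0), ("2023-01-31", 0),
               ("2024-03-30", 0), ("2024-11-30", 2)]  # constructed dates
    for received, ext in samples:
        d = sar_deadlines(received, ext)
        note = f" (tell requester by {d.extension_notice_by})" if ext else ""
        print(f"received {d.received}: respond by {d.final_deadline}{note}")
```

Feed it the receipt date you logged in step 1 and record both dates in the SAR log; if you decide to extend, the `extension_notice_by` date is the one that bites first.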
Exemptions: When You Can Withhold Information
UK GDPR and the Data Protection Act 2018 provide several exemptions that may allow you to withhold some information. The main ones are:
Third-Party Data
You're not obliged to disclose information that would identify another individual, unless:
- That person has consented to disclosure
- It's reasonable to disclose without consent (consider the type of information, duty of confidentiality owed, and any steps taken to seek consent)
However, you should still disclose information about the requester even if it mentions third parties, unless doing so would reveal information that the third party would have a reasonable expectation of being kept private.
Legal Privilege
Information subject to legal professional privilege is exempt. This covers communications between lawyers and clients for the purpose of obtaining or giving legal advice, and documents created for litigation.
Confidential References
References given or received in confidence for employment, education, or training purposes are exempt. Under the Data Protection Act 2018 this covers confidential references your organisation has received about the requester as well as those it has given (the 1998 Act exempted only references you gave).
Crime and Taxation
Information can be withheld if disclosure would prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of tax.
Management Information
Information processed for management forecasting or planning can be exempt, but only to the extent that disclosure would prejudice the business.
Exemptions Are Narrow
Exemptions should be applied narrowly and only where genuinely applicable. You cannot use exemptions to avoid disclosing information that's merely embarrassing, inconvenient, or reflects poorly on your organisation. The ICO takes a dim view of over-claiming exemptions.
Fees and Refusing Requests
Charging a Fee
SARs are generally free. However, you can charge a "reasonable fee" in two circumstances:
- Manifestly unfounded or excessive requests: Where a request is clearly unreasonable, repetitive, or intended to cause disruption
- Additional copies: If the individual requests further copies of the same data, you can charge a reasonable fee based on administrative costs
Refusing a Request
You can refuse to act on a request if it's manifestly unfounded or excessive. Signs of this include:
- The individual has explicitly stated they're making the request to cause disruption
- The request is part of a targeted campaign against your organisation
- Repeated requests for the same data with no reasonable interval
- Requests that are clearly frivolous or vexatious
The bar for refusal is high. You must be able to demonstrate why the request is manifestly unfounded or excessive, and you must inform the individual of your refusal, your reasons, and their right to complain to the ICO.
Practical Tips for Efficient SAR Handling
SAR Best Practices
- Maintain a SAR log with deadlines and progress tracking
- Create template acknowledgement and response letters
- Document your search methodology for each request
- Train staff to recognise and escalate potential SARs
- Know where personal data is held across your organisation
- Have a clear redaction policy and process
- Use consistent, secure delivery methods
- Keep records of responses for accountability
- Review patterns in SARs to improve data governance
- Consider using SAR management software for high volumes
Common Pitfalls to Avoid
- Missing the deadline: Calendar month means calendar month—not 30 days. Track deadlines carefully.
- Over-redacting: Only redact what genuinely falls within an exemption. When in doubt, lean towards disclosure.
- Ignoring verbal requests: A request doesn't need to be in writing to be valid.
- Demanding excessive ID: Only request what's proportionate. Don't use ID verification to delay or deter requesters.
- Forgetting supplementary information: A SAR response isn't just about data—include the required context about processing.
- Insecure delivery: Sending personal data insecurely could itself cause a data breach.
- Failing to search thoroughly: "We couldn't find anything" is rarely a satisfactory response if data clearly exists.
Special Considerations: Employee SARs
Employee SARs can be particularly challenging due to the volume of data typically held. Key considerations:
What to Include
- HR records and personnel files
- Emails to, from, and about the employee
- Performance reviews and appraisals
- Disciplinary and grievance records
- Training records
- Payroll information
- CCTV footage featuring them
- Access logs and system records
- Notes from meetings (formal and informal)
Common Challenges
- Volume of emails: Use search tools effectively but document your methodology
- Ongoing disputes: SARs often arise during grievances or disputes—handle professionally regardless
- Manager's notes: Personal notes about employees may still be "personal data" subject to disclosure
- Third-party information: Colleagues mentioned in documents—consider carefully what to redact
Ex-Employees Have Rights Too
Former employees can make SARs about data you still hold. Ensure your retention policies are clear and that you can locate ex-employee data. Their rights don't expire when employment ends.
When Things Go Wrong
If you fail to respond properly to a SAR, the individual can:
- Complain to the ICO
- Bring court proceedings for an order to comply
- Claim compensation for distress or damage caused
The ICO can investigate complaints and has powers to issue enforcement notices and fines. Poor SAR handling is a common source of complaints to the ICO.
If You've Missed a Deadline
- Act immediately to complete the response
- Apologise to the requester and explain what happened
- Document the reasons for the delay
- Review your processes to prevent recurrence
- If a complaint is made, cooperate fully with the ICO
Conclusion
Subject Access Requests are a fundamental right, and handling them well demonstrates your organisation's commitment to transparency and data protection. Key takeaways:
- Recognise SARs in all their forms—no magic words required
- Act promptly—the one-month clock starts immediately
- Search thoroughly and document your methodology
- Apply exemptions narrowly and only where justified
- Provide the required supplementary information, not just data
- Deliver securely and in an accessible format
- Learn from each SAR to improve your data governance
Well-handled SARs build trust. Poorly handled ones generate complaints, regulatory scrutiny, and reputational damage. Invest in getting your SAR process right.
"The right of access is one of the most important rights under data protection law. It allows people to understand how and why you are using their data, and check you are doing it lawfully."
— Information Commissioner's Office