Picture this: you open your inbox one morning to find an email from a customer, employee, or even a former client with the subject line “Subject Access Request – all data about me.” If you’re scratching your head and wondering what to do next, you’re not alone. Handling subject access request emails about you (or your business) can feel daunting if you haven’t dealt with them before.

The good news? With a solid understanding of what’s required and a practical, step-by-step approach, you can respond confidently, stay compliant with UK data protection law, and avoid unnecessary stress – or penalties.

In this guide, we’ll break down exactly what a Subject Access Request (SAR) is, why it matters to your business, and walk you through the essential steps for handling SAR emails safely, efficiently, and in line with legal requirements. We’ll also provide examples, practical tips, and resources to help you stay protected from day one.

What Is a Subject Access Request (SAR), and Why Do They Matter?

First things first: let’s answer the question, “What’s a SAR?” Under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, individuals (“data subjects”) have the legal right to ask any organisation for details of the personal data that organisation holds about them. When they do, it’s called a Subject Access Request (SAR).

  • Personal data means any information that can identify an individual. This could be names, addresses, email exchanges, personnel records, or even notes from a customer service call.
  • A SAR might come as a formal letter, or far more commonly, as an email – sometimes with the phrase “subject access request emails about me,” but often as a straightforward question like “What data do you hold about me?”

If you’re a business, including startups and SMEs, you have a legal duty to respond to SARs, usually within one month. Getting this wrong could land you in hot water, with outcomes ranging from complaints to the ICO (Information Commissioner’s Office), fines, or reputational damage.

If you’re still not clear on what’s required, don’t worry – we’ll break it all down. For more on your legal responsibilities as a business, see our guide on How To Comply With Business Regulations.

Who Can Make a SAR, and What Must You Provide?

Anyone whose personal data you hold – customers, staff, contractors, suppliers – can submit a SAR. And as the business, you need to comply, except in very limited situations (for example, where data involves legal privilege or impacts others’ rights).

  • The request doesn’t have to say “subject access request” specifically. Any clear request for personal data counts.
  • Requesters can ask for a broad range (“all data about me”) or something specific (“copies of my payslips from January 2022”).

Your obligations include:

  • Confirming if you hold personal data on the individual
  • Supplying copies of that data (unless exemptions apply)
  • Explaining the types of data you hold, why you hold it, and who you’ve shared it with
  • Providing the information in a “concise, transparent, intelligible and easily accessible form”

For some great background, check out our page on What You Need To Know About GDPR.

What Happens If You Ignore a SAR or Get It Wrong?

Failing to respond to a SAR, or responding incorrectly or too late, can have serious consequences. The ICO can uphold complaints, require corrective action, and even fine your business. Perhaps more importantly, mishandling personal data can damage trust with customers and teams alike.

For example, the ICO has powers under the Data Protection Act 2018 – including the ability to issue fines, enforcement notices and even ban businesses from data processing in serious cases. That’s why it’s crucial to have a proper plan in place for handling requests.

Ready to find out how to handle those emails like a pro? Let’s jump into the steps.

How Should You Respond To “Subject Access Request Emails About Me”? Step-By-Step Guide

Here’s a practical checklist to follow as soon as you spot a SAR in your inbox:

1. Acknowledge Receipt Promptly

  • As soon as you receive a SAR (even if it’s just an email that says “please send me all data you hold about me”), respond to confirm you’ve got the request. This helps set expectations and shows you’re taking compliance seriously.
  • Diarise your deadline for response: the law gives you one calendar month from receiving the request to provide the information. For example, a SAR received on 2 May must be actioned by 2 June – not just acknowledged but fully answered.
  • If the request comes in over the weekend or public holiday, the clock still starts ticking right away. Delays in acknowledging could mean missing the window to supply everything required.

Tip: If the request is complex, you may be able to extend the deadline by a further two months, but let the requester know early and explain why.

2. Clarify the Request (When Needed)

  • Many SARs are broad (“I want all information about me”), but you can (and should) clarify what the person actually wants. This helps avoid sending masses of irrelevant data.
  • Ask specific questions: “Are you looking for a copy of every email exchange? Or are you interested in your employment records from last year?”
  • This is particularly important for larger companies or those that process lots of data, where narrowing the scope can make the task more manageable and ensure the response is truly helpful to the individual.
  • Example: Sarah emails requesting “all personal information about me.” You reply: “To help us locate what you need, could you let us know if you’re looking for records from a specific period, department, or communication channel?”

Be helpful, but remember: you can’t refuse the SAR simply because the request is broad. You still have to provide what you can find, within the time frame.

3. Verify the Identity of the Requester

  • Before disclosing any personal data, ensure the request really is from the person in question. This is especially important if the request is by email and you’re not sure who the sender is.
  • You can ask for reasonable additional information to confirm their identity (such as confirmation of a staff or customer number, a copy of ID, or calling them back on a number you have on record).
  • Be proportionate – don’t make verification onerous, but do lock down security so you’re not revealing data to the wrong person.

4. Search, Collate and Review the Data

  • Once you know what’s being requested, search all systems where you might hold the data. This could include emails, HR files, databases, shared drives, and even third-party cloud services.
  • Work with colleagues in IT, HR, operations or other relevant teams to ensure nothing is missed. Be sure to check archived emails and backups, too.
  • As you collate the data, make a list of:
    • What types of data you hold and where
    • Any recipients you’ve shared the personal data with
    • How the data has been used
  • Remember, you should only include the requester’s personal data, not information about other individuals unless they consent or it’s reasonable to do so (for example, where data about others is already public or uncontentious).

You may find our guide to Data Privacy Impact Assessments helpful for understanding your data landscape.

5. Check for Exemptions and Redact Where Necessary

  • Some information can be withheld (redacted) from a SAR if a legal exemption applies. Common exemptions include:
    • Personal data about another individual (unless they consent or it’s reasonable to disclose)
    • Data protected by legal professional privilege
    • Certain management planning or negotiations (for example, confidential business strategy)
  • Always review your data for third-party information, commercially sensitive content, or other issues before sending it on. Redact or remove anything that you’re entitled to withhold, and note the reasons for doing so in your response.
  • If you’re ever in doubt about exemptions or redactions, it’s best to seek advice from a privacy professional or lawyer.

For more on privacy fundamentals, see What Is a Privacy Policy?

6. Supply the Data Securely, with a Clear Explanation

  • Provide the personal information in a secure, accessible format (commonly PDF files or copies of relevant emails/records). Avoid sending personal data through insecure channels unless the requester agrees.
  • Include a cover letter or email explaining:
    • What you’ve provided (list the types of data and sources)
    • Any withheld information, and why (reference the relevant exemptions)
    • How to contact you for further clarification or with concerns
    • Information about the requester’s rights if they are dissatisfied (such as how to complain to the ICO)
  • Keep a careful record of what you supplied and when, in case questions or complaints arise later.

7. Update Your Policies and Train Your Team

  • Responding well to a SAR isn’t just about one-off compliance – it’s about embedding good privacy practices within your business.
  • Ensure staff know how to spot a SAR, what to do when one lands in their inbox, and who is responsible for handling the process.
  • Review and update your Privacy Policy, internal procedures and staff training regularly to keep them up to date with the latest laws and best practice.
  • For online businesses or those dealing with lots of customer data, consider regular data mapping and privacy impact assessments.

If you don’t already have robust internal guidance, you may wish to explore our Data Protection Pack for policies and templates.

Common SAR Pitfalls (And How To Avoid Them)

Hundreds of UK businesses get tripped up every year by SARs, often for totally avoidable reasons. Here are some practical tips:

  • Don’t ignore informal requests – if someone asks for their information, a SAR has likely been made even if they don’t use the words “subject access request”.
  • Avoid unnecessary delays – even while clarifying the scope or confirming identity, the one-month deadline still applies (time spent waiting for ID is excluded only where that check is genuinely necessary).
  • Never supply more than you should – always check and redact data relating to other people or sensitive information.
  • Document everything – keep a written record of how you handled the SAR, what you sent, and your justification for any withheld info.
  • If you make a mistake, notify the requester promptly, and if it’s serious, consider whether you need to notify the ICO.

For help creating robust contracts and policies to stay compliant, you may find our page on Legal Documents For Business helpful.

FAQs on Subject Access Requests (SARs)

What If the Request Is Made By a Third Party?

Only disclose personal data to a third party (such as a parent, solicitor or consultant) if you have clear, documented authority from the individual – or a right to do so under law.

Can You Charge a Fee for a SAR?

SARs are usually free. You can only charge a reasonable fee if the request is “manifestly unfounded or excessive” (for example, repeated requests for the same information within a short time).

What Happens If You Miss the Deadline?

If you don’t respond in time, the individual can complain to the ICO, who may require you to comply, investigate your data practices, and potentially issue a fine or corrective action. Keep close track of all SAR deadlines!

Need a more detailed business startup checklist for compliance? See Business Startup Checklist.

What If Responding Would Reveal Trade Secrets?

You do not have to disclose information that would reveal genuine trade secrets, provided you can clearly demonstrate the risk and it’s reasonable to withhold some details. Always explain your reasoning to the requester and, where in doubt, seek legal advice.

Key Takeaways

  • A Subject Access Request (SAR) is a formal legal right of individuals to access the personal data you hold about them, and you must respond within one calendar month in most cases.
  • Acknowledge all SARs promptly, clarify scope where possible, and verify identity before releasing any information.
  • Carefully search, collate, and review requested data, removing or redacting where necessary to protect third-party information and comply with relevant exemptions.
  • Provide your response securely, with a clear list of what’s included, what has been withheld, and the reasons why.
  • Document each stage of the process and update your internal privacy policies and staff training to stay compliant for future requests.
  • Ignoring or mishandling SARs can result in penalties from the ICO, as well as reputational damage for your business.
  • For complex responses, or if you’re unsure about the law or exemptions, it’s always wise to seek expert legal advice.

Let Us Help You Navigate SARs and Data Privacy Duties

If you’ve received a subject access request email about you or your business and are worried about how to comply, or you just want to ensure your privacy practices are up-to-scratch, we’re here to help. Sprintlaw offers experienced legal support on all aspects of data protection, privacy law, and compliance for UK SMEs.

Reach out to us for a free, no-obligation chat on 08081347754 or email [email protected] today. We’ll help you stay protected from day one and handle those SARs with confidence.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're an award-winning, online law firm for small businesses in the UK.
