If you’re running a business in the UK, there’s a good chance you’ll encounter a Subject Access Request (SAR) at some point – especially if you’re collecting or processing personal data from customers, clients, or employees.
Receiving a SAR (sometimes referred to as a “SAR request” or “DSAR request”) can feel overwhelming, particularly if you’re not familiar with the legal process or documentation involved. But don’t worry – with some clear guidance, you’ll know exactly what to expect and how to respond in a way that keeps your business compliant and protected.
Getting SARs right isn’t just about ticking boxes. It’s about building trust with the people whose data you hold – and protecting your business from potential complaints or fines. In this guide, we’ll walk you through what a SAR is, your legal obligations, the step-by-step process for handling SARs, and practical tips to streamline your response. Keep reading to make sure you’re confident (and compliant) with every SAR request that comes your way.
What Is a Subject Access Request (SAR) in the UK?
A Subject Access Request (often called a SAR, or a subject information request) is a formal request from an individual for access to the personal data you hold about them. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, individuals (data subjects) have the legal right to find out whether their data is being used, what data is held, and to receive copies of that information.
A SAR can be made by anyone whose data you process – this includes employees, customers, website users, job applicants, suppliers, and more. The request can be broad (“I want a copy of all personal data you hold about me”) or very specific (“Please send me my most recent payslips and records of absence for pension purposes”).
Some people refer to these as “DSAR requests” (Data Subject Access Requests) – both terms mean the same thing.
Who Needs To Respond To SARs?
Any organisation that processes personal data – whether as a business, charity, public body, or sole trader – has a duty to deal with SARs. If you’re unsure, ask yourself: does your organisation store or process any information that could identify a living individual? If so, you fall under UK data protection law and must be ready to handle subject access requests.
This includes information collected via online forms, email, paper files, staff records, customer accounts, and more. Even if you’re a small business or startup, you’re not exempt – complying with SAR rules is essential for building a trustworthy business.
What Should Be Included In a Subject Access Request Response?
Your response to a SAR should provide individuals with:
- A copy of the personal data you hold about them (in digital or paper form, as appropriate).
- Details of the purposes for which you use their data.
- The categories of personal data you process (e.g. name, address, purchase history).
- Who you share their data with (including any third parties).
- How long you’ll keep their data for (or the criteria used to decide this).
- Information about their rights under the GDPR (such as the right to rectification, erasure, restriction and objection).
- Details of any sources where you obtained personal data, if not directly from the individual.
- Information about any automated decision-making or profiling, if applicable.
In practice, this means gathering all documents, emails, or records containing the individual’s data, and providing them in a concise, accessible format. You must not just “describe” the data over the phone – you need to supply actual copies.
Unsure what qualifies as “personal data”? It’s any information that can identify a living person, either on its own or combined with other data.
To learn more about what data counts, check out our guide to customer data protection.
How Quickly Do I Need To Respond To a SAR?
Under UK data protection law, you must respond to a SAR “without undue delay and in any event within one month of receipt.” This one-month timeframe starts as soon as you receive the request (whether by email, post, or verbally).
In limited circumstances – where a request is especially complex or involves large volumes of data – you may extend the deadline by up to two further months. If you do extend, you must notify the requester within the first month and explain why the extra time is needed.
Missing the deadline (even by a day) could land your business in hot water with the ICO (Information Commissioner’s Office), so make sure you’re tracking SAR timelines carefully.
Step-By-Step Guide: How To Respond To a SAR Request in the UK
Let’s break down the process into practical steps so you can stay on top of every SAR – even if it’s your first time handling one.
1. Confirm Receipt and Log the Request
- Always acknowledge the SAR promptly and in writing (email is fine).
- Record the date received, details of the requester, key deadlines, and who is handling the response.
- If you need identification from the requester, ask for it straight away. (You’re allowed to confirm their identity before sharing personal data.)
Pro tip: Having a clear, documented process for handling SARs is good practice – it helps prove compliance if the ICO ever investigates.
2. Clarify the Scope If Needed
- Don’t guess if the request is vague. If you’re not sure what data the person wants, get in touch and ask for clarification.
- This helps avoid under- or over-sharing, and focuses your response on what really matters to the individual.
- For example: “We understand you would like access to your employment records. Could you please specify if you’re particularly interested in records relating to your pension, absence, or performance reviews?”
Clarifying saves time later – and makes it less likely you’ll accidentally share irrelevant or sensitive information.
If you want a detailed overview on this point, see our guide to document disclosure best practices.
3. Gather and Review the Relevant Documents
- Identify all places where you store the person’s data – email, databases, files, cloud storage, physical files, etc.
- Focus only on the personal data the individual has requested (don’t include their full HR file unless they’ve asked for it).
- Search terms can be useful for digital records; for paper files, check all relevant folders relating to the individual.
- Be thorough – missing records can result in complaints or enforcement action.
Not sure what information is in scope? Data might include emails mentioning the person, CCTV images if they’re identifiable, notes on meetings, or records on apps. But exclude data that isn’t about them, or which identifies other people unless you have consent or another lawful reason to share it.
If in doubt, or if third-party data is involved, check out our guidance on privacy policies and third-party disclosures.
4. Consider Third-Party Data and Redactions
- If documents include details about someone else, you generally need to redact (black out) that person’s data before sharing.
- You may disclose third-party data only with their consent or if it is reasonable in the circumstances (e.g. the requester already knows the information).
- Let the requester know if any documents have been redacted, and explain the reasons if appropriate.
For example, if you’re sharing meeting notes that mention multiple employees, redact the names/details of everyone except the requester, unless it’s reasonable to provide the full context.
5. Make the Disclosure and Provide Additional Information
- Send the personal data in a secure, accessible format – often as a PDF or physical copy, depending on the circumstances.
- Include all required GDPR information (purposes, recipients, retention, rights, etc. as listed above).
- Advise if any third parties have received their data, such as occupational health services or external payroll providers.
- Clearly explain how your business is using the person’s data.
- If you’re unable to supply some data (due to exemptions or redactions), outline the reasons why.
You cannot charge a fee for responding to a SAR unless the request is manifestly unfounded or excessive. The vast majority of requests must be supplied free of charge.
6. Keep Records of the Request and Response
- Document every SAR request, any communications, the data supplied, and any decisions made about exclusions or redactions.
- This record may be crucial if the requester raises a complaint or the ICO investigates.
Having a solid record-keeping process ties in with wider GDPR compliance obligations – it’s worth reviewing your procedures. For tips, read our guide to data privacy consent forms.
Common Questions When Handling SAR Requests
Can You Refuse a SAR?
In very limited circumstances, you can refuse to comply with a subject access request – usually if the request is “manifestly unfounded or excessive”, or if exemptions under the Data Protection Act 2018 apply (such as legal professional privilege).
If you intend to refuse all or part of a request, you must:
- Clearly explain the reasons for refusal
- Inform the individual about their right to complain to the ICO or seek a judicial remedy
Check guidance on when and how exemptions may apply in our detailed GDPR resource.
What If The Individual Asks For “All Data”?
If you receive a very broad subject access request (“please send me all the data you hold about me”), you’re obliged to make a reasonable search across all your records. However, you should proactively clarify if possible, as this helps you and the requester focus on what matters most.
Respond to the individual, highlight the scale of work involved, and invite them to specify what aspects they’re most concerned about. This isn’t about limiting their rights, but helping them (and you) get the most relevant data in the most efficient way.
What About Third-Party Data?
You must protect everyone’s privacy, not just that of the requester. If files or emails contain information about other people, you’ll need to consider your obligations to safeguard sensitive information and seek consent or redact data as appropriate.
Best Practices for Managing SARs Effectively
It can feel daunting to begin with, but following best practices will set your business up for SAR success:
- Establish a written SAR policy and clear process for your team to follow (this is especially important for businesses handling a high volume of data).
- Train staff on recognising and forwarding SARs immediately to the designated person or team.
- Use a checklist to guide each stage of your SAR process – from confirmation through to disclosure and record-keeping.
- Have an updated Privacy Policy that explains individuals’ rights and your SAR procedure, so you can refer requesters to it when needed.
- Seek legal advice if a request is complicated, involves sensitive data, or if you’re not sure about the lawful basis for disclosure.
Remember, a well-handled subject access request can increase trust with customers, staff, and regulators. It also means you’re less likely to face complaints or legal action in future.
Practical Examples: Responding to Common SAR Scenarios
- Employee requests only sickness absence records: Supply just the relevant records – not their whole HR file or unrelated emails.
- Customer requests details of their purchase history: Provide transaction records, related correspondence and any internal notes about their account (redacting third-party data where needed).
- Individual asks for “all emails mentioning my name”: Use electronic search tools, provide results where reasonable, but consider redaction if emails identify or include content about others.
- SAR involves third-party sharing (e.g. sent to a pension provider): Clearly inform the requester which third party received their data and why.
In every situation, open communication and clarification with the requester can make the process much smoother and help avoid accidental over- or under-disclosure.
Need more insights on these issues? Our guide to customer data rights and in-depth overview of GDPR requirements are packed with useful examples and further reading.
What Happens If I Get It Wrong?
If you fail to respond to a SAR in full, or you don’t meet the one-month deadline, the individual can complain to the ICO – and the ICO may investigate, order you to comply, or even issue a fine. It’s not just about penalties: a careless SAR response can damage your business’s reputation and undermine customer trust.
On the flip side, managing SARs efficiently helps your business stay trusted and compliant – and demonstrates you take privacy and transparency seriously.
Key Takeaways
- Any UK business or organisation handling personal data must be ready to respond to subject access requests (SARs).
- Respond to SARs within one month – and keep a written record of every request and your response.
- Only disclose the targeted personal data the individual has requested (not their entire record, unless asked).
- Seek clarification if you’re unsure what the requester wants – this protects both you and them.
- Redact or carefully handle any third-party data, and tell the requester if any third parties received their information.
- Establish clear policies and train staff so everyone recognises and responds to SARs correctly from day one.
- If a request is complex or sensitive, seek specialist legal advice to stay compliant and avoid costly mistakes.
Need Expert Help With SARs or GDPR Compliance?
Handling SARs doesn’t have to be daunting – and getting the legal foundations right can save your business headaches (and fines) down the track.
If you’d like support with SARs, data protection documentation, or any other aspect of GDPR compliance, our friendly team at Sprintlaw UK is ready to help. Reach out today on 08081347754 or email [email protected] for a free, no-obligations chat about protecting your business and your customers’ data.