Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Feeling overwhelmed by a SAR?
- Fees
- Finding and supplying the data
- Third-party information and redaction
- Key exemptions - when you can withhold information
- Why SARs can be complex in practice
- Lawyer-led process - what “good” looks like
- If you are handling SARs in-house
- Common pitfalls to avoid
- Key takeaways
- Need help?
SARs can feel daunting. This guide explains what they are, the legal deadlines, when you can narrow scope or refuse, what to disclose, common traps, and how lawyer support keeps you compliant and calm.
Feeling overwhelmed by a SAR?
Whether you run a small business, lead HR, or handle data in a startup, Subject Access Requests can be time-consuming - especially if you hold years of emails, chats and files. With UK GDPR and the Data Protection Act 2018, getting SARs right is not a box-tick - it is essential for compliance and trust.
What is a Subject Access Request?
A Subject Access Request (SAR) is an individual’s right to access the personal data you hold about them. In UK law this sits under UK GDPR Article 15 and the Data Protection Act 2018. A SAR can be made verbally or in writing - including via social media - and does not need to say “subject access request”. A representative can also make it on someone’s behalf.
What people can ask for
- A copy of their personal data
- Confirmation you process their data and key details about that processing - purposes, categories, recipients, retention, rights, source, any automated decision-making, and safeguards for international transfers.
Deadlines and extensions
You must respond without undue delay and within one month of receipt. You can extend by a further two months if the request is complex or you have received multiple requests from the same individual - but you must tell them within the first month and explain why. Weekend and bank holiday timing follows a calendar month rule, with the next working day if the due date lands on a non-working day.
When you can “stop the clock”
- Identity verification - you can pause the time until you have sufficient ID.
- Clarifying scope - if you genuinely process a large amount of data about the individual and need scope clarified, you can pause the time while waiting for clarification. Use this only when necessary and proportionate.
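To make the deadline rules above concrete, here is an added example (not from the original article or from Sprintlaw) of a SAR deadline calculator: one calendar month from the day the clock starts (receipt, or the later day you received ID or scope clarification), two further months if extended, rolled to the next working day. The bank-holiday set is constructed, and the fallback to the last day of the month when the same day-of-month does not exist is an assumption, not a rule the article states.

```python
from datetime import date, timedelta
from typing import Optional
import calendar

# Constructed bank-holiday set for illustration only; use the official
# UK list in practice.
BANK_HOLIDAYS = {date(2024, 12, 25), date(2024, 12, 26), date(2025, 1, 1)}

def add_calendar_months(d: date, months: int) -> date:
    """Same day-of-month N months on. If that day does not exist
    (31 Jan + 1 month), use the last day of the target month; this
    fallback is an assumption, not a rule stated in the article."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def next_working_day(d: date) -> date:
    """Roll forward over weekends and bank holidays."""
    while d.weekday() >= 5 or d in BANK_HOLIDAYS:
        d += timedelta(days=1)
    return d

def sar_due_date(received: date, clock_start: Optional[date] = None,
                 extended: bool = False) -> date:
    """Deadline = one calendar month from the day the clock starts
    (receipt, or the later day you received ID / scope clarification),
    plus two further months if extended, rolled to the next working day
    if it lands on a non-working day."""
    start = max(received, clock_start or received)
    months = 3 if extended else 1
    return next_working_day(add_calendar_months(start, months))

def extension_notified_in_time(received: date, notified: date,
                               clock_start: Optional[date] = None) -> bool:
    """An extension must be notified within the first month, i.e. no
    later than the unextended deadline."""
    return notified <= sar_due_date(received, clock_start)

if __name__ == "__main__":
    r = date(2025, 1, 31)
    print(sar_due_date(r))                 # 2025-02-28
    print(sar_due_date(r, extended=True))  # 2025-04-30
    print(sar_due_date(date(2025, 1, 1)))  # 2025-02-03 (1 Feb is a Saturday)
```

Log the inputs (receipt date, ID date, extension notice date) alongside the computed deadline so the calculation itself forms part of your audit trail.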
Fees
Most SARs are free. You may charge a reasonable fee or refuse to act if a request is manifestly unfounded or excessive, but you must be able to justify that decision.
Finding and supplying the data
Carry out a reasonable and proportionate search across relevant systems. Provide the data securely, in an accessible format. You usually supply copies, but you are not obliged to create new documents or transcripts that do not exist.
Third-party information and redaction
Personal data about other people often appears alongside the requester’s data. You should try to obtain the third party’s consent before disclosure where appropriate, or assess whether disclosure without consent would be reasonable in the circumstances. If not appropriate to disclose, redact.
Key exemptions - when you can withhold information
Not everything must be disclosed. The Data Protection Act 2018 contains exemptions - you should apply them carefully and record your reasoning. Common ones include:
- Legal professional privilege - privileged communications are exempt.
- Confidential references given (for employment, education, training).
- Management information and negotiations where disclosure would prejudice business planning or negotiations with the individual.
- Crime and taxation, regulatory functions and other public interest exemptions in specific circumstances.
Why SARs can be complex in practice
- Volume - years of emails, chats and docs across cloud apps.
- Mixed content - third-party data and confidential business information alongside personal data. Careless disclosure risks data breaches and harm.
- Contentious contexts - SARs often arise during employment disputes or grievances - responses may later be scrutinised in tribunal or by the ICO.
Lawyer-led process - what “good” looks like
- Scope and strategy - confirm what is requested, deadlines, lawful basis to narrow scope, and possible exemptions.
- Comms - handle clarification, ID, and updates professionally and on time. Keep records.
- Search and collect - structured, proportionate searches across mailboxes, HR systems, cloud stores and chat tools.
- Review and redact - apply exemptions and third-party balancing tests, document decisions.
- Produce and deliver - provide data and Article 15 supplementary information securely, with a clear covering letter and audit trail.
If you are handling SARs in-house
- Train staff to recognise SARs in any channel and route them fast.
- Keep a SAR log and standard templates for acknowledgments, clarification, and responses.
- Build a redaction checklist for third-party data and common exemptions.
- Set reminders for calendar-month deadlines and document any extensions or pauses with reasons.
Common pitfalls to avoid
- Waiting for a “formal” SAR - informal or verbal requests still count.
- Searching everywhere except chat or collaboration tools.
- Over-redacting or under-redacting third-party data without a consent or reasonableness assessment.
- Missing Article 15 supplementary information in the response pack.
- Assuming “stop the clock” applies in all cases - it is limited and must be justified.
Key takeaways
- One month to respond, with a possible two-month extension for complex or multiple requests - tell the requester within the first month.
- You can pause time for ID checks and, in limited cases, for scope clarification where you process large volumes.
- Supply the data plus Article 15 details - purposes, categories, recipients, retention, rights, source, automated decision-making and relevant transfer safeguards.
- Use exemptions carefully - legal privilege, confidential references, negotiations and management information, crime and taxation, and regulatory functions, among others.
- Document everything - searches, redactions, exemptions and communications. This is your best defence if challenged.