Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you collect or use personal data in your business, you’ll eventually receive a Subject Access Request (SAR). That’s normal - and manageable.
Under the UK GDPR and Data Protection Act 2018, you’re required to respond correctly and on time. The good news is that with the right process, templates and training, SARs don’t need to derail your day-to-day operations.
In this guide, we’ll explain exactly what a SAR is, your legal obligations, the timeline you must meet, when you can refuse or limit a request, and how to build a practical, business-friendly SAR process that keeps you compliant and in control.
What Is A SAR Under UK GDPR?
A Subject Access Request (often shortened to “SAR”) is when an individual asks you for a copy of their personal data and certain supporting information about how you process it. Any individual can make a SAR - customers, employees, candidates, contractors and sometimes even suppliers’ staff.
Personal data is any information that relates to an identifiable person. That includes obvious items (names, emails, addresses, order histories), but also less obvious data like device IDs, call recordings, HR notes, CCTV footage, location data, IP addresses and in some cases opinions or assessments about a person.
Under the UK GDPR and the Data Protection Act 2018, when you receive a valid SAR you must provide:
- A copy of the personal data you hold about the requester.
- Key transparency information, including your purposes for processing, categories of personal data, recipients, retention periods, data source (if not obtained from the individual), transfers outside the UK and safeguards, and information about automated decision-making if relevant.
There’s no set format for a SAR. It can arrive by email, social media, web chat, post, or even verbally. Treat any message that says “please provide my data” (or similar) as a potential SAR. To reduce confusion, it helps to offer a clear route for requests - for example, a dedicated email and an online Access Request Form.
When Do You Need To Respond To A SAR?
The default response time is one month from the date you receive the request. In limited cases, you can extend by up to two further months if the request is complex or you’ve received multiple requests from the same person. You must tell the requester within the first month if you’re extending and explain why.
Before the time starts, you can ask for limited information to confirm identity if you have reasonable doubts about who’s asking. Don’t over-collect - only request what you need to be sure you’re disclosing to the right person.
Remember:
- Fees are generally not allowed. You can only charge a “reasonable fee” if a request is manifestly unfounded or excessive, or when the requester asks for additional copies.
- You should respond electronically where the request was made electronically, unless the individual asks otherwise.
- If a request is unclear, you can ask the requester to specify the information they want. The clock may pause while you wait for clarification, but don’t use this to delay unnecessarily.
Timeframes are one of the biggest pain points for SMEs. Having a clear process and tracking system goes a long way. If you’re unsure how to calculate time limits and extensions in tricky scenarios, it’s worth reviewing guidance on SAR deadlines.
How To Handle A SAR Step By Step
Setting up a consistent, repeatable playbook means your team can respond quickly without reinventing the wheel each time. Here’s a practical workflow you can adapt to your business.
1) Verify, Log And Acknowledge
- Confirm the requester’s identity if needed. Keep it proportionate.
- Log the SAR in your register with dates, contact details, summary of scope, and assigned owner.
- Send an acknowledgement within a few days. If you need clarification to narrow the scope, ask early.
2) Scope The Search
Identify which systems and teams may hold the person’s data. Common locations include:
- Email accounts (including shared inboxes and archived mailboxes).
- CRM, ticketing and helpdesk tools.
- HR systems, payroll, recruitment platforms and shared HR folders.
- Messaging and collaboration tools (Slack, Teams, WhatsApp used for work).
- Order, billing and accounting software.
- Marketing platforms, analytics, ad tools and web forms.
- CCTV and access control systems; call centre platforms and call recordings.
If your team communicates regularly by phone, factor in any recordings and notes, and make sure your processes for business calls are aligned with GDPR.
3) Collect And Review
- Gather all potentially relevant data. Be thorough but avoid collecting data that obviously isn’t about the requester.
- Review for third-party information and confidential content. You may need to redact information relating to other identifiable individuals unless you have consent or it’s reasonable to disclose without it.
- Check for privileged or exempt material (see “Exemptions” below).
4) Apply Redactions And Exemptions
Redact third-party personal data where required, and apply exemptions where they genuinely apply. Keep a clear record of what you withheld and why - you may need to justify decisions to the requester or the ICO.
5) Prepare The Response Pack
- Provide a copy of the personal data in a commonly used electronic format (unless the requester asks otherwise).
- Include your transparency information: purposes, categories, recipients, retention, source, transfers and safeguards, and details of any automated decision-making.
- Explain any redactions or exemptions in plain English.
- Offer contact details for follow-up and information on the right to complain to the ICO.
6) Send Securely And Close The Loop
- Send via a secure method (e.g. encrypted email, secure file share).
- Update your SAR register and retain a record of your search, decisions, redactions and response.
Templates save time and help ensure consistency. Many SMEs use a Subject Access Request template for acknowledgements, clarifications and final responses, and adopt a standard redaction protocol for documents and screenshots. If SARs create inbox chaos, set up a dedicated process for responding to SAR emails so you never miss a deadline.
When Can You Refuse Or Limit A SAR? (Key Exemptions)
Most SARs must be fulfilled. However, the law recognises that there are legitimate limits. You can refuse to comply (or comply in part) where a specific exemption applies, or if the request is manifestly unfounded or excessive.
Manifestly Unfounded Or Excessive
Examples include requests made with an intention to cause disruption without a legitimate purpose, or where the request clearly goes beyond what is reasonable (e.g. repeated requests for the same information in a short period). Even then, consider narrowing the scope first. If you still conclude it’s unfounded or excessive, you can refuse or charge a reasonable fee - but document your reasoning carefully.
Common Exemptions SMEs Encounter
- Legal privilege - communications with your lawyers for the purpose of legal advice or litigation.
- Confidential references - references you’ve given about an individual for employment or services.
- Management forecasting/negotiations - where disclosure would prejudice business negotiations or plans relating to the individual.
- Crime and taxation - where disclosure would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders.
- Third-party data - where you can’t disclose another person’s data without their consent and it’s not reasonable to do so.
These exemptions are nuanced and fact-specific. If you’re relying on one, explain it to the requester and keep a clear audit trail. For more detail on when these carve-outs apply, it’s worth reviewing common SAR exemptions.
Practical Ways To Make SARs Easier For Your Business
SARs can feel daunting, especially the first few. A little preparation goes a long way toward faster, smoother responses and fewer operational headaches.
1) Map Your Data And Consolidate Systems
Know where personal data lives across your tech stack. Maintain an up-to-date data map covering your CRM, billing, marketing, HR, collaboration tools, cloud storage and any local devices. Where possible, reduce duplicate stores and align retention periods so you’re not searching legacy systems unnecessarily.
2) Standardise Your Records
Adopt consistent folder structures and naming conventions for HR, customer support and operations. Train staff to avoid personal opinions in emails and chats unless necessary, and to keep discussions focused and factual - remember, internal notes can be captured by a SAR.
3) Use Templates And Checklists
Create a SAR playbook: acknowledgement, ID verification, clarification, search checklist, redaction guidance and final response. A structured approach and a ready-to-use Subject Access Request template will cut your response time significantly.
4) Tighten Your Privacy Framework
Strong privacy hygiene reduces SAR risk and effort. At a minimum, make sure you have:
- A clear, accurate Privacy Policy that sets expectations on data collection, use and rights.
- A robust Data Processing Agreement with any processor handling data for you (e.g. CRM, payroll, marketing tools).
- A Data Sharing Agreement where you share personal data with another controller.
- Consent and preference tools, including compliant cookie banners if you operate a website or app.
These documents and controls won’t just help with SAR compliance - they reduce disputes and build customer trust.
5) Train Your Team
Frontline staff often spot SARs first. Provide quick-reference guides and escalation paths so requests are recognised and routed promptly. Include SARs in your onboarding and refresher training, alongside security awareness and incident response.
6) Keep A SAR Register And Track Time
Log every request, its key dates and your decisions. Use a simple tracker to monitor the one-month deadline, any extensions, and the date you sent your response. This record is invaluable if the ICO ever asks questions.
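The timing rules from "When Do You Need To Respond To A SAR?" (one month from receipt, up to two further months' extension that must be notified within the first month, and a clock that may pause while you wait for clarification) and the register described in this step can be captured in a small tracker. The following is an added example, not code from the original article or from Sprintlaw. It assumes a hypothetical register row structure (`SarRecord`), models the pause as the number of days between asking for clarification and receiving it, and, where the next month has no corresponding day (e.g. a request received on 31 January), falls back to the last day of that month; that month-end rule follows the ICO's deadline-counting practice as the author of this example understands it and is not stated on the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional
import calendar


def add_months(start: date, months: int) -> date:
    """Return the corresponding calendar date `months` later.

    Assumption (not stated on the page): when the target month has no such
    day, e.g. 31 January + 1 month, use the last day of that month.
    """
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class SarRecord:
    """One row of the SAR register (hypothetical structure, not the page's own)."""
    ref: str
    received: date
    clarification_sent: Optional[date] = None      # date you asked the requester to narrow scope
    clarification_received: Optional[date] = None  # date they replied; None = still waiting
    extension_months: int = 0                      # 0, 1 or 2 further months
    extension_notified: Optional[date] = None      # date you told the requester you are extending
    responded: Optional[date] = None

    def paused_days(self, as_of: date) -> int:
        # Assumption: the clock pauses from the clarification request until the
        # reply arrives (or until `as_of` while you are still waiting).
        if self.clarification_sent is None:
            return 0
        end = self.clarification_received or as_of
        return max(0, (end - self.clarification_sent).days)

    def base_deadline(self, as_of: date) -> date:
        """One month from receipt, shifted by any paused days."""
        return add_months(self.received, 1) + timedelta(days=self.paused_days(as_of))

    def deadline(self, as_of: date) -> date:
        """Base deadline plus any extension (at most two further months)."""
        return add_months(self.received, 1 + self.extension_months) + timedelta(
            days=self.paused_days(as_of))

    def validate(self, as_of: date) -> List[str]:
        """Flag register entries that break the page's rules on extensions and pauses."""
        issues = []
        if self.extension_months not in (0, 1, 2):
            issues.append("extension must be 0, 1 or 2 months")
        if self.extension_months and self.extension_notified is None:
            issues.append("extension applied but requester not notified")
        if self.extension_notified and self.extension_notified > self.base_deadline(as_of):
            issues.append("extension notified after the one-month deadline")
        if (self.clarification_received and self.clarification_sent
                and self.clarification_received < self.clarification_sent):
            issues.append("clarification received before it was requested")
        return issues

    def status(self, as_of: date) -> str:
        due = self.deadline(as_of)
        if self.responded is not None:
            return "responded on time" if self.responded <= due else "responded late"
        gap = (due - as_of).days
        return f"due in {gap} days" if gap >= 0 else f"overdue by {-gap} days"


# Constructed sample register entries (not real requests).
AS_OF = date(2024, 4, 25)
SAMPLE_REGISTER = [
    SarRecord("SAR-001", received=date(2024, 1, 31)),                      # month-end edge case
    SarRecord("SAR-002", received=date(2024, 3, 5),
              clarification_sent=date(2024, 3, 7),
              clarification_received=date(2024, 3, 12),
              extension_months=2, extension_notified=date(2024, 4, 1)),   # complex request, extended in time
    SarRecord("SAR-003", received=date(2024, 2, 10),
              extension_months=1, extension_notified=date(2024, 3, 15)),  # extension notice sent too late
]


def report(register, as_of: date):
    """Summarise each request as (ref, deadline, status, validation issues)."""
    return [(r.ref, r.deadline(as_of).isoformat(), r.status(as_of), r.validate(as_of))
            for r in register]


if __name__ == "__main__":
    for row in report(SAMPLE_REGISTER, AS_OF):
        print(*row)
```

Running the script on the sample register shows SAR-001 due on 29 February (the 31st does not exist in February), SAR-002 with its five paused days and two-month extension pushed to 10 June, and SAR-003 flagged because the extension was notified after its one-month deadline had already passed. Public holidays and weekends are deliberately not handled here; add that logic if your register needs it.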
SARs In Common SME Scenarios
Not all SARs look the same. Here are situations where SMEs often need a more tailored approach.
Employee And HR Files
Employees and ex-employees are frequent requesters. Expect requests covering emails, performance notes, absence records and grievances. Be ready to search manager mailboxes and chats, apply third-party redactions carefully, and consider whether any management forecasting or legal privilege applies.
Customer Support And Complaints
Support inboxes and ticketing tools are common data sources. Keep case notes factual and centralised. If a customer makes a SAR within a live complaint, coordinate your responses - you still need to meet the SAR deadline even if the complaint is ongoing.
Call Recordings
If you record calls, you’ll likely need to locate and extract the requester’s calls. Ensure your staff can search by number, account ID or timestamp. Also check your scripts and notices to make sure callers are informed about recordings, in line with the GDPR rules on business calls.
CCTV And Access Control
Where you hold CCTV, a SAR may require you to extract footage of the requester. Redaction of other individuals is often necessary. Keep retention periods short and have a practical process for exporting and blurring faces when required.
Messaging Apps And BYOD
Work-related chats in platforms like Slack, Teams or WhatsApp (including on personal devices used for work) can be in scope. Set clear policies on acceptable use and retention. Avoid using personal accounts for customer or HR matters wherever possible to minimise SAR complexity.
Frequently Asked SAR Questions
Can We Ask Someone Why They Want Their Data?
You can ask a requester to clarify what they want (especially if the request is broad), but you can’t require them to justify their reasons as a condition for responding.
Do We Have To Search Backups?
If backups are not accessible as part of your normal business processes and you would need disproportionate effort to restore them, you generally don’t need to search backups - but you should search any live systems and archives you can reasonably access.
What If The Request Mentions Specific Terms Like “All Emails About Me”?
Discuss scope early. Offer date ranges, specific mailboxes, or subjects to narrow searches. Include this discussion in your acknowledgement so the timeline remains clear.
Do We Have To Provide Screenshots?
You must provide the personal data. That can be screenshots, exports or PDFs - whatever is practical and clear. Focus on accuracy and completeness, not a particular format.
What If We Miss The Deadline?
Act quickly: send the response as soon as possible, explain the reason for the delay, and review your process to prevent recurrence. Repeated or serious failures can lead to ICO intervention, so prioritise building a reliable workflow from the start.
Key Takeaways
- A SAR is any request from an individual for their personal data and related information - treat informal messages as valid requests.
- You usually have one month to respond, with a possible two-month extension for complex requests. Track your timeline, manage scope early, and follow the established SAR deadline rules.
- Follow a clear process: verify, log, scope searches, review and redact, apply exemptions carefully, and send a complete response securely.
- You can refuse or limit a SAR if it’s manifestly unfounded or excessive, or where a specific exemption applies - but document your reasoning and communicate clearly. For common carve-outs, review typical SAR exemptions.
- Make life easier by preparing templates, training staff, and strengthening your privacy framework - including a current Privacy Policy, a solid Data Processing Agreement with processors, and a Data Sharing Agreement where appropriate.
- Offer a clear route for requests, like an online Access Request Form, and align your website consent tools with compliant cookie banners.
- If your team handles calls or recordings, ensure your search process and notices align with the GDPR requirements for business calls.
If you’d like tailored help setting up a practical SAR process, drafting response templates, or tightening your privacy documentation, we’re here to help. You can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.