Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, chances are you’ll deal with personal data every day - customer enquiries, employee records, marketing lists, CCTV, emails, support tickets, and more.
That also means you might receive a request from someone to access their personal data under the GDPR (often called a “subject access request” or “SAR”). When this happens, it’s easy to feel like you’re suddenly expected to become a data protection expert overnight.
Don’t stress. With a clear process, responding to a subject access request is manageable - and getting it right can reduce your legal risk, protect your reputation, and save your team a lot of time.
In this guide, we’ll walk you through what a SAR is, what triggers your duties, the UK deadlines, how to respond step-by-step, and the common mistakes we see businesses make.
What Is A GDPR Subject Access Request (SAR) And Why Does It Matter For Small Businesses?
A subject access request (SAR) is a request from an individual (the “data subject”) asking you to confirm whether you process their personal data, and if you do, to provide them with access to it.
In the UK, SAR rights come from the UK GDPR (as incorporated into UK law post-Brexit) and the Data Protection Act 2018.
From a small business perspective, SARs commonly come from:
- Employees (for example, in a dispute, grievance, or performance process)
- Former employees (especially around exit arrangements)
- Customers (for example, complaints about service, deliveries, or marketing)
- Members / subscribers (especially if you run an online platform)
- Job applicants (particularly after an unsuccessful recruitment process)
It matters because the consequences of mishandling a SAR can include:
- Complaints to the Information Commissioner’s Office (ICO)
- Time-consuming follow-up correspondence and internal disruption
- Regulatory enforcement (in serious cases)
- Damage to trust (especially if the requester is a customer or a team member)
Handled properly, a SAR response shows your business is organised, transparent, and taking compliance seriously.
When Do You Have To Treat A Message As A SAR?
One of the biggest practical issues for businesses is recognising a SAR early.
A request doesn’t need to:
- use the words “subject access request” or “SAR”
- mention “GDPR”
- be in a specific format
- go to a specific person or inbox
If someone asks for their personal data (or asks what information you hold about them), you should treat it as a potential SAR and triage it immediately.
Examples Of Requests That Are Often SARs
- “Can you send me everything you have on me?”
- “I want a copy of all emails about me.”
- “What data do you hold about my account and why?”
- “Please provide my HR file and any notes made about me.”
What If It’s A Verbal Request?
A SAR can be made verbally (for example, on the phone or in person). In practice, it’s usually best to:
- make a written record of the request (date/time/what was asked)
- confirm in writing what you understand the scope to be
- route it internally to whoever manages data protection tasks
If you want a simple process for capturing requests consistently, it can help to use an Access Request Form so you’re asking the same scoping questions every time.
Do You Need To Ask The Person To Fill In A Form?
You can offer a form to help the person clarify what they want, but you generally shouldn’t make completion of your form a strict condition if their request is already clear.
The key is: don’t delay. Your legal response clock will usually start when you receive the request - although if you reasonably ask for proof of identity (or clarification), the deadline can effectively pause while you’re waiting for that information.
GDPR Subject Access Request Deadlines (And When You Can Extend)
Timing is one of the biggest compliance pressure points with a subject access request.
In the UK, the standard time limit is:
- One month to respond, starting from the date you receive the request (or, if relevant, from when you receive any ID you reasonably requested)
“One month” usually means the same date in the next month (not “4 weeks”), so diarising correctly matters.
You can dive deeper into the response time rules and how to calculate them in SAR response timescales, but the key operational point is: treat day one as the day you receive it, and work backwards from the deadline.
Can You Extend The Deadline?
Yes - but only in specific circumstances. If the request is complex or you have received a number of requests from the same individual, you can extend the time to respond by up to two additional months (so up to three months total).
If you extend, you should:
- tell the person within the original one-month period
- explain why you need more time
- confirm the new deadline date
Can You Charge A Fee?
Usually, no. SARs are generally free to respond to.
You may be able to charge a “reasonable fee” (or refuse) if a request is manifestly unfounded or excessive - but this is an area where getting advice is sensible, because mishandling a refusal can create avoidable risk.
How To Respond To A GDPR SAR: A Practical Step-By-Step Process
The easiest way to keep SARs under control is to use a repeatable workflow your team can follow each time. Below is a practical approach that works well for small businesses.
1) Acknowledge The Request And Clarify The Scope
You don’t need to provide the data immediately, but you should acknowledge the request promptly and start managing expectations.
Where it’s unclear what the person wants, you can ask them to narrow it down. For example:
- the time period (e.g. “January–June 2025”)
- the categories of data (e.g. “support tickets”, “HR file”, “CCTV footage”)
- specific systems (e.g. “emails”, “CRM notes”, “call recordings”)
Be careful here: asking for clarification shouldn’t be used as a stalling tactic. If the request is already clear enough, you should proceed.
It can also help to standardise the questions you ask, and keep your process consistent, using SAR templates for acknowledgement and scoping.
2) Check Identity (But Only Where Necessary)
You’re allowed to verify identity if you have reasonable doubts about who is making the request.
For example, identity checks are more likely to be appropriate where:
- the person is emailing from an unknown address
- you don’t have an ongoing relationship with them
- you hold sensitive data and want to ensure it goes to the right person
However, if it’s obviously the right person (for example, a logged-in customer making a request through their account email), asking for unnecessary ID can create friction and may look like delay.
3) Put A “Hold” On Deletions And Routine Data Purges
Once a SAR is received, you should take reasonable steps to ensure relevant data isn’t deleted as part of normal housekeeping.
This is one reason having clear retention rules matters. If your team is unsure what should be kept and for how long, it’s worth reviewing your approach to data retention periods.
4) Identify Where The Personal Data Lives (Your “Data Map”)
SARs become painful when you have to hunt across 12 systems with no plan.
For small businesses, personal data often sits across:
- email (Microsoft 365 / Google Workspace)
- Slack / Teams messages
- HR systems and payroll
- CRMs and sales pipelines
- support platforms (chat logs and tickets)
- marketing platforms and mailing lists
- CCTV systems and access logs
- shared drives and folders
- personal devices (if staff use BYOD)
Assign an internal owner (or small working group) who can coordinate searches and document what was searched, when, and by whom.
5) Collect The Data, Then Review It Carefully Before Disclosure
Once you’ve gathered the information, the next step is review. This is where many businesses go wrong - either by disclosing too much (privacy breach risk) or disclosing too little (non-compliance risk).
You’ll often need to:
- remove third-party personal data (for example, other employees’ names, customer details, or private contact info)
- apply redactions where appropriate
- separate out information that isn’t actually the requester’s personal data
What Can You Withhold Or Redact?
You don’t necessarily have to provide everything in its raw form.
There are situations where you may be entitled (or required) to withhold certain information - for example, where disclosure would reveal another person’s personal data, or where legal privilege applies.
This area can get technical quickly, particularly in employment-related disputes. For a practical overview, see what you can withhold.
As a general rule: if you’re unsure whether something should be disclosed, it’s often worth getting advice before sending your final pack. A rushed disclosure can accidentally create a separate GDPR issue.
6) Prepare The Response Pack (Not Just A Data Dump)
A compliant SAR response usually includes:
- confirmation that you process their personal data
- a copy of the personal data (in a commonly used electronic format where relevant)
- supporting information required by UK GDPR (often called “supplementary information”), such as:
  - purposes of processing
  - categories of personal data
  - recipients (or categories of recipients)
  - retention periods (or how they’re decided)
  - rights to rectification/erasure/restriction/objection (where applicable)
  - right to complain to the ICO
  - where the data came from (if not collected directly from them)
This is one reason it’s helpful to have your privacy documents and internal compliance materials in shape. Many businesses use a GDPR Package as a starting point so policies, processes, and response templates aren’t being built from scratch under pressure.
7) Deliver The Response Securely
Finally, think about how you deliver the information. Email attachments might be fine in some cases, but you should consider the sensitivity of the content.
Good practice options can include:
- password-protected files (with the password shared separately)
- a secure portal for download
- encrypted transfer tools
Also keep an internal record of what you disclosed and when. If the person challenges your response later, being able to show an audit trail is extremely helpful.
Common SAR Mistakes That Trip Up UK Small Businesses
Most SAR problems aren’t caused by bad intentions - they happen because teams are busy, systems are messy, and people panic. Here are some of the most common issues we see.
1) Missing The Deadline Because No One “Owns” SARs
If a SAR arrives in a general inbox and gets forwarded around, it’s easy to lose days (or weeks). You’ll reduce risk by:
- assigning a specific person/team to manage SARs
- training customer-facing staff to recognise a SAR
- setting up an internal escalation process
2) Treating A SAR Like A Dispute (Instead Of A Compliance Process)
When a request comes from an unhappy customer or a former employee, it can feel personal.
But your SAR response should stay factual and process-driven. Avoid commentary, defensiveness, or arguments inside the SAR response pack. If there’s a commercial or employment dispute happening at the same time, deal with that separately.
3) Over-Disclosing And Accidentally Breaching Someone Else’s Privacy
One of the biggest risks is sending unredacted data that includes other people’s personal information (for example, internal emails mentioning other employees, customers, or suppliers).
If that happens, you may have created a personal data breach - and depending on the severity, you might need to consider your obligations around incident response. Having a plan such as a Data Breach Response Plan can take a lot of the chaos out of those moments.
4) Doing A “Keyword Search” Only (And Missing Other Systems)
Searching one inbox for the requester’s name isn’t enough if their personal data is also held in:
- HR records
- chat logs
- shared drives
- call recordings
- support platforms
Your approach should be reasonable and proportionate, but it should also be defensible. If the ICO asks how you searched, “we looked in one mailbox” usually won’t cut it.
5) Refusing The Request Too Quickly (Or For The Wrong Reason)
Sometimes businesses assume they can refuse a SAR because:
- the person has an ongoing complaint
- the request is inconvenient
- it will take time to compile
Those aren’t valid reasons on their own.
Refusals tend to be high-risk decisions. If you’re thinking about refusing (or charging a fee), it’s smart to get advice first so your reasoning and communications are aligned with UK GDPR.
6) Forgetting That SARs Often Intersect With Employment Processes
For small businesses, SARs often come up during:
- disciplinaries
- grievances
- performance management
- dismissal processes
This is where careful handling is crucial. You may be balancing employee rights, third-party privacy, and legally privileged advice - all while keeping an employment process moving fairly.
Even if your HR is outsourced, it’s worth ensuring the “who does what” is clearly agreed internally, and that you have policies and contracts that match how you operate.
Key Takeaways
- A subject access request (SAR) can be informal and doesn’t need special wording - train your team to spot them early.
- You usually have one month to respond, and extensions are only available in limited circumstances (and must be communicated in time).
- A strong SAR response process includes: acknowledging and scoping the request, checking identity where appropriate, mapping systems, collecting data, reviewing/redacting, and delivering securely.
- Be particularly careful not to disclose third-party personal data or legally privileged information - over-disclosure can create a separate GDPR breach risk.
- Common mistakes include missed deadlines, incomplete searches, rushed refusals, and treating SARs like a “fight” instead of a compliance workflow.
- Good GDPR foundations (policies, retention practices, and templates) make SAR responses faster, calmer, and more defensible.
If you’d like help putting a SAR process in place, reviewing a tricky request, or improving your GDPR compliance, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.