Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’ve ever received an email from a customer or employee asking for “all the personal data you hold on them,” you’re not alone. Subject Access Requests (SARs) are part and parcel of modern business under data protection laws. And one of the most common questions UK businesses have is: How much does a subject access request cost? Are you allowed to charge? If so, how much? Or are SARs always free? Knowing where you stand is vital for compliance - and for protecting your business against hefty ICO fines or reputational risks.
In this straightforward guide, we’ll walk you through when you can charge a fee for a SAR, how to calculate it, and the practical steps to ensure you stay on the right side of the UK GDPR. By the end, you’ll know what’s expected - and how to handle SARs efficiently, confidently, and lawfully.
What Is a Subject Access Request (SAR)?
Let’s start with the basics: A Subject Access Request is when an individual (such as a customer, employee, or service user) asks your business what personal information you hold about them. Under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, anyone has the legal right to ask for:
- Confirmation that you’re processing their personal data
- Access to a copy of that data
- Other supplementary information (such as why you have it, who you share it with, how long you keep it, etc.)
These rules apply to any organisation that processes personal data - so that’s almost all UK businesses and charities. If you get a request, you can’t ignore it or put it off: you must respond within one calendar month.
If you’re new to data protection or unsure if your business is compliant, it’s worth reviewing our Essential Guide To Data Protection And Security Compliance Under UK GDPR for the full picture.
Are Subject Access Requests Free or Can You Charge?
The short answer? In most cases, subject access requests should be free of charge. This is spelled out in Article 12(5) of the UK GDPR.
But there are important exceptions. You can charge a “reasonable fee” if:
- The request is manifestly unfounded or excessive - for instance, if someone keeps making repeat requests or is clearly trying to cause a nuisance
- The requester asks for additional copies of information they’ve already received
The key takeaway? Charging a fee for a legitimate, first-time request is not allowed. But if you’re dealing with repetitive, burdensome, or obviously abusive requests, you have the right to cover your costs.
How Much Does a Subject Access Request Cost? (UK Law)
Let’s get down to specifics. If you can charge for a subject access request due to it being excessive, unfounded, or a request for additional copies, you must keep the fee “reasonable”. But what does that actually mean?
- You can only charge to cover the administrative costs of handling the request
- This might include staff time, printing, postage, or electronic delivery costs (but not for profit)
- The ICO recommends that any charges are proportionate and justifiable
There’s no set amount, but typically, fees are:
- £10-£50 for complex requests (based on the time, effort, and materials involved)
- Lower if just covering the cost of posting, copying, or providing extra copies digitally
If you do charge, you need to:
- Explain why you believe the fee is justified (and be ready to justify this to the ICO)
- Let the person know before processing their request, so they can choose to continue or withdraw
For most SMEs, it’s rare to encounter requests you can actually charge for - but it does happen from time to time. If you’re unsure, check out the ICO’s detailed guide on GDPR essentials or speak to a data privacy lawyer for a specific scenario.
What Counts as “Excessive” or “Manifestly Unfounded”?
These terms might sound a little subjective but the ICO offers some practical pointers:
- Excessive: If the request repeats what has previously been dealt with, or requests an unreasonable volume of information, or is part of a pattern of harassment
- Manifestly unfounded: If it’s clear the person has no real intention of exercising their data rights but instead wants to disrupt your business, or is acting maliciously (for example, making unsubstantiated accusations or seeking to harass staff)
It’s important to recognise these types of requests, but also to approach them with care. Wrongly labelling a genuine request as “excessive” could lead to complaints or ICO action, so be cautious and document your reasoning. If you consistently receive similar requests (e.g., from dissatisfied ex-employees), consider tightening your staff’s SAR handling processes and reviewing your Privacy Policy for clarity.
How Should You Respond to a Subject Access Request?
If you receive a SAR, here’s what you should do:
- Check the identity: Make sure you’re dealing with the actual data subject, not someone impersonating them.
- Clarify the request (if needed): For complex or unclear SARs, ask the requester for more details. You can pause the one-month time limit until they reply with clarification.
- Locate the data: Search all storage locations (paper, email, cloud, CRM systems, backups, etc.).
- Check for exceptions: Some info may be exempt (for example, data that includes other people’s information). Always consider if redactions are needed.
- Prepare your response: Usually this means providing the personal data, plus an explanation of your data processing (categories, recipients, source, retention period, etc.).
- Issue the response within one month (unless you need more time, in which case you must tell the requester why and when they’ll receive the information).
- If charging a fee: Notify the requester and don’t start processing until you’ve received payment.
For a detailed workflow and best practices, read our guide to responding to SARs.
Should You Ever Refuse a SAR - And What Are the Risks?
While you are obliged to meet most SARs, you do have the right to refuse them if they are truly “manifestly unfounded or excessive.” If this is the case:
- Inform the requester of your decision and why
- Let them know they can complain to the Information Commissioner’s Office (ICO) or seek a legal remedy
Don’t take this step lightly. Wrongly refusing a SAR can lead to investigations, fines of up to £17.5 million (or 4% of global turnover), and reputational damage. It’s best to get professional advice before refusing any request.
More info on refusals and exemptions is available in our SAR exemptions guide.
What Can You Charge for a Subject Access Request in Practice?
So, what does this mean for your business on a day-to-day basis? Here’s a summary:
- Most SARs must be processed without charge.
- You can charge a “reasonable fee” only if:
  - The request is repetitive, excessive, or manifestly unfounded; or
  - The requester asks for additional copies of their data
- The fee must be based on actual administrative costs (not profit or a “flat rate”).
- Examples of chargeable costs can include:
  - Staff time spent retrieving/compiling data
  - Photocopying or printing (if substantial)
  - Postage (if mailing large files or data sets)
  - USB sticks or hard drives (for large digital data sets)
- You must notify the requester upfront about any fee, wait for payment before doing further work, and never overcharge.
The upshot? If a customer or employee simply asks you for their personal information for the first time, you’ll almost certainly need to provide it free of charge. But if someone is targeting your business with repeat or unreasonable requests, you don’t have to carry the burden entirely on your own.
If you need more help, consider reviewing your data request procedures or using a template SAR response form to streamline your workflow.
Tips For Reducing the Burden (And Staying Compliant)
Handling SARs shouldn’t be a cause for panic. Set your business up for smooth compliance by:
- Having clear internal procedures or templates for responding to data requests.
- Making your privacy policy clear about how people can make SARs and what they’ll get in response.
- Regularly reviewing your GDPR compliance to spot potential issues before they lead to requests or complaints.
- Training staff in SAR handling - so requests are handled promptly, correctly, and consistently.
- Seeking legal advice early if you receive what looks like a complex, excessive, or potentially abusive request.
Remember, efficient compliance will not only keep you on the right side of the law - it also builds trust and credibility with staff, customers, and the wider public.
Key Takeaways: How Much Does a Subject Access Request Cost?
- Most subject access requests (SARs) must be completed free of charge under UK GDPR, unless they are excessive, abusive, or repeat requests for the same data.
- You can charge a “reasonable fee” if the request is manifestly unfounded or excessive, or for subsequent copies of previously provided data - but only to recover actual administrative costs.
- The “subject access request charge” must be proportionate and justifiable, covering staff time and expenses, not for profit.
- Notify the requester before charging, and don’t begin processing until the fee is paid if you decide to charge.
- Be cautious and document your reasoning if you refuse a SAR or charge a fee, as mistakes can lead to ICO complaints, fines, and reputational harm.
- Best practice is to make SAR processes efficient and transparent with clear policies, trained staff, and GDPR-compliant documentation.
- If in doubt, always seek legal guidance to ensure your business is protected and compliant.


