Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you handle any personal data about customers, staff, suppliers or website users, a Subject Access Request (SAR) will land on your desk sooner or later.
Don’t stress - with a clear process, you can respond lawfully and on time without derailing your day-to-day operations.
In this guide, we’ll walk through exactly what you must do when you receive a SAR under the UK GDPR and the Data Protection Act 2018, common pitfalls to avoid, and how to build a simple, repeatable process that keeps you compliant from day one.
What Is A Subject Access Request (SAR) Under UK GDPR?
A Subject Access Request is a request from an individual to access their personal data that your business holds. Under the UK GDPR and the Data Protection Act 2018, people have the right to:
- Confirm whether you’re processing their personal data
- Access that personal data (usually as a copy)
- Receive other information about how you process it (e.g. purposes, categories, recipients, retention, and their rights)
A SAR can be made through any channel - email, contact form, social media DM, or even verbally. There’s no special wording required. If someone says “please send me the data you hold about me” or “I want all data about me,” treat it as a SAR.
Important: You generally can’t charge a fee and you have one month to respond. You can extend by two further months if the request is complex, but you need to tell the requester within the first month and explain why.
When I Get A Subject Access Request (SAR), I Must Do These Things
Here is the practical checklist to follow from the moment a request arrives.
1) Diarise The Deadline
Start the one-month clock from the date you receive the request. If you need more time due to complexity, set a reminder to issue an extension notice within the first month explaining the reasons and the new timeline. For a deeper dive on timing rules (including pausing the clock while you verify identity), see our plain-English guide on SAR deadlines.
2) Verify Identity (If Needed)
If you doubt the identity of the requester, you’re entitled to ask for reasonable ID before you disclose anything. Be proportionate - don’t collect more ID than needed. Tell the requester that the deadline is paused until ID is provided.
3) Clarify Scope
Requests can be broad (“all data”). It’s lawful to ask the person to narrow the scope (dates, specific systems, keywords) to make the search more efficient - but remember, they don’t have to narrow it. The clock may pause while you await clarification if the request is genuinely unclear.
4) Search All Relevant Systems
Perform reasonable and proportionate searches across email, CRM, HR files, messaging platforms, shared drives, and SaaS tools where you process personal data. Don’t forget archived mailboxes, backups you can reasonably access, and data held by processors (e.g. payroll, marketing platforms) - which is why having a robust Data Processing Agreement with each supplier matters.
5) Collate And Review The Data
Pull together the personal data and review it carefully. The aim is to disclose the requester’s data while protecting the rights of others and respecting lawful exemptions.
6) Redact Third-Party Data
Where documents contain the personal data of other individuals, you’ll usually need to redact those third-party details unless you have consent or it’s reasonable to disclose. Be particularly cautious with staff emails, chat logs and complaints files.
7) Consider Exemptions
The law provides exemptions (for example, legal professional privilege, management forecasting, negotiations, references, crime and taxation). You should only rely on an exemption where it clearly applies, and document your reasoning. Our guide to SAR exemptions explains the common ones in plain English.
8) Prepare The Accompanying Information
It’s not just the data. You also need to provide the “privacy information” required by UK GDPR - things like why you process the data, categories, recipients, retention periods, lawful bases, and the requester’s rights. Much of this should mirror what you already set out in your Privacy Policy.
9) Deliver Securely, In A Common Format
Provide the data electronically where possible (unless they ask otherwise). Use a common, readable format and transfer it securely (e.g. a password-protected link, with the password sent by a separate channel). Keep an audit trail of what you sent and when.
10) Keep Clear Records
Maintain a SAR log with dates, steps taken, systems searched, reasons for redactions or exemptions, and copies of the correspondence. If the ICO investigates, this record will be invaluable.
Can I Refuse Or Narrow A SAR? (Exemptions, Fees And Repetitive Requests)
Most SARs must be fulfilled without charge. However, the UK GDPR gives you sensible guardrails.
Manifestly Unfounded Or Excessive
If the request is clearly made with malicious intent or is excessive (for example, repetitive with no new information), you can either refuse to comply or charge a reasonable fee for administrative costs. Be cautious here - you’ll need to justify your decision. A proportionate narrowing request often avoids this scenario.
Repeated Requests
If the same person asks for their data again, you aren’t obliged to provide another copy if nothing has changed. Consider whether anything has materially changed since the last response before deciding to refuse or charge a fee.
Partial Disclosure Using Exemptions
You can withhold specific information where a statutory exemption applies (e.g. legal privilege). You should still provide the remainder of the data. Where appropriate, explain that certain information has been withheld and the reason (without revealing the withheld details).
What If The Deadline Is Impossible?
If you genuinely need more time due to complexity or volume, you can extend by up to two further months - but you must notify the requester within the first month with reasons. Again, see SAR deadlines for how this works in practice.
Handling Tricky SARs: Employees, CCTV And Third-Party Data
Some SARs are straightforward (e.g. a customer wants a copy of their contact details). Others are more complex.
Employee SARs
Employee SARs often involve large volumes of emails, chat messages and HR files. Be systematic:
- Search professional accounts (email, Slack, HRIS) and any reasonable locations where you process staff data.
- Redact colleagues’ personal data where disclosure isn’t reasonable.
- Apply exemptions where appropriate, such as management forecasting or negotiations, or legal privilege regarding ongoing disputes.
If you operate a bring-your-own-device environment, ensure your policy covers data access and retention. Expect to search business data even if it’s on personal devices used for work. Employers should pay close attention to privacy risks with mobile devices - our guide on work phones vs BYOD highlights common GDPR pitfalls.
CCTV And Audio
If you use CCTV at your premises (or audio recording), SARs can include requests for footage containing the requester. You’ll need to:
- Identify footage featuring the individual (using timestamps/locations provided)
- Blur or mask third parties where reasonably possible before disclosure
- Consider retention periods - deleting CCTV too quickly can frustrate lawful access; holding it too long creates risk
When collecting any surveillance data, be clear in your Privacy Policy about purposes and retention, and ensure signage and DPIAs are in place.
Cloud Storage And Searching
Many SAR headaches come from scattered data. If you’re using cloud tools, make sure your storage and sharing practices align with UK GDPR. Our explainer on Google Drive covers common compliance questions and settings to check so you can search and export data efficiently.
Children’s Data
If a parent or guardian makes a SAR on behalf of a child, you’ll need to confirm parental responsibility and assess the child’s capacity to make their own decisions. Be cautious and proportionate - the child’s best interests come first.
Mixed Files And Third Parties
Emails and files often include multiple people. You’ll usually disclose the requester’s data and redact others’ personal data, unless you have consent or it’s reasonable to disclose without harming their rights. Keep a clear note of your redaction decisions.
How To Build A Repeatable SAR Process In Your Business
Responding lawfully to SARs shouldn’t be a fire drill. A few simple building blocks will save you hours later.
1) Create A SAR Playbook
Document a step-by-step procedure with roles, deadlines, search locations, redaction guidelines and approval steps. Include template emails for acknowledgement, ID verification, clarification, extension, refusal and disclosure.
2) Provide An Easy Request Channel
Make it simple for individuals to make requests so they don’t scatter them across social DMs. Many businesses implement an Access Request Form linked from their website and Privacy Policy - you still need to accept SARs via other channels, but a form helps capture the details you need.
3) Keep Your Data Map Up To Date
You can’t disclose what you can’t find. Maintain a basic record of processing: systems used, data categories, processors, locations and retention periods. This also helps you keep your Privacy Policy accurate.
4) Train Your Team
Frontline staff should recognise a SAR on sight and know who to escalate it to. Teach them that a request doesn’t need legal jargon - if someone asks for “the data you hold about me,” that’s enough.
5) Standardise Supplier Contracts
You’re required to ensure your processors assist with SARs. Put this obligation in each Data Processing Agreement and, where relevant, in any Data Sharing Agreement between controllers. That way, when you need exports or redactions from a vendor, there’s a clear turnaround and secure transfer method.
6) Tidy Up Your Front Door
If your website drops analytics or marketing cookies, ensure your consent tools are compliant - clear choices and no pre-ticked boxes. Well-configured cookie banners reduce complaints (and SAR volume) by setting expectations upfront.
7) Use A Practical Redaction Workflow
Adopt tools that support redaction (PDF editors, video blurring for CCTV) and keep a sign-off step for sensitive disclosures. For large volumes, consider a phased disclosure: prioritise high-signal items first and schedule the remainder if you’ve agreed an extension.
8) Have A Proportionate Retention Policy
Retain data only as long as needed. Good retention hygiene means less to search, review and redact - and lowers your overall risk. Make sure your systems actually apply the retention rules you’ve set.
9) Know When To Ask For Help
It’s okay to seek legal input for complex requests, especially where exemptions, privilege, employee relations or complaints are in play. Getting the tough ones right protects your business and builds trust with the ICO if a complaint arises.
Frequently Asked Questions About SARs
Do I Have To Provide Original Documents?
No. You must provide the requester’s personal data, which can be presented in a new document or extract. You don’t have to provide entire documents if they contain others’ data or confidential material - redaction or summaries are acceptable, provided the requester gets their personal data.
Can I Charge A Fee?
Generally, no. You can charge a reasonable administrative fee only if the request is manifestly unfounded or excessive, or for additional copies beyond the first.
Can I Refuse A SAR?
Yes, but only in limited circumstances (e.g. manifestly unfounded, excessive, or where a specific exemption applies). Document your decision in detail and consider offering the requester a narrowed scope. Our overview of SAR exemptions outlines when refusal may be justified.
What Happens If I Miss The Deadline?
The individual can complain to the ICO and you could face enforcement action. Even if no fine is issued, dealing with an investigation costs time and reputation. Set reminders early and use the two-month extension where it’s genuinely needed - but notify on time. If you’re unsure about timing rules, revisit SAR deadlines.
How Do SARs Relate To My Wider Compliance?
In practice, SAR-readiness is a great stress test for your privacy posture. If you can’t quickly find, export and securely share personal data, it’s a sign you should refresh your data map, contracts with processors, and your GDPR Package of documents and policies.
Key Takeaways
- When you receive a SAR, the one-month deadline starts immediately - verify identity, clarify scope if needed, and map out your searches early so you stay on track.
- You must provide the requester’s personal data and required privacy information, usually electronically and free of charge; you can extend the deadline by two months if the request is complex (notify within the first month).
- Redact third-party data and only rely on exemptions where they clearly apply; keep a detailed audit trail of your decisions in case the ICO asks questions.
- Tricky SARs often involve employee emails, CCTV and mixed files - use proportionate searches, robust redaction, and secure transfer methods.
- A simple SAR playbook, clear request channel, up-to-date data map and strong processor contracts will make responding faster and safer every time.
- Your core privacy assets - a current Privacy Policy, well-drafted Data Processing Agreement and practical cookie controls - reduce SAR risk and improve compliance overall.
- If a request looks excessive, repetitive, or engages complex exemptions, get tailored advice before refusing or charging a fee to avoid regulatory headaches.
If you’d like help setting up a SAR process, reviewing a specific request, or getting your privacy foundations in place, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.