Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a UK business, chances are you’re handling personal data every day - customer orders, enquiries, CCTV footage, employee records, marketing lists, even WhatsApp messages on work phones.
That means, sooner or later, you may receive a Subject Access Request (often shortened to “SAR”). Under the UK GDPR, a SAR gives individuals the right to ask you for a copy of their personal data and supporting information about how you use it.
This guide explains what “SAR GDPR” obligations look like in practice, how to respond confidently, and how to avoid the common pitfalls that can lead to complaints, delays, and unnecessary risk.
What Is A SAR Under GDPR (And Why Do Small Businesses Need To Take It Seriously)?
A Subject Access Request is a request made by an individual (the “data subject”) to access their personal data. In the UK, SAR rights come from the UK GDPR, alongside the Data Protection Act 2018.
A SAR request under GDPR can come from:
- a customer (e.g. “send me all the information you hold about me”)
- a lead or website user (e.g. “what personal data do you have from my enquiry?”)
- an employee or ex-employee (e.g. “I want copies of emails about me”)
- a contractor, supplier contact, or anyone else whose personal data you hold
For small businesses, SARs can feel disruptive - especially when data is spread across inboxes, cloud drives, CRM tools, messaging apps, and paper files. But the key point is this: you can’t ignore a GDPR SAR, even if it’s inconvenient or you suspect the person has another motive (for example, a dispute or grievance).
Subject Access Request rules apply broadly, not just to big corporates and not just in HR situations, and the scope of "personal data" is wider than many businesses expect (see the next section).
What Counts As “Personal Data” For A SAR?
Personal data is information that relates to an identified or identifiable person. In a SAR GDPR context, this can include:
- contact details (name, email, phone number, address)
- account and purchase history
- support tickets, complaint logs, call recordings, and chat transcripts
- CCTV footage (if it identifies them)
- internal notes, incident reports, and meeting notes (where the individual is identifiable)
- emails or messages that mention them (even if the email isn’t “about” them)
It’s not limited to “formal records”. If it’s personal data, it can potentially fall within the scope of a GDPR SAR.
When Has Someone Actually Made A GDPR SAR?
A very common mistake is thinking a SAR has to use particular wording. It doesn’t.
A SAR request under GDPR can be made verbally or in writing, and it can be informal. For example:
- “Can you send me everything you have on me?”
- “I want a copy of my data.”
- “What information are you holding about me?”
If the message is clearly asking for their personal data, you should treat it as a SAR and start your response process. You can still ask clarifying questions (especially if it’s broad), but you should not delay unnecessarily.
Can You Ask Them To Use A Form Or A Specific Email Address?
You can offer a standard process (for example, “please email privacy@yourcompany.co.uk”), but you generally shouldn’t refuse to act just because they didn’t follow your preferred channel. The safest approach is to:
- acknowledge the request promptly
- confirm you’re treating it as a SAR GDPR request
- ask for any clarification you need
- start gathering data as soon as possible
Having a clear written internal process helps a lot here - especially if different team members handle customer support, HR, and IT.
Key SAR GDPR Deadlines And What You Must Provide
How Long Do You Have To Respond To A SAR Under GDPR?
In most cases, you have one month to respond to a SAR.
The clock generally starts when you receive the request, but it can be paused while you’re reasonably waiting for the person to provide ID (where needed) or to clarify what they’re asking for. If you need to verify identity or clarify scope, you should do that quickly and keep a clear record of communications.
You may be able to extend the deadline by up to two further months if the request is complex or you’ve received multiple requests from the same individual. But if you extend, you should inform them within the first month and explain why.
Timing is often where businesses come unstuck, so it’s worth building a repeatable workflow and getting across the deadline rules before the first request arrives rather than after.
What Information Do You Have To Provide?
A GDPR SAR response isn’t only “here’s the data”. In practice, your response should usually include:
- confirmation that you process their personal data
- a copy of the personal data (where applicable)
- supplementary information such as:
- your purposes for processing the data
- categories of personal data
- who you share it with (or categories of recipients)
- how long you keep it (or the criteria used)
- their other rights (rectification, erasure, restriction, objection, and complaint to the ICO)
- where you collected the data from (if not directly from them)
- details of automated decision-making/profiling (if applicable)
- the safeguards applied if you transfer their data outside the UK (if applicable)
In other words, a SAR GDPR response is partly a data export and partly a transparency report.
Do You Have To Provide The Data For Free?
Usually, yes - SAR responses should be provided free of charge.
You can charge a “reasonable fee” in limited circumstances (for example, if the request is manifestly unfounded or excessive - in which case you may alternatively refuse to act - or if they request additional copies). But you should be cautious here: the burden of showing that a request is manifestly unfounded or excessive sits with you, and charging fees without a solid basis can increase complaint risk.
Step-By-Step: How To Respond To A SAR Request Under GDPR
If you want your team to handle SAR GDPR requests calmly and consistently, it helps to treat SARs like a mini-project with clear stages.
1) Log The Request And Assign An Owner
As soon as you receive the request:
- create a simple SAR log entry (date received, requester name, channel, summary)
- assign a responsible person (often the business owner, office manager, HR lead, or privacy lead)
- calendar the one-month deadline
This is also the point to consider whether you need external support, particularly if the request relates to an employee dispute or could end up in litigation.
2) Acknowledge The Request Promptly
You don’t have to respond with the full pack immediately, but you should acknowledge it quickly and professionally.
Your acknowledgement can:
- confirm you’re treating it as a GDPR SAR
- request proof of identity (if appropriate)
- ask the person to clarify scope (if very broad)
- confirm the deadline (and that you’ll respond sooner if possible)
Many businesses use a standard form to keep responses consistent. If you’re building your process, having something like an access request form can reduce ambiguity and help you capture the essentials.
3) Verify Identity (Only If Needed)
You should take reasonable steps to confirm the person is who they say they are. This matters if you might otherwise disclose personal data to the wrong person.
But keep it proportionate. If the requester is an existing customer emailing from the address on their account, you may not need additional ID; if it’s an ex-employee using a new email address, you might. Don’t collect more than you need to be satisfied (a scanned passport is itself personal data you then have to protect), and be alert to requests that come from a lookalike address or ask you to send the response somewhere other than the contact details you already hold - a SAR is an easy way for an impersonator to try to extract someone else’s data.
4) Search For The Data Systematically
This is usually the biggest part of the work. Build a checklist of where personal data could exist, such as:
- email accounts (including archived mailboxes)
- HR systems and payroll (for employees)
- CRM and marketing platforms
- support ticketing tools
- cloud storage (Google Drive, OneDrive, Dropbox, etc.)
- instant messages (Teams/Slack/WhatsApp, depending on your setup)
- paper files and scanned PDFs
- CCTV and access control logs
If your team uses personal devices for work, SAR handling can get tricky fast. This is one reason it’s smart to have clear internal rules and training around data handling and access.
5) Review, Redact, And Apply Exemptions Carefully
You’re expected to provide the requester with their personal data - but that doesn’t automatically mean you must disclose everything in raw form.
Common issues include:
- third-party data in emails or documents (you may need to redact names or identifying details)
- legally privileged material (for example, confidential legal advice)
- confidential references (in certain contexts)
- management forecasting or negotiations (in limited cases)
In employment-related SARs, businesses often ask: “Can we withhold certain documents?” The answer is sometimes yes - but exemptions are fact-specific, and you’ll usually need to balance the requester’s rights against other legal obligations (including third-party privacy). This is where many employers slip up, so it’s worth understanding what employers can withhold before you disclose documents that could create other risks.
6) Prepare The Response Pack And Deliver It Securely
Once you’ve collected and reviewed the data, you’ll need to send it securely. Practical tips include:
- encrypt the bundle (a password-protected archive or document is the simplest form), use a strong password, and send the password by a different channel from the files (for example, by phone or SMS rather than in a second email)
- send the pack only to the address you verified at step 3, and check the recipient before you press send - a SAR response sent to the wrong person is itself a personal data breach
- keep a clear record of what you disclosed, to whom, and when
You should also include the required supplementary information (purposes, retention, recipients, etc.), not just attachments.
7) Keep Records And Improve Your Process For Next Time
After closing the SAR:
- update your SAR log with completion date and summary
- store a copy of the final response (securely, with limited access)
- note any process issues (data scattered across tools, missing retention policy, unclear ownership)
Over time, improving your underlying data governance makes SAR GDPR compliance much easier. For example, if you don’t have clear retention periods, you might end up searching years of irrelevant records. Getting on top of data retention is often the difference between a manageable SAR and a business-stopping one.
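The search, redaction and record-keeping steps above lend themselves to a small script, and the following is one written for this article (it is not a tool from Sprintlaw or from any product named on this page). The three exports it reads, a mailbox, a CRM table and a chat log, are constructed sample data, and every name and address in them is invented; the list of third-party names to redact is a hypothetical input you would build during review. The script finds each record that mentions the data subject, keeps the subject’s own email address while masking everyone else’s, masks the listed third-party names, and produces a manifest (source, location, hash of the redacted text) so your SAR log can record exactly what was disclosed without holding a second copy of the personal data. It does not make exemption decisions: a human still reviews every hit before it goes in the pack.

```python
import csv
import hashlib
import io
import json
import re
from dataclasses import dataclass

# Constructed sample exports for this example (no real people or data).
MBOX_EXPORT = """From manager@example.co.uk Mon Jan  6 10:00:00 2025
From: manager@example.co.uk
To: priya.shah@example.org
Subject: Your order #1042

Priya, your order has shipped. Sam (sam.lee@example.org) handled the refund.

From sam.lee@example.org Mon Jan  6 11:00:00 2025
From: sam.lee@example.org
To: manager@example.co.uk
Subject: Stock levels

Nothing about customers in here.
"""

CRM_EXPORT = """id,name,email,notes
17,Priya Shah,priya.shah@example.org,Complained about delivery; spoke to Sam Lee
18,Tom Reid,tom.reid@example.org,Lead from website
"""

CHAT_EXPORT = json.dumps([
    {"user": "manager", "text": "Priya Shah called again, refund approved"},
    {"user": "sam", "text": "lunch?"},
])

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class Hit:
    source: str    # which system the record came from
    locator: str   # where in that system (message number, row id, ...)
    text: str      # the record after third-party redaction


class SarSearch:
    def __init__(self, subject_terms, third_party_names):
        # Search terms: the subject's name variants and email addresses.
        self.terms = [re.compile(re.escape(t), re.I) for t in subject_terms]
        self.subject_emails = {t.lower() for t in subject_terms if "@" in t}
        # Hypothetical list of other people's names the reviewer decided to mask.
        self.third_party = [re.compile(r"\b" + re.escape(n) + r"\b", re.I)
                            for n in third_party_names]

    def mentions_subject(self, text):
        return any(p.search(text) for p in self.terms)

    def redact(self, text):
        # Keep the subject's own addresses; mask every other email address.
        def mask(m):
            addr = m.group(0)
            return addr if addr.lower() in self.subject_emails else "[REDACTED EMAIL]"
        text = EMAIL_RE.sub(mask, text)
        for p in self.third_party:
            text = p.sub("[REDACTED NAME]", text)
        return text

    def search_mbox(self, mbox_text):
        # mbox messages begin with an envelope line "From <addr> <date>" (not "From:").
        messages = [m for m in re.split(r"^From .*$", mbox_text, flags=re.M) if m.strip()]
        return [Hit("mailbox", f"message {i}", self.redact(m.strip()))
                for i, m in enumerate(messages, 1) if self.mentions_subject(m)]

    def search_csv(self, csv_text):
        hits = []
        for row in csv.DictReader(io.StringIO(csv_text)):
            line = ", ".join(f"{k}={v}" for k, v in row.items())
            if self.mentions_subject(line):
                hits.append(Hit("crm", f"row id={row['id']}", self.redact(line)))
        return hits

    def search_chat(self, json_text):
        return [Hit("chat", f"message {i}", self.redact(msg["text"]))
                for i, msg in enumerate(json.loads(json_text), 1)
                if self.mentions_subject(msg["text"])]


def build_manifest(hits):
    # Record what was disclosed (source, location, hash of the redacted text)
    # without storing another copy of the personal data in the SAR log.
    return [{"source": h.source, "locator": h.locator,
             "sha256": hashlib.sha256(h.text.encode()).hexdigest()} for h in hits]


def run_example():
    search = SarSearch(["Priya Shah", "priya.shah@example.org"], ["Sam Lee", "Tom Reid"])
    hits = (search.search_mbox(MBOX_EXPORT) + search.search_csv(CRM_EXPORT)
            + search.search_chat(CHAT_EXPORT))
    return hits, build_manifest(hits)


if __name__ == "__main__":
    hits, manifest = run_example()
    for h in hits:
        print(f"[{h.source} / {h.locator}]\n{h.text}\n")
    print(json.dumps(manifest, indent=2))
```

Two design points are worth noting. Search terms that are too short (a first name on its own) over-match and flood the review stage, while terms that are too narrow miss the email that refers to "Priya" without her surname, so the list is something you tune per request and then review by hand. And whether a staff member’s work address needs masking at all is a judgement for the review step; the script only proposes redactions, which is why the manifest hashes the redacted text rather than the raw record.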
Common SAR GDPR Mistakes (And How To Avoid Them)
Most SAR problems aren’t caused by bad intentions - they happen because a business is busy, the request feels vague, or the data is messy.
Here are some of the most common pitfalls we see in practice.
Missing The One-Month Deadline
If you think you might miss it, don’t go silent. Communicate early, explain what you’re doing, and assess whether an extension is justified.
Disclosing Too Much (Or The Wrong Things)
It’s surprisingly easy to:
- include third-party data by accident
- hand over internal commentary that isn’t required (or isn’t wise to disclose without review)
- release legally privileged documents
A structured review and redaction stage is essential, particularly if the SAR is connected to a complaint or dispute.
Not Treating It Like A Business-Wide Search
A SAR GDPR response is rarely limited to one system. If only one team searches (for example, HR or customer support), you can miss data held elsewhere - and that can undermine your credibility if the requester complains to the ICO.
Not Having Clear Privacy Documents In Place
Remember: the requester can ask questions about how and why you process data, how long you keep it, and who you share it with. If your business hasn’t documented those practices, responding becomes harder and riskier than it needs to be.
Even a small business collecting enquiries through a website should usually have a Privacy Policy that reflects what you actually do.
Key Takeaways
- A SAR under GDPR can be informal, verbal, and doesn’t need to use the words “subject access request” to count - if someone asks for their personal data, treat it as a SAR.
- Most businesses have one month to respond to a GDPR SAR, but the time limit can be paused while you’re reasonably waiting for ID (where needed) or clarification of the request, and you may only extend in limited situations (and you should tell the requester within the first month).
- A SAR GDPR response usually requires both a copy of personal data and supporting information about how and why you process it, who you share it with, and how long you keep it.
- Your response process should be systematic: log the request, acknowledge it, verify identity if needed, search all relevant systems, review/redact carefully, and deliver securely.
- You may be able to withhold or redact certain information (for example, third-party data or legally privileged material), but exemptions are fact-specific, so apply them carefully and document your reasoning.
- Strong data retention and privacy practices make SAR requests far easier to handle and reduce the risk of complaints to the ICO.
If you’d like help setting up a SAR process, reviewing your privacy documentation, or responding to a tricky SAR GDPR request, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.