Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is Subject Access Request Compensation Under UK GDPR?
- When Could Your Business Owe Subject Access Request Compensation?
- Practical Steps To Handle SARs And Cut Compensation Risk
- 1) Centralise Intake And Verify Identity
- 2) Acknowledge Quickly And Explain The Timeline
- 3) Clarify Scope (Without Unlawfully Delaying)
- 4) Apply Exemptions Carefully And Redact Where Needed
- 5) Disclose Securely And Provide Mandatory Information
- 6) Adopt A Written Playbook And Train Staff
- 7) Get Your Documentation In Order
- Can You Refuse, Pause Or Narrow A SAR? (Exemptions And Limits)
- High-Risk SAR Scenarios For SMEs (Employees, CCTV, Emails)
- What To Do If You Receive A Compensation Claim Or Pre‑Action Letter
- Key Takeaways
If you process personal data, you’ll eventually receive a subject access request (SAR). Most are routine. But if you get it wrong, you could face complaints to the ICO, reputational damage, and even claims for subject access request compensation.
Don’t stress: once you understand when compensation risk arises and how to run a clean SAR process, you can handle requests confidently and protect your business from day one. This guide breaks down what SAR compensation is, when you might be liable, and the practical steps to reduce risk under UK GDPR and the Data Protection Act 2018.
What Is Subject Access Request Compensation Under UK GDPR?
Under the UK GDPR and the Data Protection Act 2018, every individual has the right to access the personal data that you process about them; this is often called a “subject access request” or “SAR.” If a business breaches data protection law (for example, by failing to respond to a valid SAR, disclosing data it shouldn’t, or responding late), an individual can seek compensation for damage suffered.
Two types of damage can qualify:
- Material damage (financial loss): e.g. costs or losses caused by a breach or wrongful disclosure.
- Non-material damage (distress): e.g. anxiety, embarrassment or loss of control over personal data.
Compensation is pursued through the courts (not the ICO). The ICO can investigate and fine, but it cannot award compensation. In practice, individuals may raise complaints with the ICO first and then pursue compensation separately if they believe they have suffered damage.
Importantly, a SAR is about access rights, not damages. But how you handle a SAR can trigger wider data protection issues (e.g. unlawful disclosure of third-party data) that increase the likelihood of compensation claims. That’s why a robust process is essential.
When Could Your Business Owe Subject Access Request Compensation?
Compensation exposure usually arises where your SAR handling breaches data protection law and causes damage. Common scenarios include:
- Late responses without a lawful reason: Missing the one-month deadline (or the rules on extensions) can be a breach. Repeated delays, poor communication or ignoring requests increase the risk.
- Over-disclosure of third-party data: Sending someone else’s personal data by mistake (for example, forwarding emails containing mixed data) can cause both material and non-material damage.
- Disclosing legally privileged or confidential information: Failing to identify privileged material before disclosure may harm your legal position and trigger claims.
- Failing to verify identity: Sending personal data to the wrong person is a classic, and costly, mistake.
- Unlawful refusal or unreasonable limitation: Refusing a valid request, or narrowing it without good reason, can be a breach.
- Security failures during SAR delivery: Using insecure channels or misdirecting documents can create a secondary personal data breach.
How much compensation could be payable? Awards vary widely. Courts look at the seriousness of the breach, the nature and sensitivity of the data, the steps you took to prevent harm, and the actual damage suffered. While minor issues may lead to modest sums, systemic failures or serious disclosures can escalate quickly, especially if multiple people are affected.
Good news: most compensation risk is avoidable with a disciplined process, documented decisions, and timely communication.
Practical Steps To Handle SARs And Cut Compensation Risk
You’ll reduce compensation exposure by building a repeatable, documented SAR process that your team can run consistently. Here’s a practical checklist that aligns with UK GDPR obligations.
1) Centralise Intake And Verify Identity
- Direct all requests to a single mailbox or form (for example, an Access Request Form) and immediately log the date received.
- Verify the requester’s identity before you disclose anything. If the data is sensitive or you have doubts, ask for reasonable additional information.
- Explain what you need and pause disclosure until verification is complete. The one‑month timer can start after you receive the necessary information if the request was unclear or identity was not established.
2) Acknowledge Quickly And Explain The Timeline
- Send a friendly acknowledgement and state the expected response date. This sets expectations and reduces escalation risk.
- If the request is complex, large in scope, or you’ve received multiple requests from the same person, consider a lawful extension (up to two months more). Document the reason and notify the individual within the first month, as required.
- For time calculations and common pitfalls, bookmark guidance on SAR deadlines and how to manage them in practice.
3) Clarify Scope (Without Unlawfully Delaying)
- If a request is very broad, invite the individual to narrow it (e.g. timeframes, systems, keywords). You still need to make reasonable efforts to search where narrowing isn’t provided.
- Keep a record of how you’ve agreed the scope; it helps demonstrate reasonableness if your decisions are later challenged.
- Have a standard operating procedure for searching systems (email, HR files, messaging apps, backups) and documenting what was included or excluded.
4) Apply Exemptions Carefully And Redact Where Needed
- Review for legal privilege, confidential references, management forecasting, and third‑party data. Where possible, redact rather than refuse entirely.
- If relying on an exemption or refusing part of a request, explain the legal basis plainly and record your reasoning.
- For a practical walk‑through of when you can refuse, pause or trim a request, read about SAR exemptions.
5) Disclose Securely And Provide Mandatory Information
- Deliver via a secure channel and double‑check recipients and attachments to avoid accidental disclosure.
- Include the required information: the purposes of processing, categories of data, recipients, retention, source details, and rights (e.g. to complain to the ICO).
- Where feasible, provide a copy of the personal data in a commonly used, accessible format.
6) Adopt A Written Playbook And Train Staff
- Use a step‑by‑step workflow for your team, including template acknowledgements and response letters. A good starting point is this practical overview on responding effectively to SARs.
- Train managers (especially HR and customer support) to spot SARs, route them correctly, and avoid ad‑hoc responses.
- Keep a SAR register with dates, decisions, and outcomes. This audit trail is invaluable if a complaint or claim arises.
7) Get Your Documentation In Order
- Make sure your public‑facing Privacy Policy clearly explains rights of access and how people can submit requests.
- If you share data with other organisations, align responsibilities with a Data Sharing Agreement and clarify who handles SARs.
- Where you use processors (cloud tools, outsourced support), ensure your Data Processing Agreement compels timely assistance with SARs, secure handling and deletion obligations.
Want a deeper, step‑by‑step run‑through? This guide to the essential steps for responding to SARs walks through intake, scoping, exemptions and disclosure in more detail.
Can You Refuse, Pause Or Narrow A SAR? (Exemptions And Limits)
You can’t refuse a valid SAR because it’s inconvenient or time‑consuming. However, the law allows certain limits when appropriate. The key is to apply them narrowly, document your reasoning, and communicate clearly with the requester.
- Manifestly unfounded or excessive: You may refuse or charge a reasonable fee if a request is clearly made in bad faith or is repetitive/excessive. Be cautious: this is interpreted strictly, so document why you think the threshold is met.
- Legal professional privilege: You don’t need to disclose privileged communications. Take care to identify and segregate these documents.
- Third‑party data: You should avoid disclosing other people’s personal data unless you have consent or it’s reasonable to disclose. Redaction is your friend.
- Negotiations and management information: In limited circumstances, information relating to ongoing negotiations or management forecasting may be withheld if disclosure would prejudice those processes.
- Confidential references: References you provide for employment or education can be exempt in some cases.
Timing matters. Generally, you must respond within one month of receipt, starting the following day, with scope to extend where requests are complex or numerous. For a practical calculator and timeline tips, keep this guide to mastering SAR deadlines handy.
If you rely on an exemption, tell the requester why (in plain English) and signpost their right to complain to the ICO. Transparent, well‑reasoned decisions reduce escalation: if someone understands what you did and why, they’re less likely to jump straight to a compensation claim.
High-Risk SAR Scenarios For SMEs (Employees, CCTV, Emails)
Some SARs are more likely to cause headaches than others. A few situations routinely trip up small businesses:
Employee And Ex‑Employee SARs
Workplace SARs can be wide in scope (e.g. “everything about me including emails, chats and HR notes”). Risks include over‑disclosing third‑party staff data, revealing legally privileged content (e.g. advice about a grievance or disciplinary), or failing to search reasonably across systems.
- Search HR systems, inboxes the employee used, shared drives and relevant messaging tools.
- Use keyword filtering and date limits to focus the search. Offer to refine scope, but don’t ignore reasonable searches.
- Redact names and identifiers of other employees where appropriate, and consider exemptions carefully.
CCTV And Audio
People often request CCTV footage of themselves. You’ll need to locate the relevant footage, export it securely and, if other people are visible, consider redaction (blur faces) or assess whether disclosure is reasonable. Be realistic about retention periods: if your system overwrites after 30 days and the request comes after that, explain the retention policy clearly.
Email Threads And Mixed Data
Email chains often contain multiple people’s data, internal opinions and potentially privileged content. A line‑by‑line review is often required. Don’t forward raw threads; instead, extract the requester’s personal data and redact lawfully. If you use cloud tools to store or search emails, make sure they’re configured securely; this piece on Google Drive and GDPR compliance highlights the types of controls you should have in place.
Data You Didn’t Realise You Held
SARs can surface hidden pockets of personal data (screenshots in Slack, spreadsheets in a personal drive, or archived inboxes). This is why data mapping and clear rules about where staff save files are key. Good governance now can save you hours later, and reduce the chance of accidental over‑disclosure.
Requests That Morph Over Time
It’s common for a requester to add to their SAR after you start work. Keep a clear paper trail about what’s in scope and what counts as a new request (which may reset timing). Consistent communication helps avoid arguments about deadlines and reduces compensation risk tied to alleged delays.
Sharing Without Consent
Remember, you can share personal information without consent in specific, lawful circumstances (for example, where it’s necessary for legal obligations). If this comes up during a SAR, make sure you’re comfortable with the legal basis; this overview of when businesses can share personal information without consent is a helpful refresher.
What To Do If You Receive A Compensation Claim Or Pre‑Action Letter
Even with a solid process, you might receive a letter before action or a claim alleging distress or financial loss arising from your SAR response. Here’s a calm, structured approach.
- Don’t ignore it: Acknowledge receipt quickly and set a reasonable timeframe for your full response.
- Review the SAR file: Pull your SAR register entry, search logs, exemption assessments, and copies of communications and disclosures. A tidy paper trail is your best defence.
- Check the allegations against the facts: Did you miss a deadline? If so, did you lawfully extend? Was identity verified? If there was an error, what remediation steps were taken?
- Assess damage: Claims require damage. If the requester alleges distress, review the seriousness and whether your actions reasonably caused it. This informs any settlement strategy.
- Consider settlement without admission: For low‑value disputes, a pragmatic commercial resolution can be cheaper than prolonged correspondence, especially if you can show strong compliance overall.
- Notify insurers where relevant: Check any cyber or professional liability cover terms and notification deadlines.
- Tighten your process: Use incidents as learning opportunities: update templates, training and playbooks to prevent repeat issues.
If you receive simultaneous ICO correspondence, cooperate professionally. The ICO’s focus is usually on your process and compliance posture. Demonstrating that you have policies, training, solid deadline control and clear decision‑making can significantly reduce regulatory heat and claim leverage.
Key Takeaways
- Subject access request compensation is awarded by the courts where an individual suffers material or non‑material damage from a data protection breach, often tied to late, unlawful or careless SAR handling.
- Your biggest risks are over‑disclosure, missed deadlines, poor identity verification, and weak security during disclosure. A disciplined process is the best defence.
- Centralise intake, verify identity, clarify scope, document searches, apply exemptions carefully, and disclose securely, with a strong audit trail at every step. This practical guide to the essential steps for responding to SARs is a useful checklist.
- Know the limits: you can refuse or narrow requests only in specific circumstances. If you rely on an exemption or extension, document your reasons and communicate clearly; resources on deadlines and exemptions will help you stay on track.
- Strengthen your legal foundations: maintain a clear Privacy Policy, lock in obligations with processors via a Data Processing Agreement, and set responsibilities with partners in a Data Sharing Agreement.
- If you receive a pre‑action letter, respond promptly, review your SAR file, assess alleged damage, consider pragmatic resolution, and notify insurers if applicable. Use the experience to tighten internal processes and training.
If you’d like tailored help setting up a robust SAR process or responding to a tricky request, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no‑obligation chat.