Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, a subject access request (often shortened to “SAR”) can feel like a big admin task that lands on your desk out of nowhere.
But there’s another reason you should take SARs seriously: the risk of subject access request compensation. In the right circumstances, a customer, employee, or other individual can claim compensation from your business if you breach their data protection rights and they suffer harm.
The good news is that most compensation risk is avoidable with the right processes, sensible timelines, and clear documentation. Below, we’ll break down how SAR compensation works in the UK, what typically triggers claims, and what you can do to protect your business while staying compliant with the UK GDPR and the Data Protection Act 2018.
What Is “Subject Access Request Compensation” In The UK?
A subject access request is a request by an individual to access the personal data your business holds about them. In the UK, SARs are mainly governed by the UK GDPR (and supported by the Data Protection Act 2018).
In simple terms, subject access request compensation is money an individual may be able to recover from your business if:
- you breach data protection law (including by mishandling a SAR), and
- the individual suffers damage as a result.
“Damage” can include:
- Material damage (financial loss), for example where poor handling causes loss of money or opportunities; and/or
- Non-material damage (distress), for example anxiety or upset caused by the way a business handled personal information (usually more than minimal or trivial distress).
For small businesses, it’s important to understand that SAR compensation claims are usually less about “someone wants their file” and more about how your business handles personal data in practice. A SAR can quickly become contentious if the requester believes you’re hiding information, delaying, or mishandling sensitive details.
If you want a practical refresher on the SAR basics (especially in an employment context), it’s worth understanding the typical workflow in Subject Access Requests.
When Can A SAR Lead To Compensation Risk For Your Business?
A SAR by itself doesn’t automatically create liability. The compensation risk tends to increase when a SAR exposes (or is linked to) broader data protection issues inside the business.
Common triggers we see in practice include:
1) Missing The Deadline (Or “Ghosting” The SAR)
In most cases, you must respond to a SAR within one month. Extensions can apply in limited circumstances (for example, where the request is complex or you’ve received multiple requests) and can be up to a further two months, but you generally need to tell the requester within the original one-month period and explain why.
Even if you ultimately respond, long delays can create frustration and complaints. If the individual can show they suffered distress or loss because of how you handled the request, that’s where a subject access request compensation claim may come into play.
Timelines matter, so it’s worth having a process built around SAR deadlines rather than scrambling each time a request lands.
2) Incomplete Searches Or “Convenient” Data Gaps
A frequent problem is a business searching only the obvious places (like one inbox), while overlooking other sources such as:
- shared drives and cloud folders
- CRM systems, booking systems, and helpdesk tickets
- staff chat tools
- personal devices used for work (BYOD)
- archived emails (and, in some cases, backups where they’re readily accessible without disproportionate effort)
If a requester later discovers missing messages or records, they may allege the business failed to comply properly. That can quickly escalate into an ICO complaint, and in some situations, a compensation claim.
3) Disclosing Too Much (Especially Third-Party Information)
Businesses often focus on not disclosing enough data. But disclosing too much can be just as risky.
A SAR response may contain third-party data (for example, other employees’ personal data). If you provide that incorrectly, you can create a second issue: an unauthorised disclosure (which can look a lot like a data breach).
This is why it’s crucial to understand what information you can lawfully redact or withhold. A helpful starting point is what you can withhold in a SAR response (because yes, sometimes you can withhold or redact information, but you need to do it properly and for the right reasons).
4) Poor Communication And A Defensive Tone
Small businesses are busy, and it’s tempting to be short with a requester, particularly where there’s an employment dispute or a customer relationship has soured.
But tone and clarity matter. If a requester feels stonewalled, they’re more likely to complain to the ICO and explore compensation routes.
A calm response that:
- acknowledges the request,
- confirms what ID you need (if any),
- clarifies scope (without making it hard for them), and
- gives a realistic timeline
…can significantly reduce escalation risk.
How Much Compensation Could Be Claimed For A SAR Issue?
There isn’t a single fixed amount for subject access request compensation in the UK. The value depends on the facts, including:
- the seriousness of the breach
- how long the issue continued
- the sensitivity of the data involved (for example health information)
- the impact on the individual (financial loss and/or distress)
- how your business responded once the issue was identified
In practice, many SAR disputes don’t end in large payouts, but they can still cost you time, legal fees, reputational damage, and management distraction.
From a business perspective, it’s also important to remember that compensation risk often sits alongside:
- ICO complaints and regulatory scrutiny (which can require significant internal work to resolve); and
- related employment or consumer disputes where the SAR is used to gather information.
Even where compensation is modest, the overall cost to your business can add up quickly if you don’t have a repeatable process.
Practical Steps To Reduce SAR Compensation Risk (A Small Business Playbook)
If you want to reduce the risk of a SAR turning into a compensation claim, focus on two things: compliance (doing what the law requires) and defensibility (being able to prove you handled it properly).
1) Put A Clear SAR Intake Process In Place
You don’t need a huge compliance department to handle SARs well. But you do need a consistent process that covers:
- where requests should be sent (email address or form)
- who internally “owns” the process
- how you verify identity (when appropriate)
- how you clarify scope without delaying unnecessarily
- how you document searches and decisions
This becomes much easier when your policies are aligned, especially where staff are creating lots of data through emails, chat tools, and device usage. For businesses with staff, internal rules like an Acceptable Use Policy can reduce messy data sprawl and make SAR searches far more manageable.
2) Build Your Response Around The Deadline (And Document Extensions Properly)
Most SAR problems come from time pressure. A good approach is to work backwards from the one-month deadline and set internal milestones, for example:
- Day 1–2: acknowledge request and confirm ID requirements (if needed)
- Day 3–10: clarify scope and start searches across systems
- Day 10–20: review, redact, and apply exemptions where needed
- Day 20–30: final quality check, prepare secure delivery, send response
If you need an extension (for complex requests), you generally need to tell the requester within the initial month, explain why, and confirm the extended deadline (which can be up to a further two months). The key is to be transparent and keep a paper trail.
3) Have A “Data Map” So You Know Where Personal Data Lives
SARs become difficult when you don’t know what systems you use, what data is in them, or who controls them.
Even a simple data map (a spreadsheet is fine) should list:
- the systems you use (email, accounting, CRM, HR platform, marketing tools)
- the types of personal data stored there
- who has admin access
- how long you keep it (retention)
This isn’t just for SARs. It also helps if you ever have to respond quickly to a suspected breach. Having a Data Breach Response Plan in place can be a lifesaver when an incident overlaps with a SAR (which is more common than you’d think).
4) Be Careful With Monitoring Data (It Often Ends Up In SARs)
If your business monitors staff devices, emails, or workplace systems, you should assume those logs, reports, and communications could be requested in a SAR.
This creates two practical issues:
- Volume: monitoring generates large amounts of data, making SAR searches harder and slower; and
- Sensitivity: monitoring data can be intrusive, so mishandling it can increase distress-based compensation arguments.
If your workplace uses monitoring tools, it’s worth pressure-testing your compliance approach against employee computer monitoring obligations and making sure your internal communications are consistent and well documented.
5) Redact Carefully, And Keep Notes On Why
Redaction is often necessary, but it’s also where businesses get into trouble.
As a rule of thumb:
- only redact what you have a genuine legal basis to redact
- keep a short written note explaining the reason (for example, third-party privacy)
- don’t redact to avoid embarrassment; if the data is the requester’s personal data, they’re generally entitled to it
This is also where tailored legal advice can save you a lot of risk, especially if the SAR relates to a dispute, grievance, disciplinary process, or threatened claim.
How Do SAR Complaints And Compensation Claims Usually Play Out?
From a small business perspective, it helps to know what “the path” often looks like so you can de-escalate early.
Step 1: The Requester Chases Or Complains
If you miss deadlines or your response feels incomplete, the requester may send follow-up emails asking where things are. This is your chance to reset the tone and get back on track.
Step 2: ICO Complaint
Many SAR disputes escalate to the Information Commissioner’s Office (ICO). The ICO can ask your business for information about how you handled the request.
Even if the ICO doesn’t fine you, the process can be time-consuming and stressful. The best defence is being able to show:
- you responded on time (or properly extended)
- you conducted reasonable searches
- you applied redactions/exemptions appropriately
- you communicated clearly and professionally
Step 3: Compensation Discussions Or A Formal Claim
Compensation might be raised directly by the requester, through solicitors, or as part of a wider dispute (for example an employment dispute where the SAR is part of the evidence gathering).
At this stage, what matters is whether the requester can link:
- a breach of data protection law, to
- actual damage (financial loss and/or distress).
If your records show you acted reasonably and lawfully, that can help you defend or narrow the claim significantly.
Key Takeaways
- Subject access request compensation can arise where your business breaches data protection law and an individual suffers financial loss and/or (more than trivial) distress.
- Common SAR compensation risk triggers include missed deadlines, incomplete searches, poor handling of redactions, and accidental disclosure of third-party data.
- A simple but consistent SAR process (acknowledgement, ID checks, scope, searches, review, secure delivery) can prevent most disputes from escalating.
- Documenting your decision-making is crucial, especially where you apply exemptions, redact information, or extend deadlines due to complexity.
- Monitoring data, staff communications, and scattered systems often make SARs harder; clear internal policies and good data mapping can reduce risk and cost.
- If a SAR is linked to a dispute, getting tailored legal advice early can help you respond confidently and avoid creating extra exposure.
This article is general information only and isn’t legal advice. If you’d like advice on your specific situation, get in touch with a lawyer.
If you’d like help with your SAR process, responding to a difficult request, or tightening up your GDPR compliance documents, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.