Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you handle customer, staff or supplier information, subject access request law isn’t optional - it’s a core part of your GDPR compliance. Getting SARs right protects trust, avoids ICO complaints and fines, and saves your team a huge amount of time.
In this guide, we’ll explain what subject access requests (SARs) mean for your small business, the legal rules you must follow under UK GDPR and the Data Protection Act 2018, and a simple, repeatable process you can adopt to respond confidently. We’ll also flag common pitfalls (like email trawls and third‑party data) and how to reduce risk with good policies, contracts and training.
What Is A Subject Access Request Under UK Law?
A subject access request is a request from an individual for a copy of their “personal data” and related information you hold about them. The right of access is set out in Article 15 of the UK GDPR and supplemented by the Data Protection Act 2018 (DPA 2018).
In practice, a SAR could be as formal as a letter referencing “Article 15” or as simple as a customer emailing “please send me all the information you hold about me.” It doesn’t need to mention “subject access” to be valid, and it can arrive through any channel (email, web chat, social media, even verbally).
As a controller, you’re responsible for recognising, recording and responding. If you use external providers (for example, cloud CRM or payroll), you remain accountable for the final response, even where the data sits with your processor.
If you’ve never handled one before, don’t panic - the rules are clear, and with a good process you can deal with subject access requests efficiently and lawfully.
What Does Subject Access Request Law Require You To Do?
UK GDPR and the DPA 2018 set out the ground rules for responding to SARs. Here’s what you need to know in plain English.
1) Time Limits
- Baseline deadline: One month from the day you receive the request.
- Extensions: You can extend by a further two months (three months in total) if the request is complex or you’ve received multiple requests from the same person. You must tell the individual within the first month that you’re extending and explain why.
Working out the timeline can be trickier than it sounds. Under ICO guidance the month runs from the day you receive the request to the corresponding calendar date in the next month (or the last day of that month if there is no corresponding date, e.g. 31 January to 29 February), and if that date falls on a weekend or bank holiday you should respond by the next working day. Having a clear diary system and being across the rules for SAR deadlines will help you avoid accidental breaches.
2) Identity Checks
You should take “reasonable steps” to verify identity before disclosing personal data, proportionate to the sensitivity of what you hold. Ask only for what’s necessary - if the person is writing from the email address they registered with your service, that will often be enough; a utility bill or photo ID should be reserved for cases where there is genuine doubt. Don’t create new privacy risks by requesting excessive ID documents, and delete any ID you do collect once it has served its purpose.
3) Scope Of “Personal Data”
Personal data is any information that identifies (or could identify) a living person. That includes obvious items like names and email addresses, and less obvious items like device IDs, IP addresses, notes about performance, CCTV footage, call recordings and emails that mention the person.
It must relate to the person who made the request. For example, an internal email about a client’s account that names them will likely be “personal data” for SAR purposes; a sales report that includes their purchase as one line in an aggregated dataset may not be.
4) Format And Content Of Your Response
You must provide:
- A copy of the personal data itself (unless an exemption applies).
- Supplementary information such as: the purposes of processing; categories of personal data; recipients or categories of recipient; retention periods; the person’s rights (including complaint rights to the ICO); and where you obtained the data if not from the individual.
Data should be provided securely, in a commonly used electronic format where possible. Make sure the person can actually access it (e.g., avoid obscure file types or password schemes that are difficult to use), and send any password or download link by a different channel from the data itself.
5) Fees
You can’t normally charge for a SAR. You may charge a reasonable fee (or refuse to act) if a request is “manifestly unfounded or excessive,” particularly if it’s repetitive. If you intend to rely on this, document your reasoning carefully and consider offering a narrower scope first.
6) Third‑Party Data And Confidentiality
When personal data about the requester is intertwined with information about others (for example, another employee is named in an email), you must balance the requester’s right of access with the rights of third parties. Often this means redacting names or other identifiers where reasonable. Certain confidential information (like trade secrets) may also be protected.
7) Exemptions
The DPA 2018 includes a series of exemptions where you can withhold some or all data - for example, legal professional privilege, management information relating to business planning, confidential references you’ve given, crime and taxation, regulatory functions, and negotiations with the individual where disclosure would prejudice discussions.
Exemptions are nuanced - apply them narrowly, record your reasoning, and explain clearly (without revealing the exempt material) why something has been withheld. If in doubt, review the commonly used SAR exemptions and get advice.
How To Build A Compliant, Repeatable SAR Process
Small businesses don’t need a huge team to manage subject access request law effectively. A simple, documented workflow will do most of the heavy lifting and reduce the risk of errors under time pressure.
Step 1: Create A Single Front Door
Provide a clear contact point (for example, a privacy email address or web form) so requests aren’t lost in busy inboxes or social DMs. An access request form can help you collect essential details (identity, contact method, what data they want, relevant date range) without making the process burdensome.
Step 2: Acknowledge And Verify
Acknowledge receipt quickly and start the clock. If you genuinely need ID to verify the requester, ask promptly and explain that the one‑month period does not start until you receive it - but don’t use an ID check as a way to delay a request from someone you can already identify. Keep a log with dates, decision points and the scope you’re working to.
Step 3: Clarify Scope (Politely)
You can ask the individual to narrow their request if it’s broad (e.g., “all emails about me since 2014”). Suggesting search terms, date ranges, systems or specific interactions helps keep the process proportionate. Remember: you can’t refuse to act just because a request is wide - but you’re allowed to seek clarification to target your searches sensibly.
Step 4: Identify Systems And Owners
Map where personal data lives in your business. Typical places include:
- CRM and marketing tools
- Support platforms and chat logs
- Accounting and payment systems
- HR files, payroll, benefits portals
- Email, messaging apps and shared drives
- Call recordings and CCTV
- Project tools and ticketing systems
Nominate a system owner for each area so it’s clear who performs searches and by when.
Step 5: Search Thoroughly But Proportionately
You’re expected to make reasonable efforts. That usually means using defined search terms, relevant date ranges and sensible filters. You don’t have to routinely restore deleted archives or trawl every backup, but data you still hold and can readily search (including live backups and archive mailboxes) is in scope, and you should search the systems you actually use.
Step 6: Review, Redact And Apply Exemptions
Review results for third‑party data, confidential information and any relevant exemptions. Redact or withhold only where justified, and keep a short note of decisions. Pay special attention to emails and file threads - context matters, and snippets can introduce risks if not checked carefully.
Step 7: Provide The Response Pack
Bundle the personal data in a clear folder structure, include your covering letter with the required supplementary information, and provide secure access (for example, an encrypted archive or a secure, expiring download link). If you use a password‑protected zip, choose a tool that applies AES encryption rather than legacy zip password protection, send the password by a separate channel (e.g. SMS or phone if the data goes by email), and double‑check that the delivery address is the one you verified. Always include ICO complaint rights and contact details in case the person has questions.
Step 8: Update Your Records
Record outcome, dates and decisions so you can demonstrate compliance if challenged. Use what you learned to improve searches next time (for example, adjust your data map or add a new search term to your playbook).
Common SAR Pitfalls For Employers And SMEs (And How To Avoid Them)
SARs often arrive at stressful moments - a grievance, disciplinary process or customer complaint. That’s when mistakes happen. Here are the traps we see most often.
“We Missed The Deadline”
Time slips when requests sit in a personal inbox or when teams go on holiday. Use a central intake, set internal deadlines a week ahead of the legal cut‑off, and be ready to extend where justified. A simple tracker and awareness of the deadline rules go a long way.
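As an added example (not part of the original article), the deadline rules from the “Time Limits” and “Acknowledge And Verify” sections above, plus the internal one‑week buffer suggested here, in a small Python helper. It assumes the ICO approach: the month runs to the corresponding calendar date (or the last day of the month if there is none), a weekend or bank holiday rolls the deadline to the next working day, the clock starts from the day outstanding ID or clarification arrives, and an extension takes the statutory date to three months from the clock start. The `holidays` set is supplied by you; the code does not know the UK bank holiday calendar.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta


def add_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` ahead; if that month is shorter,
    its last day (31 Jan + 1 month -> 29 Feb 2024, 31 Mar + 1 month -> 30 Apr)."""
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    return date(year, month, min(start.day, calendar.monthrange(year, month)[1]))


def next_working_day(d: date, holidays: frozenset[date] = frozenset()) -> date:
    """Roll a date that lands on a weekend or a listed public holiday forward
    to the next working day (assumed ICO rule)."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


@dataclass(frozen=True)
class SarTimeline:
    clock_start: date          # day the request (or outstanding ID/clarification) arrived
    notify_extension_by: date  # the one-month date: any extension must be explained by then
    deadline: date             # statutory response date (one month, or three if extended)
    internal_target: date      # house rule from the article: aim a week ahead of the cut-off


def sar_timeline(
    received: date,
    *,
    id_received: date | None = None,
    extended: bool = False,
    holidays: frozenset[date] = frozenset(),
) -> SarTimeline:
    """Compute the dates to put in the SAR tracker for one request."""
    # The month does not start until any ID you genuinely needed has arrived.
    clock_start = id_received if id_received is not None and id_received > received else received
    one_month = next_working_day(add_months(clock_start, 1), holidays)
    # Extension (complex/multiple requests): assumed as three months from the clock start.
    deadline = next_working_day(add_months(clock_start, 3), holidays) if extended else one_month
    return SarTimeline(clock_start, one_month, deadline, deadline - timedelta(days=7))


if __name__ == "__main__":
    # Constructed example: request received on 31 January 2024, no ID needed.
    t = sar_timeline(date(2024, 1, 31))
    print(f"Respond by {t.deadline} (internal target {t.internal_target})")
```

Put the `deadline` in a shared calendar rather than a personal inbox, and recompute if you later decide to extend - the `notify_extension_by` date is the one you must not miss when doing so.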
Searching The Wrong Places (Or Everywhere)
Either extreme is risky. Searching too narrowly misses relevant data; searching every system and backup burns time and money. A current, practical data map and a scoped search plan keep you in the “reasonable and proportionate” sweet spot.
Forgetting Third‑Party Data
Disclosing another person’s personal data is a common error. Train reviewers to spot names, emails, phone numbers and other identifiers, and to consider whether redaction or anonymisation resolves the issue. If disclosure is necessary and fair, you may be able to provide information with context rather than full identifiers.
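The third‑party review in Step 6 and the trap described here are usually done by hand, but a first pass that flags obvious identifiers and logs every decision makes the human review faster and gives you the “short note of decisions” for the file. Below is an added example (not code from the original article) in Python that redacts email addresses, UK mobile numbers and a supplied list of colleague names from a constructed email, while leaving the requester’s own identifiers intact. The sample message, the requester details and the name list are all made up for the example; the name list in practice would come from your HR directory, and every flagged item still needs a reviewer’s eye, since context can identify someone even after their name is removed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: an internal HR thread that mentions the requester and two colleagues.
SAMPLE_EMAIL = """\
From: jane.doe@example.co.uk
To: priya.nair@example.co.uk
Subject: Re: Sam Patel probation review

Priya, I spoke with Sam Patel (sam.patel@example.co.uk) this morning.
Call me on 07700 900123 if you want to discuss before Friday.
Jane
"""

# The person making the SAR: their own identifiers must NOT be redacted.
REQUESTER_IDENTIFIERS = ["Sam Patel", "sam.patel@example.co.uk"]
# Third parties known to appear in the material (assumed to come from an HR directory).
THIRD_PARTY_NAMES = ["Jane Doe", "Priya Nair"]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# UK mobile numbers in 07xxx xxxxxx or +44 7xxx xxxxxx form (simplified pattern).
UK_MOBILE_RE = re.compile(r"\b(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b")


@dataclass(frozen=True)
class Redaction:
    kind: str      # "email", "phone" or "name"
    original: str  # what was removed, for the reviewer's decision log (keep this file secure)
    reason: str


@dataclass
class RedactionResult:
    text: str
    log: list[Redaction] = field(default_factory=list)


def redact_third_parties(
    text: str, requester_identifiers: list[str], third_party_names: list[str]
) -> RedactionResult:
    """First-pass redaction of other people's identifiers from a SAR search hit."""
    keep = {s.lower() for s in requester_identifiers}
    keep_tokens = {tok for s in keep for tok in s.split()}
    log: list[Redaction] = []

    def sub_email(m: re.Match) -> str:
        if m.group(0).lower() in keep:
            return m.group(0)  # requester's own address stays
        log.append(Redaction("email", m.group(0), "third-party email address"))
        return "[REDACTED EMAIL]"

    def sub_phone(m: re.Match) -> str:
        log.append(Redaction("phone", m.group(0), "phone number not belonging to requester"))
        return "[REDACTED PHONE]"

    text = EMAIL_RE.sub(sub_email, text)
    text = UK_MOBILE_RE.sub(sub_phone, text)

    # Full names first, then first names, longest match first so "Priya Nair" beats "Priya".
    candidates = sorted(
        {n for full in third_party_names for n in (full, full.split()[0])}, key=len, reverse=True
    )
    for name in candidates:
        if name.lower() in keep_tokens:
            continue  # a first name shared with the requester is left for the reviewer
        pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)

        def sub_name(m: re.Match, name: str = name) -> str:
            log.append(Redaction("name", m.group(0), f"third-party name ({name})"))
            return "[REDACTED NAME]"

        text = pattern.sub(sub_name, text)

    return RedactionResult(text, log)


if __name__ == "__main__":
    result = redact_third_parties(SAMPLE_EMAIL, REQUESTER_IDENTIFIERS, THIRD_PARTY_NAMES)
    print(result.text)
    for entry in result.log:
        print(f"{entry.kind:5} {entry.original!r}: {entry.reason}")
```

The log is what goes in your decision note; the redacted text is what goes in the response pack. Treat the log itself as personal data, since it lists exactly what you removed.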
Over‑Redacting (Or Over‑Using Exemptions)
Exemptions must be applied narrowly and with evidence. Over‑redaction can look evasive and trigger complaints. If you’re unsure, cross‑check your decisions against frequently used exemptions and keep a short justification note for your file.
Sending Data In Insecure Or Unusable Formats
ZIPs without passwords, unencrypted email attachments or obscure file types can all cause problems - and sending the data to the wrong address is a personal data breach in its own right. Follow your security policy, use pragmatic encryption with the password sent separately, confirm the recipient address matches the one you verified, and double‑check that links work before you hit send.
Thinking “No Record” Means “No Risk”
If you’ve deleted data, you may still need to explain your retention policy and when deletion occurred. Don’t invent data - but do provide meaningful information where the law requires it, like describing the categories of data you process and your retention approach.
How SARs Fit Into Your Wider GDPR Compliance
SARs don’t exist in a vacuum. They test the health of your overall privacy framework. If you can respond quickly and accurately, it usually means you’re doing the fundamentals well. If you’re scrambling, consider strengthening your GDPR foundations.
Have The Right Policies In Place
- External policy: Make your Privacy Policy clear, accessible and accurate. It should reflect your real processing, not generic wording.
- Internal policy: Keep a SAR playbook that sets out roles, timelines, search terms, exemptions, security steps and template communications.
Get Your Contracts In Order
If service providers process personal data for you (email, storage, CRM, payroll), you need a compliant Data Processing Agreement with each processor. This ensures cooperation with SARs, security obligations and deletion/return of data at the end of the service.
Where you share data with other controllers (for example, a partner brand running a joint promotion), use a Data Sharing Agreement to set out roles, lawful bases and SAR responsibilities.
Map Your Data And Set Retention Periods
A living data map (systems, owners, what data is stored, retention periods) saves hours during a SAR. Retention policies also reduce the volume you must search, because you’re not storing personal data longer than necessary.
Train Your Team
Make sure staff know how to recognise a SAR and who to alert. Include examples (“Please send me everything you hold about me”) and reinforce that a SAR can arrive via any channel. Training doesn’t need to be fancy - short refreshers and a quick reference guide are often enough.
Use Templates (But Tailor Your Responses)
Templates keep you consistent and save time - acknowledgement emails, ID requests, clarification notes, and response letters. Just remember to tailor the final response to the individual’s request. If you don’t have your own yet, start with a simple structure and build from experience, or consider creating a documented workflow and template pack alongside your SAR process.
Employee SARs: Special Considerations For UK Employers
Employee and ex‑employee SARs are increasingly common and can be time‑consuming. Here are the points that usually need extra attention.
Emails And Messaging Platforms
“All emails about me” can generate huge volumes. Work with the requester to focus on relevant timeframes, teams and keywords. Be especially careful with group threads, comments and docs that name multiple individuals - redaction is your friend.
Management Information And Negotiations
Some internal documents may be exempt (for example, management forecasting or documents revealing the thinking in ongoing negotiations with the employee). Apply exemptions carefully, keep a note, and provide what you can.
References And Whistleblowing
Confidential references you’ve given may be exempt; references you’ve received are treated differently. Whistleblowing reports often raise third‑party and safety concerns. Treat these with extra care and seek advice where needed.
Health Data
Health information is “special category data.” You can disclose it under a SAR, but ensure you have appropriate safeguards in place and consider whether disclosure could cause serious harm (a limited exemption may apply). Never disclose another person’s health information inadvertently when responding.
When Can You Refuse A Subject Access Request?
Subject access request law doesn’t let you simply decline because a request is inconvenient or broad. However, you can refuse (wholly or partly) in these situations:
- The request is manifestly unfounded (for example, malicious intent with no genuine desire for access).
- The request is manifestly excessive (for example, repetitive or disproportionate in the circumstances).
- A specific exemption applies under the DPA 2018 (for example, legal professional privilege).
If you refuse, you must explain why, tell the individual they can complain to the ICO, and inform them of their right to go to court. Where appropriate, offer a narrower scope or a reasonable fee for the actual administrative costs of fulfilling an excessive request. If you plan to rely on an exemption, refresh yourself on the most common exemptions before responding.
Quick Compliance Checklist For Your Business
- Provide a clear SAR contact route (email or access request form).
- Log requests immediately and calculate the one‑month deadline (considering the extension rules).
- Verify identity proportionately; don’t collect excessive ID.
- Clarify scope where helpful; suggest dates, systems and keywords.
- Search mapped systems thoroughly but proportionately.
- Review results for third‑party data, apply exemptions narrowly, redact where appropriate.
- Send data securely with required supplementary information and ICO rights.
- Update logs and refine your process based on lessons learned.
Key Legal Documents That Support SAR Compliance
A few well‑chosen documents make SARs faster and safer to handle:
- Privacy Policy that accurately sets out what you collect, why and for how long, plus how people can exercise their rights.
- Data Processing Agreement with each processor to ensure they assist with SARs and maintain appropriate security.
- Data Sharing Agreement (where applicable) to allocate responsibilities between controllers and set a consistent process for rights requests.
- Internal SAR policy and templates (acknowledgements, ID checks, clarification requests, response letters, redaction standards).
- Records of processing activities and a data map to direct searches quickly.
Subject Access Requests And Your Deletion/Retention Rules
Good retention hygiene reduces SAR workload. Keep personal data only for as long as you genuinely need it, and then delete or anonymise it in line with your policy. If a SAR arrives while deletion is due, pause deletion for the data that falls within scope until you’ve responded - then resume according to your schedule.
If you’re struggling with timeframes, remember that the law expects you to act without undue delay. Where requests become complex, communicate early, explain the reason for an extension, and keep a clear record. Building your approach into your privacy information, contracts and staff training means you’ll be ready when the next request lands.
Key Takeaways
- Subject access request law under UK GDPR and the DPA 2018 gives individuals the right to access their personal data; you usually have one month to respond and must act without undue delay.
- Set up a simple, repeatable SAR process: a single intake point, identity checks, scoped searches, careful review/redaction, and a secure, clear response.
- Apply exemptions narrowly and document your reasoning; where feasible, offer to narrow scope before refusing or charging a fee.
- Strengthen your GDPR backbone with a clear Privacy Policy, robust Data Processing Agreement terms, and a mapped record of systems and retention periods.
- Train staff to recognise SARs (they can arrive via any channel), track deadlines carefully, and respond securely with the required supplementary information.
- Employee SARs often involve email searches, third‑party data and sensitive information - plan redaction workflows and escalation points in advance.
If you’d like tailored help setting up a compliant SAR process, drafting policies and templates, or handling a complex request, our team can help. You can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.