Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Get a subject access request (SAR) and your stomach drops? Don’t stress. With a clear playbook, you can respond properly, on time, and with minimal disruption to your day-to-day operations.
In the UK, a subject access request must be responded to in one month. That deadline matters - missing it can invite complaints to the ICO, reputational damage and unnecessary hassle.
Below, we break down the rules in plain English, show you how to calculate deadlines (including extensions), and share a practical workflow you can lift into your business today.
What Is A Subject Access Request (SAR) And When Does It Apply?
A subject access request is when an individual asks you for a copy of their personal data and related information you hold about them. Under the UK GDPR and the Data Protection Act 2018, every organisation that processes personal data must be able to respond to SARs - that includes sole traders, startups and established SMEs.
Personal data is any information that identifies a person (directly or indirectly). Think names, emails, order histories, support tickets, CCTV that shows their face, device identifiers, CRM notes, GPS logs and more. If you can tie it to an identifiable individual, it is likely personal data.
SARs can be made:
- Through any channel - email, post, webform, social media DMs or even verbally
- By the individual or someone acting on their behalf (e.g. a solicitor) with authority
- Without special wording - it counts as a SAR if the person is asking for “my data”
As a business, you’ll handle SARs more smoothly if you have a clear, accessible Privacy Policy explaining how people can contact you and what to expect. It also helps to standardise your response documents using a simple SAR template so your team isn’t starting from scratch each time.
The Time Limit: When You Must Respond (And How To Calculate It)
Under the UK GDPR, you must respond “without undue delay and in any event within one month” of receiving a valid SAR.
In practice, that means:
- One month from the date of receipt, counted to the same calendar day in the next month (e.g. received 3 March → deadline 3 April).
- If there’s no equivalent date in the next month (e.g. received 31 January), the deadline is the last day of the next month (e.g. 28 or 29 February).
- If the deadline falls on a weekend or public holiday, it rolls to the next working day.
- You can extend by up to two further months where the request is complex or you’ve received multiple requests from the same individual.
It’s fine to acknowledge quickly, then deliver your full response within the time limit. Just don’t leave it to the final day - you may need time for clarifications, redactions, file exports and sign-off.
Because deadline math can trip people up, many teams keep a simple tracker or follow a DSAR deadlines checklist to keep everyone aligned on dates.
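The deadline rules above translate directly into code, and a small calculator like this is the heart of the tracker many teams keep. The example below is added here to illustrate the rules; it is not code from Sprintlaw. It applies the same-calendar-day rule, falls back to the last day of the month when that day does not exist, rolls weekend and public-holiday deadlines to the next working day, and caps extensions at two further months. The bank-holiday list is a constructed sample, and the assumption that notice of an extension is due by the original (rolled) one-month deadline is the author's, not something the text spells out.

```python
import calendar
from datetime import date, timedelta

# Constructed sample of UK bank holidays for illustration only; a real
# tracker should load the official list for every year the deadline can touch.
SAMPLE_UK_BANK_HOLIDAYS = frozenset({
    date(2025, 4, 18),   # Good Friday
    date(2025, 4, 21),   # Easter Monday
    date(2025, 5, 5),    # Early May bank holiday
    date(2025, 12, 25),  # Christmas Day
    date(2025, 12, 26),  # Boxing Day
})


def add_calendar_months(start: date, months: int) -> date:
    """Same calendar day `months` later, or the last day of that month when the
    start day does not exist there (31 January -> 28 or 29 February)."""
    month_index = start.month - 1 + months
    year, month = start.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, holidays=frozenset()) -> date:
    """Roll forward past Saturdays, Sundays and any listed public holidays."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def sar_deadline(received: date, extension_months: int = 0,
                 holidays=frozenset()) -> date:
    """One month from receipt, plus up to two further months once an extension
    has been notified, rolled to the next working day if needed."""
    if extension_months not in (0, 1, 2):
        raise ValueError("an extension may add at most two further months")
    return next_working_day(add_calendar_months(received, 1 + extension_months), holidays)


def sar_timeline(received_iso: str, today_iso: str, extension_months: int = 0,
                 holidays=frozenset()) -> dict:
    """Dates for the SAR log, as ISO strings. Assumption: the notice of an
    extension is due by the original (rolled) one-month deadline."""
    received, today = date.fromisoformat(received_iso), date.fromisoformat(today_iso)
    respond_by = sar_deadline(received, extension_months, holidays)
    return {
        "received": received.isoformat(),
        "respond_by": respond_by.isoformat(),
        "extension_notice_by": sar_deadline(received, 0, holidays).isoformat(),
        "extended": extension_months > 0,
        "days_remaining": (respond_by - today).days,   # negative once overdue
    }


if __name__ == "__main__":
    for received in ("2025-03-03", "2025-01-31", "2025-03-18", "2025-12-31"):
        print(sar_timeline(received, "2025-03-20", holidays=SAMPLE_UK_BANK_HOLIDAYS))
```

Feeding `sar_timeline` the receipt date, today's date and the notified extension gives the two dates a SAR log needs (when the response is due and by when any extension must be notified) plus a days-remaining figure for reminders. If you pause the clock while waiting for ID, pass the date the ID arrived as the receipt date rather than adjusting the output.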
What To Include, How To Deliver And Record Your Response
Your SAR response must include both the personal data itself and certain information about your processing. Aim to cover, in plain language:
- A copy of the personal data you hold about the requester (search across all your systems: email, chat, CRM, databases, cloud storage, backups where feasible, CCTV, etc.).
- Purposes for processing (e.g. order fulfilment, customer support, marketing).
- Categories of personal data (contact details, purchase history, device IDs, etc.).
- Recipients or categories of recipients you share data with (e.g. payment providers, couriers, cloud vendors).
- Retention periods or how you determine them.
- Individual rights (rectification, erasure, restriction, objection, portability) and the right to complain to the ICO.
- Data sources if not collected from the individual (e.g. third-party lead lists).
- Safeguards for international transfers (if data is sent outside the UK).
Format and delivery tips:
- If the request came electronically, provide the data in a commonly used electronic format unless the individual asks otherwise (e.g. CSV, PDF, ZIP export).
- Use secure delivery: encrypted links, password-protected files and separate password channels. Avoid sending raw data in normal email attachments if possible.
- Redact third-party data where necessary (e.g. other customers’ names in a support thread). If you can’t separate it, explain why and provide as much as you lawfully can.
- Keep a clear audit trail of your searches, decisions, redactions, and what you sent. This helps if the individual queries your response or complains to the ICO.
If you rely on external suppliers to process data (CRMs, helpdesks, SaaS tools), make sure you can obtain exports quickly. Having a robust Data Processing Agreement with your processors helps you set deadlines, assistance obligations and security expectations, so SARs don’t stall at a vendor’s door.
Refusals, Fees And Exemptions To Be Aware Of
Most SARs must be fulfilled free of charge. However, you can refuse or charge a reasonable fee in limited situations:
- Manifestly unfounded requests (e.g. malicious intent, clear lack of any real purpose beyond causing disruption).
- Manifestly excessive requests (e.g. disproportionate scope that can’t be reasonably fulfilled without significant burden). Consider narrowing first.
- Repeated requests for further copies of the same data - you may charge a reasonable administrative fee for additional copies.
Exemptions may also apply to specific data categories - for example, protecting the rights of others, legal professional privilege, confidential management forecasting, or crime and taxation matters. If you rely on an exemption, explain what you can and why certain data isn’t being disclosed. A quick internal check against common SAR exemptions can help you assess the risk early.
Even when you refuse (or partly refuse), you must still respond within the usual timeframe, explain your reasons and inform the individual of their right to complain to the ICO. It’s also wise to keep a polite tone - a firm but friendly explanation can prevent an avoidable escalation.
A Practical Step-By-Step SAR Workflow For Small Businesses
Here’s a simple, repeatable process you can adopt across your business. It’s designed to keep you compliant and cut down on back-and-forth.
1) Log And Acknowledge The Request
- Record the date received, the requester’s details, and the channel (email, webform, etc.).
- Send a quick acknowledgement within a few days, setting expectations about timing and next steps. A short, consistent SAR template saves time.
2) Verify Identity And Clarify Scope (If Needed)
- If you have doubts about identity, ask for reasonable ID. You can pause the clock while you wait for it.
- If the request is very broad, ask the individual to narrow the timeframe, systems or categories. Keep questions reasonable - this is about making the response workable, not creating hurdles.
3) Map Where The Data Lives
- List your core systems: email, CRM, order management, ticketing, shared drives, messaging, cloud storage, CCTV, HR/payroll.
- Loop in department owners early (sales, support, HR). Give them clear search terms and a deadline.
- Ask processors (SaaS providers) for exports where needed - your Data Processing Agreement should require timely assistance.
4) Collect, Review And Redact
- Consolidate results and remove duplicates.
- Redact third-party data you’re not permitted to disclose.
- Flag potential exemptions with your legal team if anything seems sensitive or privileged.
5) Prepare The Accompanying Information
- Confirm your purposes, categories, recipients, retention and rights summary.
- If you transfer data outside the UK, include high-level safeguards (e.g. standard contractual clauses).
- Use clear language - the aim is transparency.
6) Deliver Securely And On Time
- Provide the data in a commonly used format (e.g. CSV/PDF/ZIP) with password protection and a separate password channel.
- Include a covering note summarising what’s included, anything withheld (and why), and how to raise questions.
- Make sure you’re within the one-month limit, or have properly notified an extension for complex requests.
7) File Your Audit Trail
- Store your internal notes, search logs, redaction decisions and copies of what you sent.
- Update your SAR log to show completion, timing and outcomes. Consistent documentation demonstrates accountability if questioned later.
If your team receives SARs by email frequently, standardising responses and triage steps using a simple playbook can save hours. Many businesses start with a lightweight checklist and an email pack based on this SAR email steps approach, then refine as volumes grow.
And to make future SARs easier, tighten your privacy hygiene now - a clear Privacy Policy, a data map, and consistent retention/deletion practices reduce the amount you need to pull each time.
Key Takeaways
- A subject access request must be responded to in one month from receipt. You can extend by up to two further months for complex or multiple requests, but notify the individual within the first month and explain why.
- You can pause the clock while you verify identity or clarify scope. Keep your questions reasonable and proportionate.
- Your response must include both the data and key processing information (purposes, categories, recipients, retention, rights, sources, transfer safeguards). Deliver securely, preferably in a commonly used electronic format.
- Most SARs are free. You may refuse or charge a reasonable fee only if the request is manifestly unfounded or excessive, or for repeat copies. Check relevant exemptions before withholding anything.
- Have a repeatable workflow: log and acknowledge, verify identity, map systems, collect and redact, provide required information, deliver securely and keep an audit trail.
- Prepare before a request arrives: a reliable SAR deadlines guide, a practical SAR template, and solid processor terms via a Data Processing Agreement will make compliance faster and less stressful.
If your business handles a steady stream of customer data, it’s normal to feel daunted by SARs at first. With the right documents and a simple playbook, they become a manageable admin task - and a sign that you take privacy seriously. If you need tailored help with SARs, data mapping or building a privacy toolkit, our team can guide you through it.
If you’d like help with responding to SARs or setting up your privacy compliance, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.