Subject Access Request Templates: Creating One That Passes Muster

Handling personal data requests isn’t just a regulatory box-tick – it’s a core part of building trust with your clients and staff. In a world where data privacy is on everyone’s mind, getting your approach to Subject Access Requests (SARs) right is crucial for any UK business. Whether you’re a startup founder, an SME owner, or responsible for compliance in an established firm, using a robust subject access request template can make responding to SARs a whole lot less daunting. But be careful: a “cookie-cutter” response might miss legal requirements and land you in hot water with the Information Commissioner’s Office (ICO). So, how do you get your template – and your process – right? In this guide, we’ll break down what SARs are, the rules you must follow under the UK GDPR, how templates can help, and practical steps for building an approach that keeps your business compliant and your data subjects satisfied. We’ll also cover common pitfalls and offer expert insight into making SAR templates that really pass muster. Ready to lay strong legal foundations for your business’s data privacy programme? Read on.

What Is A Subject Access Request (SAR)?

A Subject Access Request (SAR) is a formal way for individuals, known as data subjects, to ask an organisation for a copy of the personal data it holds about them. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, every individual has the right to see what information an organisation is holding about them – and to receive this information within a strict timeframe, usually no more than one month. This right is fundamental to the UK’s privacy framework. It enables individuals to check the accuracy of their data, understand how it’s being used, and challenge any mistakes or misuse.

• Customers might want to know what data you store about their purchases or complaints.
• Employees can request their HR files or performance records.
• Website users may ask about tracking and analytics information.

When a SAR lands in your inbox, your business must act promptly, efficiently, and – crucially – in line with the law. That’s where a solid SAR template can help.

Why Are SAR Templates Important?

Responding to a SAR is not as simple as sending out a pre-written letter or clicking “reply all.” There are strict legal requirements about what – and how – you must communicate. Getting the response wrong could mean reputational damage, fines, and resource-sapping investigations. A good subject access request template helps you:

• Standardise your response process – so your team know exactly what to do, every time a request comes in.
• Ensure legal compliance – so your responses include all required information under the UK GDPR and Data Protection Act 2018.
• Drive efficiency – by capturing key steps and wording, your staff spend less time reinventing the wheel (while still tailoring replies individually).
• Demonstrate accountability – having clear templates and processes is evidence to the ICO (and clients) that you take your obligations seriously.

But beware: templates are only the starting point. Each SAR should be handled on its own facts and context. Copy-paste answers risk missing important details, failing to address specific queries, or even unlawfully disclosing other people’s information.

Who Can Make A Subject Access Request – And How?

Anyone – that’s right, any individual whose data you hold – can submit a subject access request. They don’t have to use any special language or fill in a particular form. Requests can be made in person, by email, postal mail, social media, or even over the phone. So, what counts as a valid SAR? UK law is deliberately broad. If someone asks for "all information you hold about me," that’s enough to trigger your obligation to respond. You cannot reject a SAR simply because it’s not in your preferred format. That said, you can make life easier (for both you and the requester) by offering a template form on your website or in your privacy communications. This helps ensure the right information is captured at the outset, speeding up identification and search for records. Still, you must honour all valid requests, whether they use your template or not.

What Should A Good Subject Access Request Template Include?

If you’re putting together a SAR request template for individuals (or a response template for your business’s replies), you’ll want to cover a few essentials. Here’s what to include:

For SAR Request Templates (For Individuals Making Requests)

• Full name and contact details of the data subject
• Any reference number or account ID (if relevant)
• Description of the information sought (all data, or data for a time period/project type/etc.)
• Preferred method for receiving the data (email, post, in person)
• Proof of identity (so you don’t give data to the wrong person)
• Signature and date

For SAR Response Templates (For Businesses Responding To Requests)

• Acknowledge receipt of the SAR and date received
• Verification of the individual’s identity (if not already completed)
• Explanation of the information you hold and are providing
• Attachments or enclosed documents containing the personal data requested
• Details of any data you haven’t provided (and the legal reasons why – e.g., privacy of others, ongoing investigations, etc.)
• Information about the data source, retention periods, and how to request erasure or rectification
• Guidance on complaining to the ICO if they’re dissatisfied
• Your company’s contact details for further queries

You should also reference your organisation’s Privacy Policy and data protection officer (if you have one) so individuals know their rights and where to get help.

What Does The Law Say? SAR Format And Legal Requirements

UK GDPR and the Data Protection Act 2018 don’t just say “respond promptly” – they’re more specific. Here are some legal must-haves:

• Timeliness: You must respond within one month of receiving the request (with some room for extension if the request is complex, but you must inform the data subject promptly).
• No Unreasonable Barriers: You can’t require a special form or charge a fee (unless the request is “manifestly unfounded or excessive”).
• Identity Verification: You’re entitled to confirm the requester’s identity before releasing personal data, but delays should be kept to a minimum.
• Provide Data In A Structured Format: Data should be supplied in commonly used formats (such as PDF, CSV, etc.), and be clear and understandable.
• Avoid Unlawful Disclosure: Take care not to reveal someone else’s personal data as part of your response. This is a major area where templates fall short if not reviewed on a case-by-case basis.
• Cover All Legal Points: Your response should clarify the reasons for any withheld information, the individual’s rights, and how they can escalate if unsatisfied.

If you need extra clarity on the finer points, the ICO’s own SAR response guidance is a useful resource – but speaking with an experienced data privacy lawyer is wise if you’re unsure, or if the request is particularly complex.

How Can I Tailor My SAR Template For Compliance?

Templates are a great tool for operational efficiency, but SARs are not “one-size-fits-all.” Every request is different. You’ll need to adapt your response according to:

• The identity of the requester (customer, staff, child, parent, third party acting on behalf of someone else, etc.)
• The context (employee file, consumer enquiry, marketing records, CCTV images, etc.)
• The nature and volume of data held
• Any legal exceptions that apply (e.g., legal privilege, references, third party information, ongoing investigations)

It’s easy to see how a copy-paste approach could miss something crucial. For example, you might need to withhold, redact, or summarise part of a record containing details about other individuals. Make sure you review every response carefully, involve your data protection officer (if you have one), and document your reasoning for any information you withhold or modify. If this sounds overwhelming – don’t worry. Legal experts can help you draft, review, and update your templates and your processes so you stay covered.

What Are The Common SAR Template Mistakes?

We see several SAR-related slip-ups that could get your business into trouble:

• Sending generic or incomplete responses (e.g. failing to include data from all relevant departments or systems).
• Using templates that don’t acknowledge the specifics of each case.
• Failing to verify the requester’s identity before releasing data.
• Not explaining redactions or reasons for withholding information.
• Missing key deadlines due to lack of a streamlined, tracked process.
• Neglecting to update templates as laws and guidance evolve.

The solution? Regularly review your template and SAR process – ideally with the support of an expert. Staying up to date is especially important as privacy law in the UK is still developing and guidance changes.

What Tools And Resources Can Help With SARs?

Developing the right SAR template is only one piece of the puzzle. You should also:

• Document a clear policy for receiving, logging, tracking, and responding to SARs (see our Privacy Policy guide for more).
• Train staff on how to recognise and handle SARs – including how to escalate complex cases.
• Set up internal checklists and audit trails to demonstrate compliance.
• Have a strategy for securely transmitting data (via encrypted files, secure email, etc.).
• Consider using automated tools or privacy management platforms if you handle a high volume of requests.

Above all, ensure you regularly review your approach in line with evolving legal obligations set by the ICO and changes within your organisation (e.g. new systems, types of data collected, or business practices). If you want expert support, Sprintlaw offers an affordable legal membership service for unlimited, fixed-fee advice from experienced data privacy lawyers. From reviewing your format, updating templates, to troubleshooting tricky cases, we’re here to support your compliance journey.

Frequently Asked Questions About SAR Templates

Do I Need A Template For SAR Requests?

You aren’t legally required to offer a template for individuals making subject access requests, but it can be extremely helpful. Templates streamline the process, ensure you receive all information needed to verify identity, and reduce errors or back-and-forth.

Can I Insist That Requests Use My SAR Template?

No – you must accept SARs in any format, including email, letter, or even verbally. Templates are for convenience, not to create barriers.

What’s The Best SAR Format To Use?

The best SAR format is clear, concise, and tailored to each situation. For responses, this means using a base template as a starting point but customising every reply to the data and context involved.

What Happens If I Miss The Deadline?

Delays in responding to SARs can lead to complaints to the ICO, reputational damage, and even enforcement action. Always build internal processes to track deadlines and escalate urgent requests.

Can A Lawyer Help With My SAR Template?

Absolutely. While many businesses use off-the-shelf SAR templates, having a lawyer review or draft them ensures your approach is up to date, tailored to your risks, and fully compliant with the latest legal guidance. If you’d like professional help, reach out to the Sprintlaw data privacy team for support.

Is There Anything Else I Should Consider?

Setting up your legal foundations is about more than SARs. You should have company-wide policies for privacy, staff training, contract language with suppliers and third parties (if they process data for you), and up-to-date privacy documents like your Privacy Policy. If you operate an online business, you may also want to check your compliance with cookie and tracking rules (see our Cookie Pop-Ups guide) and ensure your website’s legal requirements are met.

Key Takeaways: Creating A SAR Template That Works

• A subject access request template is a practical tool for compliance, but must always be adapted for each individual request and context.
• Under the UK GDPR, you must respond promptly (within one month), supply all relevant data, and protect other individuals’ privacy.
• Templates help standardise your SAR process, demonstrate accountability, and support legal compliance – but avoid a “one-size-fits-all” approach.
• Always verify identities, document your responses, and provide clear information about withheld or redacted data with legal reasoning.
• Regularly review your SAR templates and procedures to keep up with changing laws and business practices.
• If in doubt, consult an experienced data privacy lawyer to ensure your format and compliance efforts pass muster with the ICO.

If you’d like help reviewing or creating your subject access request templates, or want tailored advice on data privacy compliance for your business, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat. We’re here to help you get your legal foundations right – from day one.