Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, you’ll probably handle personal data every day - customer records, supplier contacts, staff files, CCTV, emails, support tickets, and marketing lists.
That’s exactly why you might one day receive a “SAR” (also called a subject access request). When it lands in your inbox, it can feel a bit confronting - especially if it comes from an unhappy customer, a former employee, or someone you’re in a dispute with.
Don’t stress. With the right process, responding to a SAR is manageable - and getting it right can help you avoid regulatory complaints, business disruption, and unnecessary legal risk.
This guide explains what a SAR (subject access request) is, what you have to do as a UK business, and a step-by-step approach to responding confidently.
What Is a SARs Request (Subject Access Request)?
So, what is a SARs request?
A subject access request (SAR) is a request made by an individual asking you to confirm whether you process their personal data and, if you do, to provide them with access to that data (plus some supporting information about how and why you use it).
You’ll also see it written as:
- what is an sar request
- what is a sars request
- what is a subject access request?
- subject access request meaning
In UK law, SARs sit under the UK GDPR and the Data Protection Act 2018. They give effect to one of the key individual rights in data protection law: the right of access.
What Counts As “Personal Data” For SAR Purposes?
Personal data is information that relates to an identifiable individual. In a small business context, that can include:
- names, addresses, emails, phone numbers
- account details and purchase history
- customer service messages, complaint records, call logs
- photos or video footage (including CCTV) where someone is identifiable
- HR records (performance notes, absence records, disciplinary documents)
- emails and internal messages that mention the individual
- device logs or security logs tied to an identifiable user
Importantly, the person doesn’t need to use the words “subject access request” for it to count. If they ask something like:
- “Please send me all the information you hold about me,” or
- “I want a copy of all emails where you discuss me,”
…that’s likely a SAR, and you should treat it as one.
Why Small Businesses Get SARs (And Why They’re Often High-Risk)
SARs aren’t only for big corporations. In fact, SMEs often feel the impact more because you have fewer people, less time, and less formal documentation.
Common triggers include:
- Employment disputes (for example, after a disciplinary process, performance management, redundancy, or dismissal)
- Customer complaints (especially where refunds, service quality, or alleged poor treatment are involved)
- Commercial disputes (for example, a supplier relationship breaking down)
- Data breach concerns (someone suspects their information has been mishandled)
And while a SAR is a data protection right (not a “disclosure process” like litigation), many people use SARs strategically to understand what evidence a business has about them.
That means your response needs to be both:
- Legally compliant (meeting UK GDPR requirements), and
- Carefully managed (so you don’t accidentally disclose third-party data or legally privileged material).
What Are Your Legal Obligations When You Receive a SAR?
When you receive a SAR, your core legal obligations as a business are:
- to respond without undue delay and within the legal timeframe
- to carry out reasonable searches for the requester’s personal data
- to provide a copy of the requester’s personal data in an appropriate format (and, where the request is made electronically, usually in a commonly used electronic form)
- to provide supporting information (often called “supplementary information”), such as why you process the data and who you share it with
- to ensure you don’t unlawfully disclose other people’s data
How Long Do You Have To Respond?
In most cases, you have one month to respond.
The one-month period typically runs from the date you receive the request. However, if you reasonably need to verify the requester’s identity, or you need clarification to understand what they’re asking for, the clock can effectively start once you have what you reasonably need to proceed.
If the request is complex or you’ve received multiple requests from the same person, you may be able to extend by up to a further two months - but you must tell the requester within the first month and explain why.
If you want a deeper look at timing expectations and extensions, it helps to have internal guidance aligned with SAR response deadlines so your team knows what “good” looks like.
Do You Have To Respond For Free?
Usually, yes - SAR responses are generally free.
You may charge a reasonable fee or refuse to act only in limited situations, such as if the request is “manifestly unfounded or excessive”. This is a high threshold in practice, so get advice before relying on it.
Can You Ask For ID?
Yes - where it’s reasonable and proportionate. You should verify identity if you’re not sure the requester is who they say they are (for example, if the request comes from a new email address or a third party).
Be careful not to over-collect. Asking for a passport scan every time isn’t always necessary - sometimes confirming details you already hold is enough.
Do You Have To Give Them Everything, Including Internal Emails?
You must provide the requester’s personal data, which can include references to them in emails, meeting notes, and internal messages.
But that doesn’t mean you must hand over every document in full. Often, you can extract or redact the relevant personal data, especially where documents contain:
- third-party personal data (eg other employees, customers, witnesses)
- confidential business information that isn’t the requester’s personal data
- information covered by specific exemptions (where they apply), such as legal professional privilege
There are also circumstances where you can lawfully withhold content, and it’s worth understanding what you can withhold before you start exporting inboxes and sharing documents.
How Should UK Businesses Respond to a SAR? (A Step-by-Step Process)
The best way to handle SARs is to have a consistent workflow. Here’s a practical approach you can build into your operations.
1) Recognise The SAR And Log It Immediately
First, treat it as a compliance task, not an informal request.
Create a simple SAR log with:
- date received
- who received it (name / department)
- requester name and contact details
- deadline (one month)
- notes on identity verification and clarification
- where you searched and what you provided
Having a standard Access Request Form can help you capture key information consistently, especially if multiple team members might receive requests.
2) Confirm Identity (If Needed) And Clarify Scope
If the request is broad (“all data you hold on me”), you can ask them to clarify what they’re most interested in - but you still need to do reasonable searches.
Clarifying scope can reduce time, cost, and the chance of accidental over-disclosure.
Example clarification questions:
- Which time period are you referring to?
- Are you asking about your customer account only, or also marketing records?
- Do you want CCTV footage from a specific date/time?
3) Work Out Where The Data Lives (And Who Needs To Help)
In a small business, personal data often sits across multiple tools and people. Typical sources include:
- email accounts (including shared inboxes)
- CRM systems and ecommerce platforms
- finance software (invoices, refunds, payment notes)
- customer support systems
- HR files (if the requester is staff or ex-staff)
- CCTV systems, access logs, door entry systems
- company devices (laptops/phones) and collaboration tools
This is where good internal policies matter. For example, a well-drafted Acceptable Use Policy can reduce “data sprawl” by setting clear rules about where staff should (and shouldn’t) store business communications.
4) Run Searches And Collect Information Carefully
Do reasonable searches using consistent keywords (name, email, customer number, phone number, employee ID, etc.).
As you collect information:
- keep a record of what you searched (systems, date range, keywords)
- avoid editing original files; work from copies
- segregate data into “likely disclose”, “needs redaction”, and “potentially exempt”
If the requester is (or was) part of your workforce, it’s especially important to follow a structured approach. Many businesses use a dedicated playbook for employee SARs because HR data tends to involve third parties and sensitive context.
5) Redact Third-Party Data And Apply Exemptions Properly
This is where SAR responses often go wrong.
If a document includes another person’s personal data, you generally need to:
- redact it, or
- seek consent from the other individual (which isn’t always practical), or
- consider whether it’s reasonable to disclose without consent (this depends on the circumstances)
Be particularly cautious with:
- witness statements
- customer complaints that identify staff members
- HR investigations and disciplinary meeting notes
- email chains with multiple people
If you’re unsure, get advice before you disclose. A “quick” SAR response that breaches someone else’s privacy can create a bigger problem than the SAR itself.
6) Prepare Your Response Pack (Data + Required Context)
Your SAR response usually has two parts:
- (A) The personal data (copies or extracts)
- (B) Supplementary information, which often includes:
  - why you process their data
  - categories of personal data
  - who you share it with (or categories of recipients)
  - how long you keep it (retention)
  - their rights (rectification, erasure, complaint to the ICO)
  - where the data came from (if not collected directly from them)
Your retention position should be consistent with how your business actually operates. If you haven’t reviewed this in a while, it’s worth aligning your approach with data retention periods so you’re not keeping data longer than necessary (or deleting it too early when you have a legal reason to retain it).
7) Send Securely And Keep An Audit Trail
Don’t email sensitive files as unprotected attachments if you can avoid it.
Instead, consider:
- encrypted files with passwords shared separately
- secure portals or file transfer links with expiry dates
- limiting access internally to only those who need to work on the SAR
Also keep a copy of:
- the final disclosure pack
- redaction decisions
- any exemption reasoning
- communications with the requester
If the SAR is linked to a wider privacy issue, it’s smart to make sure your incident process is also sound - a Data Breach Response Plan is often useful here, even if you ultimately conclude there was no breach.
Common SAR Mistakes Businesses Make (And How To Avoid Them)
Even well-intentioned businesses can slip up with SARs, usually because they’re time-poor and trying to move quickly.
1) Missing The Deadline
Failing to respond within one month is one of the fastest ways to trigger complaints.
Fix: log the SAR immediately and set internal deadlines (eg day 7 for scoping, day 14 for searches, day 21 for redaction, day 28 for review).
2) Treating It Like A Standard Customer Service Request
A SAR is a legal compliance request, not just an admin task.
Fix: assign responsibility (even if you don’t have a DPO) and ensure someone with decision-making authority reviews the final pack.
3) Disclosing Third-Party Data By Accident
This is a big risk in email chains and HR documents.
Fix: implement a redaction workflow and have a second person do a final sense-check before anything is sent out.
4) Over-Collecting Identity Documents
If you ask for excessive ID, it can delay your response and create more sensitive data that you then have to store securely.
Fix: ask only for what you need, and delete it when it’s no longer required.
5) Not Having Clear GDPR Foundations
SARs often expose gaps: unclear retention rules, no record of processing, messy inbox practices, or inconsistent privacy notices.
Fix: build SAR readiness into your broader compliance. Many SMEs find it easier to stay on top of SARs when they’ve already put a solid GDPR Package in place (policies, notices, and practical business processes that match how you operate).
Key Takeaways
- A SAR is a legal request for access to personal data under the UK GDPR and the Data Protection Act 2018 - and it can be made by customers, staff, or anyone whose data you hold.
- If you’re wondering what is a SARs request, it’s essentially a request for copies of the requester’s personal data plus context about how and why you process it.
- You generally have one month to respond (with limited rights to extend in complex cases) and responses are usually free.
- Responding properly means doing reasonable searches, providing the requester’s personal data, and taking care not to disclose third-party information.
- A consistent step-by-step SAR process (log, scope, search, redact, review, send securely) will save you time and reduce compliance risk.
- Getting your wider data protection foundations right (policies, retention, and secure handling) makes SAR responses faster and far less stressful.
If you’d like help handling a SAR or putting the right GDPR processes in place for your business, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.