Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is a Subject Access Request (SAR)?
- Why Do SARs Matter For UK Businesses?
- Who Can Make a Subject Access Request?
- What Information Does a Business Need To Provide in Response to a SAR?
- How Long Do You Have To Respond To a SAR?
- What Are the Steps For Responding to a SAR?
- Are There Any Fees For Handling SARs?
- Key Legal Obligations: The UK GDPR and Data Protection Act 2018
- What Happens If You Mishandle a SAR?
- Best Practices for Managing SARs With Ease
- What About Special Cases - Employees and CCTV?
- Key Takeaways
If you run a business or a startup in the UK, it’s more important than ever to know how to handle personal data the right way. One area that can really trip up new entrepreneurs is responding to a Subject Access Request - or SAR for short.
Maybe you’ve already received one of these requests from an employee, customer, or supplier. Perhaps you’re only just hearing about SARs for the first time, and are wondering what all the fuss is about. Either way, don’t stress - once you know your obligations under the UK GDPR, you can build great habits that keep your business compliant and your reputation intact.
In this guide, we’ll break down what SARs actually are, when they apply, and - most importantly - the steps every UK business should take to deal with them effectively. Think of this as your friendly, practical playbook for handling data requests confidently, whether you’re a tiny startup or a growing ecommerce brand.
Curious about your duties, possible pitfalls, and how simple checklists can save you stress down the line? Read on - you’ll find it’s clearer and more manageable than you might think.
What Is a Subject Access Request (SAR)?
A Subject Access Request (SAR) is a formal request made by any individual - such as an employee, customer, or third party - to know what personal data your business holds about them. This right comes from the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. In a nutshell, a SAR lets someone:
- Ask for confirmation that you process their personal data
- Obtain a copy of that personal data
- Obtain extra details about how and why you’re using their information
Personal data here means any information relating to an identified or identifiable living person: a name, address or email, but equally CCTV footage, a personnel record, or system logs such as IP addresses and account activity where they can be tied back to an individual.
If you collect, store, or process any personal data - and virtually every business in the UK does - then being able to respond properly to SARs isn’t optional. It’s a fundamental data protection right, and there can be serious consequences for getting it wrong.
Why Do SARs Matter For UK Businesses?
The right to make a SAR is at the heart of privacy law in the UK. Here’s why getting this right is crucial for business owners:
- Legal requirement: You are legally obliged to respond to SARs under UK GDPR. Ignoring or mishandling requests can lead to complaints to the ICO (Information Commissioner’s Office) and potentially hefty fines.
- Trust and transparency: Demonstrating that you take data subjects’ rights seriously helps build trust with your customers, staff, and partners. Responding promptly and fairly to a SAR can prevent disputes from escalating.
- Reputational risk: Mishandling a SAR can quickly spiral into reputational damage - especially if the ICO launches an investigation or a data breach surfaces as part of the process.
- It’s good data hygiene: Well-managed SAR procedures often mean you have better data practices across your business, and less risk of privacy slip-ups generally.
Remember, it’s not just big companies that need to worry. SARs can (and do) hit small businesses and startups. That’s why it’s wise to have a plan and a GDPR compliance toolkit in place right from the start.
Who Can Make a Subject Access Request?
Any living individual whose information your business processes can make a SAR. This includes:
- Current and former employees
- Customers and clients
- Suppliers, contractors, or job applicants
- Website users and online account holders
Crucially, there is no need for the person to cite the UK GDPR or even use the phrase ‘subject access request’. If the intent of their request is clear (“What data do you hold on me?”, “Can I see my HR file?”, etc.) you must treat it as a SAR and respond accordingly.
What Information Does a Business Need To Provide in Response to a SAR?
When you receive a SAR, you’re normally required to provide the requester with:
- A copy of all the personal data you hold about them (including data in emails, files, databases, recordings, backups that are still restorable, etc.)
- The purposes for which you’re processing their data
- The categories of personal data involved
- Any recipients (or categories of recipients) to whom the data has been or will be disclosed, including recipients outside the UK
- The retention period for that data or, where you can’t give a fixed period, the criteria you use to decide it
- Information on where the data came from (if not collected from the requester directly)
- Whether you use their data for automated decision-making, including profiling, and if so the logic involved and the likely consequences for them
- The safeguards in place where their data is transferred outside the UK
- Their rights to have inaccurate data corrected or erased, to restrict or object to processing, and to lodge a complaint with the ICO
Depending on your business, a SAR might cover a few emails or amount to several gigabytes of files. Either way, you must search diligently and release any data within the timescales required.
How Long Do You Have To Respond To a SAR?
You must respond to a SAR without undue delay and at the latest within one calendar month of receiving it. Count from the day you receive the request (whether or not it is a working day) to the corresponding date in the following month: a SAR received on 10 April must be answered by 10 May. If the following month has no corresponding date (a request received on 31 January, say), the deadline is the last day of that month, and if the deadline lands on a weekend or public holiday the ICO’s guidance gives you until the next working day.
In limited circumstances you can extend this period by up to two further months, for example where the request is particularly complex or the same person has sent you several requests. You must tell the requester within the first month that you are extending, and explain why. The clock also does not start until you have what you genuinely need to confirm the requester’s identity, and it pauses while you wait for a clarification you were entitled to ask for; neither is a licence to stall.
It’s wise to read up on SAR response timescales and put reminders in place so you don’t miss the deadline.
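The calendar-month rule has edge cases (short months, year boundaries, weekends) that are easy to get wrong in a spreadsheet, so a reminder system should encode them explicitly. The helper below is an added illustration, not something from the original article or from Sprintlaw; it implements the counting rule described above (corresponding date next month, last day of the month where no such date exists, roll forward over Saturday and Sunday) plus the optional two-month extension. It deliberately does not know about UK bank holidays, which a real tracker would need to add from a holiday calendar.

```python
from datetime import date, timedelta
import calendar


def sar_deadline(received: date, extension_months: int = 0) -> date:
    """Return the last day on which a SAR received on `received` may be answered.

    Rules applied (UK GDPR Art. 12(3) as interpreted in ICO guidance):
      * one calendar month: same day number in the following month;
      * if that month is shorter and has no such day, its last day;
      * an extension of up to two further months counts the same way;
      * a deadline on a Saturday or Sunday moves to the next working day.
    Assumption/limitation: public (bank) holidays are not handled here.
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("a SAR may be extended by at most two further months")

    months_ahead = 1 + extension_months
    # Zero-based month arithmetic so December + 1 rolls into January.
    index = received.month - 1 + months_ahead
    year = received.year + index // 12
    month = index % 12 + 1

    # Clamp 29/30/31 to the last day of a shorter month.
    last_day = calendar.monthrange(year, month)[1]
    deadline = date(year, month, min(received.day, last_day))

    # weekday(): Monday == 0 ... Saturday == 5, Sunday == 6.
    while deadline.weekday() >= 5:
        deadline += timedelta(days=1)
    return deadline


def extension_notice_due(received: date) -> date:
    """Latest date to tell the requester you are extending: the original deadline."""
    return sar_deadline(received, 0)


if __name__ == "__main__":
    # Constructed sample dates, chosen to exercise each rule.
    for d, ext in [(date(2024, 4, 10), 0), (date(2024, 1, 31), 0),
                   (date(2025, 4, 10), 0), (date(2024, 12, 15), 0),
                   (date(2024, 4, 10), 2)]:
        print(d, "+", ext, "month(s) extension ->", sar_deadline(d, ext))
```

Feed the function the receipt date recorded in your SAR log and put the result straight into the reminder calendar; if you later agree an extension, recompute with `extension_months` set and keep both dates on file as evidence of the notice you gave.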
What Are the Steps For Responding to a SAR?
So what should you do if you get a SAR? Here’s a simple roadmap:
- Confirm the identity of the requester: If you have genuine doubts about who is asking, request proportionate proof of identity before releasing anything. A SAR is an easy route for an impersonator to harvest someone else’s data, so replying only to the email or postal address you already hold for that person is a sensible check; demanding a passport scan from a long-standing customer who writes from their registered address is not. Log what you asked for and when, because the response clock starts once identity is confirmed.
- Clarify the scope (if needed): If the request is vague (e.g. “Send me all data you have on me”) and you process a large amount of information about the person, you can ask which data types, timeframes, or systems they’re most interested in, and the clock pauses until they reply. But don’t use this as a delay tactic: if they say “everything”, you search everything.
- Locate all relevant data: Search all systems, devices, archives, and files - including mailboxes, HR files, CCTV, cloud drives, chat tools, and printed records. The ICO expects you to make reasonable and proportionate efforts to find it all, and to be able to describe the searches you ran.
- Check if any exemptions apply: In some cases you can withhold specific data - for example, information that would identify another individual (unless they consent or it is reasonable to disclose it without consent), material covered by legal professional privilege, management forecasts or negotiating positions, or data whose release would prejudice an ongoing criminal investigation. An exemption covers only the data it applies to; you still disclose the rest. Read more on lawful grounds for refusing or redacting data.
- Prepare the response: Compile the data, redact where needed, and write a cover note that explains what you are providing, which exemptions (if any) you have applied, and the supplementary information the right of access requires - purposes, recipients, retention, source, and the requester’s rights.
- Send your response securely: Use appropriate encryption or a secure delivery method, especially for sensitive information, and send it to the contact details you verified in step one. If you password-protect a file, send the password by a separate channel. Always keep a detailed record of what you provided and when.
If the information contains references to other people, confidential business details, or legally privileged material, make sure you remove or redact this content before sending your reply, and check that redactions are actually removed from the file rather than merely drawn over it.
Are There Any Fees For Handling SARs?
Most SARs must be handled free of charge. There are only two situations where you can charge a “reasonable fee”:
- If the request is “manifestly unfounded or excessive” - for example, a request that simply repeats one you fulfilled very recently. In that case you may alternatively refuse to act on it, but you must tell the requester why and of their right to complain to the ICO. Volume alone does not make a request excessive.
- If someone asks for further copies of the same information (the first copy must always be free)
If you do plan to charge, you must be able to justify the costs involved (such as admin time, postage, or media expenses), and the clock does not start until the fee is paid.
Key Legal Obligations: The UK GDPR and Data Protection Act 2018
Your duties around SARs mostly stem from:
- UK GDPR: Sets out the right of access (Article 15) and detailed compliance requirements, including timescales, scope, and exemptions.
- Data Protection Act 2018: UK-specific rules and clarifications. For instance, the exemptions - such as not disclosing data that would prejudice a criminal investigation or reveal another person’s identity - are set out in Schedules 2 to 4.
These laws also require businesses to maintain transparency, keep accurate records, and be able to demonstrate compliance to the ICO if challenged. Having proper privacy policies, records of processing activities, and response procedures in place is now essential, not optional.
Still unsure what the differences are between a data controller and data processor, or when to apply which rules? Check out our guide on understanding your GDPR role.
What Happens If You Mishandle a SAR?
Mishandling SARs can expose your business to real risks, such as:
- Complaints to the ICO: If a requester is unhappy with your response (or lack of one), they can complain to the Information Commissioner’s Office, which may then investigate your data practices.
- Regulatory action and fines: The ICO has the power to order you to comply, issue warnings and reprimands, or - in serious cases - levy penalties of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, for repeat or serious breaches of the law.
- Compensation claims: Data subjects may sue your business for material or non-material damage (including distress) if they suffer harm as a result of a data breach or a failure to comply.
- Reputational damage: Negative publicity arising from privacy complaints can be damaging, especially for consumer-facing brands or those who promote themselves as trustworthy.
Ultimately, it’s much safer (and cheaper) to get your SAR response process right from the beginning. It’s worth putting an effective GDPR compliance policy in place and regularly reviewing your data protection practices.
Best Practices for Managing SARs With Ease
If all this sounds daunting, you’re not alone - but it’s perfectly manageable with the right habits and a bit of legal support. Here are some best practices for handling SARs calmly and compliantly:
- Designate responsibility: Assign a data protection lead (often the owner or a senior team member in small businesses) to oversee and respond to SARs.
- Maintain clear records: Keep a documented log of every SAR received, your response, and the dates at each stage (receipt, identity check, clarification, extension notice, fulfilment).
- Have a written process: A SAR procedure should outline step-by-step what to do - templates help, but tailor them to your actual business needs.
- Regular training: Make sure team members who handle personal data know what SARs are and what to do if approached by a data subject.
- Be proactive about data hygiene: Only keep personal data as long as necessary and make sure it’s organised (see our guide on setting sensible retention periods).
- Seek legal advice for tricky cases: If you receive a large or complex SAR, or if an exemption might apply, don’t hesitate to speak to a data privacy lawyer to avoid making costly mistakes.
A little preparation now can save you from stressful, expensive headaches later.
What About Special Cases - Employees and CCTV?
SARs are especially common from employees (current and former), or from individuals requesting CCTV footage. The same one-month response time and disclosure rules generally apply, but there are unique risks, like:
- Personnel records often include mixed data (references to other staff, confidential business info) - you’ll need to review carefully for redactions.
- CCTV footage can be personal data - if the person is identifiable in it, you must supply a copy of the relevant footage (or stills from it), obscuring other identifiable people where disclosing them would be unfair to them.
- Employment disputes often involve SARs as a “discovery” tactic. The requester’s motive does not change your obligations - you must still comply - but apply exemptions thoughtfully (e.g. for legal privilege or ongoing investigations) and seek legal advice if unsure.
If this is a key concern for your business, our team can help you put strong practices in place so you’re never caught unprepared. For detailed guidance, see our article on employee privacy notices.
Key Takeaways
- Every UK business or startup must be able to respond to SARs under the UK GDPR and Data Protection Act 2018.
- A SAR gives individuals the right to know what personal data you hold on them, why you hold it, and to get a copy within one month.
- Ignoring or mishandling SARs can lead to ICO complaints, fines, and reputational damage, even for small businesses.
- Have a clear SAR procedure, keep good records, and train staff to spot and respond to requests promptly.
- Seek professional advice in tricky or sensitive SAR cases to ensure you comply with privacy laws and avoid accidental breaches.
- Managing SARs well is part of building overall data protection compliance, which boosts trust and helps your business grow safely.
If you’d like tailored help with SARs, data protection law, or any business legal documents, you can reach us at team@sprintlaw.co.uk or call 08081347754 for a free, no-obligations chat. We’re here to help you protect your business from day one.