Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Subject Access Request?
- When And How Can An Employee Make A Subject Access Request?
- What Data Do Employers Need To Provide?
- Are There Risks If Employers Ignore Or Mishandle A Subject Access Request?
- Step-By-Step: How Should Employers Respond To A Subject Access Request?
- What Are An Employer’s Legal Obligations For Employee Data?
- Common Challenges And How To Avoid Mistakes
- What If The Subject Access Request Is About An Ongoing Dispute?
- How Can Employers Prepare For Subject Access Requests?
- Key Takeaways
If you run a business with employees in the UK, you’re likely collecting and storing a lot of personal data: everything from payroll details and employment records to emails and performance notes. So it’s not surprising that at some point, an employee might submit a subject access request (SAR), asking to see what personal data you hold about them.
If the thought of responding to a subject access request makes you a bit nervous, you’re not alone. Many business owners and managers worry about what they need to provide, how quickly they must respond, and what happens if they get it wrong.
Don’t worry, handling subject access requests doesn’t have to be overwhelming. With the right knowledge and systems in place, you can meet your legal obligations, protect your business, and show your team you take their rights seriously. Keep reading as we break down everything UK employers need to know about subject access requests.
What Is A Subject Access Request?
A subject access request (sometimes called a SAR, or DSAR for Data Subject Access Request) is a legal right that allows individuals, including employees, to ask organisations for copies of the personal data they hold about them.
This right comes from the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Anyone you employ or have employed (including contractors or agency workers in some cases) can make a subject access request to your business.
Typically, a subject access request covers:
- What personal data you hold about the individual
- How and why you’re using that data
- Who you’ve shared the data with
- How long you’ll keep it
- Information about the individual’s data protection rights
Subject access requests are commonly used when an employee is in a dispute, worried about unfair treatment, or just wants to know what is held about them.
When And How Can An Employee Make A Subject Access Request?
Employees can make a subject access request at any time; there’s no special form or process required. The request can be made verbally or in writing (including by email, a company portal, letter, or even in a meeting).
Here’s what’s important for you as an employer:
- You can’t ask employees to use a particular form or route, although you can offer one for convenience.
- You can’t charge a fee for most subject access requests.
- You must respond within one calendar month from the date the request is received (though you can extend this by up to two months for complex requests).
- The employee doesn’t need to mention “GDPR” or even “subject access request”; as long as it’s clear they want information about their personal data, the clock starts ticking.
What Data Do Employers Need To Provide?
When responding to a subject access request, the rules mean you need to be thorough, but there are also some limits on what has to be disclosed.
You must provide:
- Copies of all personal data you hold about the employee (in emails, documents, databases, HR files, payroll, or anywhere else), unless a valid exemption applies
- Details of how you use the data
- Details about who you share it with, for example, external payroll companies or benefits providers
- Information on data retention, and details about their rights (such as the right to complain to the ICO)
This includes data in emails, messaging apps, meeting notes, spreadsheets, and wherever else you store personal information relating to that individual in the course of employment.
However, it does not usually include:
- Purely business data not relating to the individual
- Data about other people (except where it’s reasonable and lawful to provide it)
- Drafts or notes not stored in a “filing system” (but be careful: digital folders often count)
- Documents subject to legal professional privilege (e.g. relating to legal disputes or advice)
It’s worth reviewing the SAR exemptions in detail, particularly if the request involves sensitive workplace discussions.
Are There Risks If Employers Ignore Or Mishandle A Subject Access Request?
In short, yes, there are real risks if you don’t respond properly to a subject access request. The UK’s data protection regulator, the Information Commissioner’s Office (ICO), can issue enforcement notices, order you to disclose data, or even fine your business for non-compliance.
But beyond the risk of legal penalties, mishandling SARs can lead to:
- Higher chance of employee disputes or unfair dismissal claims
- Damage to trust and reputation (especially if an employee involves the ICO or posts about it online)
- Wasting time and resources dealing with follow-up complaints or disputes
Handling SARs promptly and professionally shows your staff, and any regulator, that you take their rights seriously. It’s also a great way to future-proof your HR and privacy processes.
Step-By-Step: How Should Employers Respond To A Subject Access Request?
If you receive a subject access request, don’t panic; just follow these steps:
- Acknowledge the request promptly. Let the employee know you’ve received the request and that you’re processing it as required by law.
- Verify the identity of the requester. If you’re not sure who is making the request (for instance, if it comes from a personal email address), you can ask for proof of ID before providing data.
- Clarify what information they are seeking. It’s reasonable to ask an employee to specify the data or time period they’re interested in, but you can’t insist on it; they can still request “all personal data.”
- Search all systems and records. Make sure you review every place personal data might be stored, including emails, instant messages, file systems, and third-party platforms.
- Review the data for third-party details. If any personal data about other individuals appears, you’ll usually need to redact (black out) or anonymise it, unless you have permission to share it or it’s reasonable to do so without consent.
- Apply any valid exemptions. For example, don’t disclose legal advice or data that would reveal confidential company information; seek legal advice if in doubt.
- Format and provide the data. Information should be in an accessible format, typically electronic (unless requested otherwise).
- Provide supplementary information. Include details of the types of data held, who you’ve shared it with, how long you’ll keep it, and how to complain if they’re unhappy.
- Meet the time limit. Respond within one calendar month of receiving the SAR (or the day you receive adequate ID, if you requested it). For complex or multiple requests, you can extend by up to two months, but you must explain why.
If you’re not sure you can meet the deadline or you’re worried about legal risks, get expert legal advice early; delays or mistakes can easily escalate.
What Are An Employer’s Legal Obligations For Employee Data?
Complying with subject access requests is just one part of your overall data privacy obligations as an employer. Under the UK GDPR and the Data Protection Act 2018, you’ll need to be able to:
- Identify and retrieve all personal data you hold on an individual
- Keep accurate, up-to-date employee records
- Protect employee data from unauthorised access or loss
- Provide clear privacy notices to staff explaining how their data is used
- Have systems and procedures for identifying, reviewing, and responding to SARs
- Retain data only as long as necessary (and delete securely when it’s no longer needed)
- Train staff on handling personal data and responding to SARs
If you’re not sure your HR or IT systems allow you to find and review all personal data for a subject access request, now is a good time to look at your processes. Putting the right groundwork in place will make handling SARs much easier and keep your organisation compliant.
Common Challenges And How To Avoid Mistakes
Responding to a subject access request can raise some practical headaches, especially for busy SME owners juggling lots of responsibilities. Here are a few pitfalls and how to sidestep them:
- Overlooking where data is stored. Remember to check old email accounts, backup drives, shared folders, and any relevant messaging systems.
- Providing too much information. Be careful not to share other employees’ details or confidential business information unless it’s appropriate or required by law.
- Missing deadlines. Put reminders in place as soon as you get a SAR and, if you need more time to respond due to complexity, communicate this clearly in writing.
- Treating SARs as a low priority. Ignoring or delaying a SAR is not only non-compliant, but it can breed distrust with your team and escalate legal risks.
- Not keeping a record of your response. Always keep a log of the SAR, how you responded, what data you provided, decisions you made on redactions, and the timeline.
It’s also wise to have a clear policy in your staff handbook or HR policies setting out how your company handles SARs and manages personal data. This gives your team transparency and helps you standardise your approach.
What If The Subject Access Request Is About An Ongoing Dispute?
Many subject access requests are made in the context of grievances, disciplinary action, or employment tribunal claims. While you must still comply, you should review carefully:
- Whether any parts of the requested data are privileged (for example, legal advice, which may not need to be disclosed)
- Whether releasing data will unfairly impact other employees (such as meeting notes about discipline, where redaction may be necessary)
- If you need to withhold some data or information: clearly document your decision, the reasons, and any advice from your legal expert
If you’re in doubt, seek specialist employment or data protection advice to ensure you’re protecting your business while remaining compliant.
How Can Employers Prepare For Subject Access Requests?
Being prepared is the best way to take the stress out of subject access requests and keep your business protected from day one:
- Audit where and how you store all employee data (digitally and in physical files)
- Regularly review and update your privacy policy and staff handbook
- Train managers and HR team members on identifying and handling SARs
- Set up standard response templates and processes to quickly acknowledge, process, and deliver responses
- Have a system in place to record and document all SARs and your handling of them
- Review and update contracts with any third parties (outsourced HR, payroll, IT services) to ensure they support SAR compliance
Proactive preparation means fewer surprises, less risk, and faster response times when the request lands, helping you avoid common compliance headaches.
Key Takeaways
- All UK employers must respond to subject access requests (SARs) from employees within one month, providing copies of all relevant personal data unless exemptions apply.
- You can't charge a fee or insist employees use a set form for SARs, and delays or non-compliance can lead to fines and reputational harm.
- Review all relevant systems and documents, redact third-party information, and always keep careful records of your handling of each SAR.
- Proper preparation, including robust data management, up-to-date privacy policies, and trained staff, makes SAR compliance much easier.
- If you’re unsure about exemptions, complex requests, or how to respond, getting advice from a legal expert will protect your business long term.
If you need practical guidance or help handling a subject access request in your business, reach out to us for a free, no-obligation chat at 08081347754 or team@sprintlaw.co.uk. Our team is here to help you navigate the complexities of employee data and ensure your business is compliant from day one.