Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is a Subject Access Request?
- Why Are Subject Access Requests Important for Businesses?
- Who Can Make a Subject Access Request?
- What Is Included in a Subject Access Request?
- How Long Do You Have to Respond to a Subject Access Request?
- What Counts as a Valid Subject Access Request?
- What Information Can Be Withheld From a Subject Access Request?
- How Should You Respond to a Subject Access Request?
- What Fees Can You Charge for Handling a SAR?
- How Should You Record and Track Subject Access Requests?
- What Should Be in Your Subject Access Request Policy?
- What Happens If You Get It Wrong?
- Tips for Making SARs Easier to Manage
- Key Takeaways
If you’ve ever received a formal request from a customer, employee or supplier asking for “all the data you hold about them”, you’ve encountered a Subject Access Request, or SAR for short. For UK businesses these requests can seem daunting, especially given the strict rules set out by the UK GDPR and the Data Protection Act 2018.
But don’t worry: handling subject access requests is manageable once you understand your responsibilities and set up the right processes. Getting this right not only avoids hefty fines, it also builds customer trust by showing that your business respects people’s data rights.
In this guide, we’ll explain what a subject access request actually is, how it works under UK law, and how your business should prepare to handle them. We’ll break down the steps you need to follow, clarify what’s included, and flag where professional advice can make all the difference. Let’s dive in!
What Is a Subject Access Request?
If you collect and store any personal information about individuals (think staff records, customer databases or email lists), you’ll need a clear answer to the question: what is a subject access request?
Put simply, a subject access request (SAR) is a request from an individual (the “data subject”) to see the personal data you hold about them. It is the right of access under Article 15 of the UK GDPR, one of the core data subject rights, and it is supplemented by the Data Protection Act 2018.
Key points about SARs:
- “SAR” stands for “Subject Access Request”: a legal request for the personal data you hold about an identifiable individual.
- Individuals have the right to know: what you’re holding, why you’re holding it, how you’re using it, and with whom you share it.
- Your business must respond: UK law obliges you to provide the requested information, usually within one month, unless an exemption applies.
The right of access is not new (it’s been around since the days of the Data Protection Act 1998), but under GDPR the rules are stricter, penalties for non-compliance are higher, and most businesses are much more likely to receive SARs as people become more aware of their privacy rights.
For a deep dive into general GDPR compliance, check out our complete GDPR overview for UK businesses.
Why Are Subject Access Requests Important for Businesses?
The main reason for SARs is to give individuals control over their own personal information. From a business perspective, these requests are both a compliance obligation and a reputational risk - mishandling them can lead to:
- Complaints to the ICO (Information Commissioner’s Office)
- Significant fines (up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, under the UK GDPR)
- Negative publicity and loss of customer trust
On the positive side, complying with SARs helps build transparency and shows your business is serious about data protection. This is essential for any business that handles personal data, no matter your size or sector.
Who Can Make a Subject Access Request?
Anyone you hold personal data about can make a subject access request. That means:
- Your customers and clients
- Current and former employees
- Suppliers, contractors, and business contacts
- Website visitors, if you log identifiable activity
The request does not have to mention the phrase “subject access request” or quote the law. Any clear request from an individual asking to see their personal information qualifies, even if it’s phrased informally by email, letter, or even a social media message.
What Is Included in a Subject Access Request?
If you receive a SAR, the individual is entitled to all of the following:
- Confirmation that you are processing their data
- Access to the personal data itself (including a copy)
- Other supporting information, such as:
  - The purposes for processing
  - The categories of data held
  - Any recipients or third parties you share it with (including recipients outside the UK, and the safeguards that apply to those transfers)
  - How long you’ll keep the data (or the criteria used to decide that)
  - Their rights to correction, erasure, restriction or objection, and their right to complain to the ICO
  - The source of the information, if it was not collected directly from them
  - Whether you use automated decision-making, including profiling, and meaningful information about the logic involved
This means you can’t just print off an email thread and call it done. You need to include everything that constitutes “personal data”, meaning any information that can identify the individual, including opinions about them, call notes, or internal performance reviews.
For a checklist of what types of data count as “personal information”, see our guide on protecting customer data.
How Long Do You Have to Respond to a Subject Access Request?
Under UK GDPR, the standard time limit for responding to a SAR is:
- One calendar month from the date you receive the request (if you reasonably need proof of identity before you can act, the month runs from the date you receive that proof).
You may extend this by up to two further months if the request is complex or you have received a number of requests from the same individual, but you must tell the individual within the first month that you are extending the time frame, and explain why.
Delaying or missing this deadline can trigger ICO complaints and possible fines, so it’s crucial to have an efficient process and staff training in place.
What Counts as a Valid Subject Access Request?
You might wonder: what is a valid SAR request? Do you need a special form? Does the individual need to cite GDPR?
Here’s what makes a SAR valid:
- It must be made by the data subject (or by someone authorised to act for them, such as a parent on behalf of a young child, or a solicitor with written authority)
- It can be made in any format: email, letter, web form, or even verbally
- It only needs to clearly ask for information about the sender (their personal data)
- If you have reasonable doubts about who is asking, you can ask for proof of identity before acting, but only what is proportionate (especially where sensitive information is involved)
If you’re not sure whether a message is a real SAR, it’s safer to treat it as one and begin your process, requesting further details if you need to confirm the person’s identity.
Looking for a template? See our advice on creating subject access request templates for your business.
What Information Can Be Withheld From a Subject Access Request?
Not everything has to be disclosed in response to a SAR. Certain exemptions under the Data Protection Act 2018 may apply, such as:
- Personal data about other people (unless they consent, or it is reasonable to disclose it without their consent; otherwise redact their details)
- Information likely to cause serious harm to the physical or mental health of any individual if released
- Data protected by legal professional privilege (for example, legal advice emails about a dispute with the requester)
- Data processed for crime prevention, regulatory functions, or for management forecasting in certain circumstances
If you are considering withholding or redacting information, it's best to seek specialist legal advice to avoid mishandling the request-errors here can lead to disputes or compliance action from the ICO.
How Should You Respond to a Subject Access Request?
When a SAR comes in, you need an organised process to investigate and reply. Here’s a step-by-step approach for UK businesses:
1. Confirm Receipt and Verify Identity
- Acknowledge the request as soon as possible (ideally in writing)
- Check you have enough information to identify the requester; if not, ask for more details before proceeding
2. Search and Collate Personal Data
- Look across all locations where you may store data: emails, files, cloud apps, HR software, phones, messaging apps, CCTV, backups
- Compile everything relating to the individual that counts as personal data
3. Apply Redactions and Consider Exemptions
- Identify if other people’s information is included (and redact unless consent is given)
- Check if any exemptions apply (seek legal help if unsure)
4. Prepare and Send Your Response
- Provide a copy of the data (in a format the individual can access, e.g. PDF or Word docs)
- Include all required “supplementary information” about processing and data rights
- Send securely (e.g. an encrypted or password-protected file, with the password sent by a separate channel, delivered only to the contact details you verified; a SAR response sent to the wrong person is itself a personal data breach)
For more on exactly what information must be included, review our article on responding to subject access requests.
What Fees Can You Charge for Handling a SAR?
In nearly all cases, a subject access request must be fulfilled for free (under both GDPR and the Data Protection Act 2018).
You can only charge a “reasonable fee” (based on your administrative costs) if:
- The request is manifestly unfounded or excessive (e.g. repetitive without reason); in that case you may alternatively refuse to act on it, provided you tell the individual why and that they can complain to the ICO
- The individual requests additional copies of the data (the first copy must always be free)
Most businesses will rarely be able to justify charging, so best practice is to prepare to handle requests at your own expense.
How Should You Record and Track Subject Access Requests?
Every UK business should have a system to log and track SARs received. Good record-keeping is crucial if the ICO investigates or if you receive a complaint. Your log should include:
- Date the request was received
- Identity verification status
- Details of information provided (and any withheld, with reasons)
- Deadlines for response
- Copies of correspondence
Learn more about best practices for handling SAR documentation in our article on record-keeping for GDPR compliance.
What Should Be in Your Subject Access Request Policy?
To ensure smooth handling of SARs (and to meet ICO expectations), your business should have a clear policy covering:
- What to do when a request is received
- How to verify data subjects’ identities
- The process for searching for and collating information
- Redaction and exemption handling
- Timescales for response
- Points of escalation (e.g. if a SAR is complex or involves sensitive issues)
- Contact details for your Data Protection Officer (if appointed)
If you don’t have this policy in place yet, now’s the time to create one: being caught off guard can result in non-compliance. To get started, consider engaging a data privacy lawyer to help you tailor a policy to your specific needs.
What Happens If You Get It Wrong?
The consequences for failing to respond to SARs correctly can be serious. The ICO (Information Commissioner’s Office) can:
- Order your business to comply and provide the missing data
- Impose fines or sanctions (potentially significant under GDPR)
- Publish the incident, harming your reputation
The ICO has taken enforcement action against UK organisations for:
- Missing the one-month response deadline (including large backlogs of unanswered requests)
- Failing to search all data sources (e.g. leaving out old email accounts or backups)
- Releasing other people’s data by mistake (which is itself a personal data breach)
Making SAR responses a routine part of your privacy compliance can help your business avoid these costly, stressful scenarios. It’s a good idea to do an annual GDPR audit to make sure you’re always ready.
Tips for Making SARs Easier to Manage
No business likes to get caught off guard by a SAR, but by planning ahead you’ll turn it into just another routine task. Here are some practical strategies:
- Centrally store personal data and keep a record of where it lives (avoid scattered folders or shadow IT systems, which are easy to miss when searching)
- Train your team to spot SARs and escalate them to the right person
- Keep your Data Privacy Policy up to date and clear for both internal staff and customers
- Have clear processes for deleting and updating data so that queries don’t become headaches
- Automate where you can (e.g. CRM and HR software often have SAR management tools built in)
And-always make sure your team knows who to contact (internally and externally) if they’re not sure what to do.
Key Takeaways
- A Subject Access Request (SAR) is a formal right for anyone to ask what personal data your business holds about them. You must respond within one month (extendable by up to two further months for complex requests).
- SARs under the UK GDPR apply to all UK businesses and organisations that process personal data, even small startups and microbusinesses.
- Your response must include a copy of the data and supporting details about your processing activities.
- Not all data needs to be disclosed: certain legal exemptions apply, but use them with care and always seek advice if unsure.
- Your business must have a clear process for logging, verifying, searching, redacting, and responding to SARs.
- Most SARs are free to the requester; a fee applies only for additional copies, or where the request is manifestly unfounded or excessive.
- Failure to handle SARs properly can lead to ICO fines and reputational damage; preparing a SAR policy and regular GDPR training will keep you compliant.
If you’d like expert help putting together a SAR policy or want to make sure your privacy processes are up to scratch, Sprintlaw can help. Reach out at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat with our team of friendly legal advisors.