Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you collect or hold personal information in your business (and most businesses do), you’ll eventually come across the term “SAR”. Understanding what a SAR is - and how to handle one properly - is essential to staying compliant with UK data protection law and avoiding unnecessary risk.
In this guide, we’ll explain what a SAR is in plain English, when it applies to small businesses and employers, and the practical steps to follow when one lands in your inbox. We’ll also cover deadlines, common exemptions, and ways to reduce SAR risk so you’re protected from day one.
What Is A SAR Under UK GDPR?
SAR stands for Subject Access Request. Under the UK GDPR and the Data Protection Act 2018, individuals (called “data subjects”) have the right to request a copy of their personal data that your business holds, along with information about how you use it.
In simple terms, when you receive a SAR you’re being asked to confirm whether you process a person’s data and, if so, to provide:
- Copies of their personal data (in a commonly used format)
- Key information about your processing (the purposes, categories of data, recipients, retention periods, and the person’s rights)
- Details of any automated decision-making (including profiling) if relevant
“Personal data” is any information that relates to an identified or identifiable individual - names, emails, device identifiers, HR records, CCTV footage where a person can be identified, support tickets, call recordings and more. The definition is broad, so assume many everyday business records are in scope.
Quick note on acronyms: in financial crime, SAR can also mean Suspicious Activity Report to the NCA. That’s a different process. In this article, we’re talking about Subject Access Requests under data protection law.
Do SARs Apply To Small Businesses And Employers?
Yes. If your business is a “controller” of personal data (most are), you must respond to valid SARs - regardless of your size. Common scenarios include:
- Customers asking for copies of account data, email correspondence or purchase history
- Employees or ex-employees requesting HR files, notes from performance meetings, or emails mentioning them
- Prospects asking for a record of what marketing data you hold
There’s no special exemption for SMEs. However, the law is proportionate - you only need to search in systems where it’s reasonable to expect the data is held, and you can ask for clarification if a request is broad or unclear.
A strong privacy framework makes SARs quicker and less stressful. At minimum, have a clear, up-to-date Privacy Policy that explains what you collect, why, and how long you keep it.
How To Respond To A SAR: Step-By-Step
When a SAR arrives, don’t panic. Put a structured process in motion. Here’s a practical workflow you can adapt for your business.
1) Acknowledge And Log The Request
- Record the date received (the clock starts the day after you receive it).
- Acknowledge receipt promptly and explain next steps and timelines.
- If the request is unclear, ask the requester to narrow scope (e.g. date ranges, specific systems or keywords). This doesn’t stop the clock but helps make the search proportionate.
2) Verify Identity Where Needed
You must ensure you’re disclosing data to the right person. If you’re not sure who’s asking (or the request is sensitive), request proof of identity. Keep ID checks reasonable - only ask for what’s necessary to verify the person.
3) Scope And Search
Map where personal data lives in your business and search those sources proportionately. Typical sources include:
- Emails and collaboration tools (including shared mailboxes)
- CRM, ticketing and order systems
- HR/payroll platforms and manager files
- Messaging apps used for business
- CCTV or call recordings, if applicable
- Cloud storage (folders, docs, spreadsheets)
For large or technical searches, consider using keywords, date ranges and custodians to keep things manageable. If a third-party processor (like your CRM provider) holds the data on your behalf, you may need support from them - which is why having a robust Data Processing Agreement with processors is so important.
4) Review, Redact And Apply Exemptions
Once you’ve gathered the data, review it line by line. You need to protect other people’s privacy and your own confidential information where permitted by law. Common steps include:
- Redacting third-party personal data unless you have consent or it’s reasonable to disclose
- Withholding legally privileged communications
- Removing trade secrets or confidential business information if an exemption applies
We cover the most useful SAR exemptions for businesses later in this article.
5) Prepare The Response Pack
Your response should be clear and complete. Include:
- A covering letter explaining what you did, what you’re disclosing, and anything you’ve withheld (and why)
- Copies of the personal data in a commonly used electronic format (unless the person asks otherwise)
- Required transparency information (purposes of processing, categories, recipients, retention periods, and rights)
Consistency helps: many businesses adopt a standard SAR template pack so responses are accurate and on brand.
6) Send Securely And On Time
Send the response securely (for example, via encrypted email or a secure portal) and make sure you meet the deadline. One month is the default limit, with a limited right to extend for complex or numerous requests. If timing is tight, update the requester and document your reasons - more on SAR deadlines below.
7) Keep An Audit Trail
Keep a record of what you received, how you verified identity, where you searched, what you disclosed, and any exemptions you relied on. Good records will help if the ICO asks questions or the requester challenges your response.
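The seven steps above map onto a small amount of tooling. Below is an added example, written for this guide and not code from Sprintlaw or any product it mentions, that walks one constructed SAR through steps 3 to 7: a proportionate keyword search across a handful of sample records, a legal-privilege exemption applied by source, redaction of third-party names and email addresses, and a numbered audit trail returned with the response pack. The records, the requester "Jane Doe", the third parties and the system names are all made up for illustration; which sources count as privileged and how identity was verified are assumptions you would replace with your own playbook's decisions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed sample records for illustration only: (system, record id, text).
SAMPLE_RECORDS = [
    ("shared-mailbox", "msg-1001",
     "Hi Jane Doe, order #4821 has shipped. Contact: jane.doe@example.com"),
    ("hr-platform", "note-22",
     "1:1 with Jane Doe. Manager Tom Smith (tom.smith@example.com) noted lateness."),
    ("crm", "ticket-77", "Refund processed for Bob Jones (bob.jones@example.com)."),
    ("legal", "adv-3", "Solicitor advice on the Jane Doe grievance (privileged)."),
    ("chat", "ch-9", "Jane Doe asked about annual leave; forwarded to HR."),
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class SarCase:
    requester: str
    received: date
    identifiers: list[str]        # how the requester appears in records (name, email)
    third_party_names: list[str]  # other individuals whose data must be redacted
    privileged_systems: set[str]  # sources withheld under legal professional privilege
    audit: list[str] = field(default_factory=list)

    def log(self, event: str) -> None:
        """Append a numbered entry to the audit trail (step 7 of the workflow)."""
        self.audit.append(f"step {len(self.audit) + 1}: {event}")


def scope_search(records, identifiers):
    """Proportionate keyword search (step 3): keep only records that mention
    one of the requester's identifiers, case-insensitively."""
    needles = [i.lower() for i in identifiers]
    return [r for r in records if any(n in r[2].lower() for n in needles)]


def redact(text: str, requester_identifiers, third_party_names) -> str:
    """Step 4: mask third-party personal data. Any email address that is not
    the requester's own is masked, as is every listed third-party name."""
    keep = {i.lower() for i in requester_identifiers}
    out = EMAIL_RE.sub(
        lambda m: m.group(0) if m.group(0).lower() in keep else "[REDACTED email]", text)
    for name in third_party_names:
        out = re.sub(re.escape(name), "[REDACTED third party]", out, flags=re.IGNORECASE)
    return out


def build_response_pack(case: SarCase, records) -> dict:
    """Steps 3-7: search, apply exemptions, redact, and return the pack with its audit trail."""
    case.log(f"SAR from {case.requester} received {case.received.isoformat()}; identity verified")
    hits = scope_search(records, case.identifiers)
    systems = {r[0] for r in records}
    case.log(f"searched {len(records)} records across {len(systems)} systems; {len(hits)} matched")
    disclosed, withheld = [], []
    for system, rid, text in hits:
        if system in case.privileged_systems:
            withheld.append((system, rid, "legal professional privilege"))
            continue
        disclosed.append((system, rid, redact(text, case.identifiers, case.third_party_names)))
    case.log(f"disclosed {len(disclosed)} records; withheld {len(withheld)} under exemptions")
    return {"disclosed": disclosed, "withheld": withheld, "audit": list(case.audit)}


def run_sample_case() -> dict:
    """Worked run against the constructed records above (assumed requester and third parties)."""
    case = SarCase(
        requester="Jane Doe",
        received=date(2024, 3, 14),
        identifiers=["Jane Doe", "jane.doe@example.com"],
        third_party_names=["Tom Smith", "Bob Jones"],
        privileged_systems={"legal"},
    )
    return build_response_pack(case, SAMPLE_RECORDS)


if __name__ == "__main__":
    pack = run_sample_case()
    for system, rid, text in pack["disclosed"]:
        print(f"{system}/{rid}: {text}")
    for system, rid, reason in pack["withheld"]:
        print(f"WITHHELD {system}/{rid}: {reason}")
    print("\n".join(pack["audit"]))
```

Two design points carry over to real systems: redaction should be keyed on who the requester is, so the requester's own email survives while every other address is masked, and the audit entries should be produced by the same code that performs each step, so the record you keep for the ICO reflects what was actually searched and withheld rather than a separately written summary.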
Employee SARs: Extra Practicalities
Employee SARs are common and can be time-consuming. Expect requests for notes of meetings, manager emails, and instant messages. Be methodical:
- Search manager inboxes and shared drives for the requested time period
- Redact other employees’ personal data where appropriate
- Consider whether any data is legally privileged (e.g. advice from a solicitor during a live dispute)
If an employee SAR relates to an ongoing performance or grievance process, keep your employment documentation organised. Clear, separate files and well-drafted policies make these searches far easier.
What Can You Withhold? SAR Exemptions And Redactions
Data protection law balances the right of access with other rights and obligations. You can refuse to provide certain information, or provide it in redacted form, where an exemption applies. Common business-friendly exemptions include:
- Third-Party Personal Data: You generally shouldn’t disclose information about someone else without their consent. Redact names and identifiers unless disclosure is reasonable or the third party has agreed.
- Legal Professional Privilege: Communications with your solicitors for the purpose of seeking or receiving legal advice (or for litigation) are exempt.
- Confidential References: References you give (e.g. for an ex-employee) are typically exempt from disclosure to the subject.
- Management Forecasts And Negotiations: Limited data may be withheld if disclosure would prejudice business negotiations or management planning.
- Crime And Taxation: Where disclosure would prejudice the prevention or detection of crime or the assessment/collection of tax.
- Manifestly Unfounded Or Excessive Requests: You may refuse, or charge a reasonable fee, if a request is plainly vexatious or repetitive. You’ll need to justify this and document your reasoning.
Apply exemptions narrowly and explain them in your response letter. If in doubt, get legal advice before refusing disclosure. Our guide to SAR exemptions sets out the common scenarios and how to handle them.
SAR Timeframes, Fees And Format Rules
Timelines are strict and it’s important to stay on top of them to avoid complaints to the ICO.
How Long Do You Have To Respond?
- Default Deadline: One month from the day after you receive the SAR.
- Extension: You may extend by up to two further months if the request is complex or you’ve received numerous requests from the individual. You must tell the requester within the first month and explain why you need more time.
Set calendar reminders and track the clock carefully. For a deep dive on calculating dates (including bank holidays and time zone quirks), see our guide to SAR deadlines.
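As an added example (not code from Sprintlaw), the deadline rules stated above expressed as a small calculator: the clock starts the day after receipt, the default deadline is one month from that day, an extension may add one or two further months, and notice of an extension must be given within the first month. The month-end fallback (a clock starting on 31 January resolving to the last day of February) is an assumption this example makes where the article is silent; weekend and bank-holiday adjustments are not modelled. Dates may be passed as `datetime.date` objects or ISO strings.

```python
import calendar
from datetime import date, timedelta


def _as_date(d) -> date:
    """Accept a date object or an ISO 8601 string such as "2024-01-30"."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def add_months(d: date, months: int) -> date:
    """Same day-of-month `months` later. If that month is shorter, fall back to
    its last day. Assumption: the article does not spell out month-end handling."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def clock_start(received) -> date:
    """The clock starts the day after the SAR is received."""
    return _as_date(received) + timedelta(days=1)


def default_deadline(received) -> date:
    """One month from the day after receipt."""
    return add_months(clock_start(received), 1)


def extended_deadline(received, extra_months: int) -> date:
    """Up to two further months for complex or numerous requests."""
    if extra_months not in (1, 2):
        raise ValueError("an extension may only add one or two further months")
    return add_months(clock_start(received), 1 + extra_months)


def extension_notice_in_time(received, notice_sent) -> bool:
    """The requester must be told about an extension within the first month."""
    return _as_date(notice_sent) <= default_deadline(received)


def days_remaining(received, today, extra_months: int = 0) -> int:
    """Days left until the applicable deadline; negative means overdue."""
    deadline = (extended_deadline(received, extra_months) if extra_months
                else default_deadline(received))
    return (deadline - _as_date(today)).days


if __name__ == "__main__":
    for received in ("2024-01-30", "2024-03-14", "2023-11-30"):
        print(received, "-> default", default_deadline(received),
              "| max extension", extended_deadline(received, 2))
```

The `extension_notice_in_time` check is the one most often missed in practice: deciding late in month two that a request is "complex" does not buy more time, because the extension had to be notified before the default deadline passed.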
Can You Charge A Fee?
In most cases, no - SARs are free. You can charge a reasonable fee (or refuse) only if a request is manifestly unfounded or excessive, or for additional copies. If you charge a fee, explain your calculation transparently.
What Format Should You Use?
Provide data in a concise, transparent and easily accessible form, using clear and plain language. Electronic formats are fine for most requests. Where feasible, respond via secure channels and avoid sending large, unencrypted attachments containing sensitive data.
What About Special Category Data?
“Special category” personal data (for example, health, biometric or race/ethnicity information) requires extra care. Double-check identity verification and security measures before disclosure and be conservative with redactions where third-party data appears alongside special category data.
How To Reduce SAR Risk: Policies, Training And Contracts
SARs become far simpler if your privacy housekeeping is in order. A few proactive steps go a long way.
Have The Right Policies And Notices
- Privacy Policy: Make sure your Privacy Policy covers the required transparency information and matches what you actually do.
- Internal Procedures: Create a clear playbook for handling SARs (who logs, searches, reviews and signs off), and keep a standard response pack ready.
- Data Retention Schedule: Avoid over-retaining data. Define how long you keep each category of personal data and why, aligning with your legal and business needs. If you need a refresher, revisit typical data retention periods.
Train Your Team
Anyone who might receive a SAR (support agents, HR, managers, even social media teams) should know how to recognise and escalate it. Remember: a valid SAR doesn’t need to mention “UK GDPR” or use legal jargon - a simple “please send me my data” in any channel can be enough. Our step-by-step guide to responding to SAR emails is a useful team resource.
Tidy Up Your Data Landscape
- Map Systems: Keep a simple inventory of where personal data lives (by function and system) to speed up searches.
- Reduce Shadow IT: Discourage teams from storing work conversations and files in unmanaged tools. The fewer places you need to search, the better.
- Use Consistent Channels: If you routinely record decisions and feedback in agreed systems, the search and redaction process becomes much smoother.
Get Your Contracts In Order
If vendors process personal data for you, ensure your Data Processing Agreement lets you call on their help to meet SAR obligations, including timely searches and secure exports. Where you share personal data with another controller (for example, a partner organisation), a clear Data Sharing Agreement can set expectations about SAR cooperation and responsibilities.
Plan For Edge Cases
Some SARs raise tricky issues - for example, requests during live disciplinary matters, cases involving third-party complainants, or demands for extensive call recordings. Establish in advance when you’ll seek legal advice, and keep example wording to handle scope-narrowing and complex redactions. If you need to refuse or limit disclosure, our overview of SAR exemptions will help you assess the options.
Key Takeaways
- A SAR (Subject Access Request) is a legal right for individuals to access their personal data - it applies to small businesses and employers, not just big companies.
- Have a clear, repeatable process: acknowledge and log, verify identity, search proportionately, review and redact, and respond securely within the one‑month deadline.
- Use exemptions carefully: you can withhold third-party data, legal advice, and certain confidential information where the law allows - document your decisions and explain them.
- Deadlines are strict: one month is standard, with limited extensions for complex or numerous requests. Set reminders and monitor SAR deadlines closely.
- Strong privacy foundations make SARs easier: keep your Privacy Policy accurate, train your team, and maintain sensible retention so you’re not holding more data than you need.
- Contracts matter: make sure your vendor Data Processing Agreement and any Data Sharing Agreement support your SAR obligations.
- Templates save time: a consistent SAR template and response pack will help you respond accurately and on brand.
If you’d like help setting up a SAR process, assessing exemptions or preparing tailored documents, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no‑obligation chat.