Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Picture this: you’re working hard to grow your business, and out of the blue, you receive an email from a current or former employee (or maybe even a customer) asking for “all the data you hold about them.” You might feel a rush of uncertainty: do I have to reply? What exactly do I have to provide? Are there rules I need to follow? If this sounds familiar, you’re not alone.
Dealing with a SAR request (Subject Access Request) is now a standard part of running a business in the UK, especially since the introduction of the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. But don’t worry: with the right knowledge and a clear plan, responding to SAR requests can be straightforward, and even an opportunity to show your business’s commitment to transparency and compliance.
In this guide, we’ll break down everything UK business owners need to know about SAR requests: what they are, why you might receive one, and, most importantly, how to respond to them properly. Whether you’re new to the concept or want to ensure your business is compliant, keep reading for a practical, actionable approach to subject access requests.
What Is a SAR Request?
Let’s start with the basics. A SAR request is a formal request from an individual (the “data subject”) for copies of the personal data your business holds about them. SAR stands for “Subject Access Request.” This right is set out in the UK GDPR and the Data Protection Act 2018. Its purpose is to give people more control over, and transparency about, how their information is stored and used.
In simple terms: if you collect, hold, or process any personal data about someone (even just an email address or a purchase history), they have the legal right to ask what you’re holding and why. A SAR request can come from:
- Current or former employees
- Customers or clients
- Suppliers, users, or any individual whose data you process
Typically, a SAR request will ask for:
- Access to the actual data, e.g. emails, files, call logs
- Information about why you’re holding the data
- Who else their data has been shared with
- Details of how long you’ll store it
If you process any personal data (and almost every business does), it’s crucial to know your obligations and have a plan in place for handling requests.
Why Are SAR Requests Important For UK Businesses?
SAR requests matter because they’re a legal right for individuals and a legal duty for businesses. Ignoring a SAR request, providing an incomplete response, or taking too long to reply can lead to complaints, regulatory investigation, and in some cases, GDPR fines from the ICO. More than that, proper handling of SAR requests is a sign your business respects customer privacy and takes compliance seriously.
There has been a sharp increase in the number of subject access requests in recent years, especially as more people become aware of their rights under data privacy laws. These requests can also be the first step in complaints about unfair dismissal, discrimination, or disputes, so it’s wise to treat them promptly and carefully.
Who Can Make a SAR Request?
Any individual (employee, customer, supplier) whose data you process can make a SAR request to your business. This includes:
- Current and former employees
- Job applicants (if you’ve kept their interview records)
- Active, past, or prospective customers
- Subscribers, members, contractors: anyone whose “personal data” is in your files
Individuals can make a SAR request either verbally or in writing (including by email, social media, or even a web contact form). There’s no need for fancy legal wording; they just have to state that they want to access their personal data.
What Counts As “Personal Data” for a SAR Request?
“Personal data” is any information that relates to an identifiable living person. Common examples in a business context include:
- Names, postal or email addresses, phone numbers
- HR records, CVs, performance appraisals
- Customer account details, purchase history, payment information
- Emails and correspondence mentioning the person
- Photos, call logs, membership or booking histories
It doesn’t matter whether the data is on paper or in electronic systems: it all counts. Even data held by third-party services (for example, cloud storage or outsourced payroll systems you use) must be included in your response if you’re the “data controller.”
For more on defining personal data and your responsibilities as a controller or processor, check out Sprintlaw’s GDPR controller guide.
How Should You Respond To a SAR Request? Step-By-Step Guide
Let’s walk through how to handle a SAR request professionally and within the law. Here’s a simple action plan you can follow whenever you receive a new subject access request:
1. Identify and Log the Request Promptly
As soon as you receive a SAR request (via email, post, social media, or verbally), note the date and method of receipt. Internally, log the request, who it came from, and brief details of what’s being asked for. There’s no formal paperwork required, but a record is essential for meeting the deadline and for keeping an audit trail.
2. Verify the Identity of the Requester
Before you share any information, make sure you’re not giving out personal data to the wrong person. If the request comes from a known current employee or customer using registered contact details, this is usually enough. But for more sensitive information or if the request comes from an unknown address, ask for proof of identity (such as a passport scan or utility bill).
3. Understand and Clarify the Scope
SAR requests don’t have to use exact language, and can sometimes be vague (“I want all my information”). If you need clarification to narrow down the search (such as date ranges, specific types of data, or particular systems), it’s fine to go back and ask the requester for more details.
4. Locate and Collate All Relevant Data
Search across all your records: emails, HR files, cloud systems, archives, and physical folders. Don’t forget:
- Backups and old systems
- Data held by third parties (e.g. payroll, CRM providers, outsourced services)
- Metadata or “hidden” data (e.g. comments in documents)
Include ALL personal data relating to the individual, unless an exemption applies (see below).
5. Check for Exemptions or Third-Party Data
Some information may be exempt from disclosure, for example data that contains confidential references, legal privilege, or “mixed data” relating to other individuals (such as group emails). If so, you may be able to redact that information or withhold it. For detailed scenarios, see SAR exemption guidance.
6. Respond Within One Month (Deadline!)
You must respond to SAR requests “without undue delay and at the latest within one month” from receipt. If a request is complex or there are multiple requests, you can extend this by up to two further months, but you must tell the requester within the first month and explain why more time is needed.
7. Provide the Data and Information Clearly
Your response should include:
- Copies of the personal data itself (securely sent, e.g., via encrypted email or physical post)
- An explanation of what data you hold, why you process it, and your legal basis
- Who you’ve shared it with (such as processors or service providers)
- How long you plan to keep it or your criteria for deciding that
- Information on the individual’s rights (including complaining to the ICO)
Make sure your explanation is in clear, straightforward language. For template wording, see our subject access request response template guide.
8. Keep a Record of How You Handled the Request
Log what you provided, any exemptions applied, and the date you responded, so you can show the request was handled on time. This could protect you if there’s ever a complaint or ICO investigation.
What Common Mistakes Should Businesses Avoid With SAR Requests?
Some frequent pitfalls we see UK businesses fall into include:
- Missing the deadline or losing track of requests due to lack of internal process
- Failing to properly verify identity before disclosing data
- Accidentally omitting systems, emails, or archives where data is held
- Disclosing data belonging to other people (breaching their privacy)
- Charging unlawful fees (SARs are generally free unless “manifestly unfounded or excessive”)
To avoid these, make sure you have a process that all relevant staff are trained on, and consider a GDPR compliance checklist as part of your business risk management.
What If You Can’t or Shouldn’t Provide Some Information?
There are some situations where you may refuse or limit a SAR request, including:
- “Manifestly unfounded or excessive” requests (e.g., obvious abuse of the process)
- Data that would reveal another person’s information without their consent
- Legal privilege (e.g., correspondence with your lawyer about a dispute)
If you’re relying on an exemption or refusing part (or all) of a request, always:
- Tell the requester as soon as possible
- Explain your reasons clearly
- Let them know they can complain to the ICO
For more, see our guide to SAR exemptions and refusals.
How Can Your Business Prepare For SAR Requests?
Like most small business legal challenges, preparation is key. Here’s what we recommend for all UK businesses (even the smallest startups):
- Map where you store all personal data (digital and paper)
- Have a written SAR response procedure (who handles it, how, and with what deadlines)
- Train staff to recognise SAR requests; they don’t have to use the words “subject access”
- Have suitable systems in place to quickly retrieve and securely share data
- Keep your Privacy Policy and data retention policy up to date, so that people know their rights and you know what you’re holding
- Appoint a data protection lead or officer as your business grows, to stay on top of GDPR compliance
If you want a ready-made solution, Sprintlaw offers a GDPR compliance pack that includes privacy policy drafting, data request templates, and staff training resources.
How Does the ICO Handle SAR Complaints?
If a person is unhappy with your response (or lack thereof), they can complain to the Information Commissioner’s Office (ICO), which regulates data rights in the UK. The ICO can:
- Investigate your handling of the SAR
- Order you to comply, make changes, or pay compensation
- Issue fines for serious failures or multiple breaches
Responding carefully and recording your process isn’t just good practice; it’s your defence if the ICO comes calling. For more, see Sprintlaw’s full guide to ICO complaints.
What Practical Tools and Templates Should You Have?
To stay protected, most UK SMEs benefit from having:
- A clear, plain-English Privacy Policy published on your website (see our GDPR Privacy Policy service)
- Written procedures or checklists for handling SAR requests
- Template SAR response letters that tick all the legal boxes
- Clear data retention rules (see: GDPR data retention guide)
The right templates and training mean you can respond efficiently, correctly, and with less stress, all while building trust with staff and customers.
Key Takeaways
- A SAR request is a legal, time-limited right for individuals to access the personal data you hold about them under UK GDPR and the Data Protection Act 2018.
- You must respond within one month, providing all relevant data (unless an exemption applies) and explaining your reasons clearly.
- Having an updated Privacy Policy and a straightforward SAR procedure keeps your business compliant and builds trust with customers and employees.
- Failing to respond properly can lead to complaints, investigations, and potentially substantial fines from the ICO.
- Avoid common mistakes by keeping records, verifying ID, training staff, and drafting template responses, ideally with professional legal help.
- For complex or sensitive requests, always seek tailored advice from a legal expert who understands your specific business and risk profile.
Still feeling unsure about handling subject access requests or data privacy compliance? Don’t stress: help is at hand. If you’d like guidance on SAR requests, GDPR policies, or general business law, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.