Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you collect any personal data about customers, employees or suppliers, you’ll eventually face a question from someone asking “what data do you hold on me?” Under UK data protection law, that’s a Subject Access Request - often shortened to “SAR”.
Handled the right way, SARs don’t need to be stressful. In fact, they’re a useful prompt to check your data practices are working. In this guide, we’ll explain what a subject access request is, what’s included, your response deadlines and exemptions, and a step-by-step process you can use in your small business.
What Is a Subject Access Request Under UK GDPR?
A Subject Access Request (SAR) is a request from an individual (a “data subject”) to access their personal data that your business processes. The right of access comes from Article 15 of the UK General Data Protection Regulation (UK GDPR), supplemented by the Data Protection Act 2018.
In plain English: if your business holds information that can identify a person (names, emails, purchase history, CCTV images, HR files, device IDs tied to a person, and more), that person can ask you for a copy and certain details about what you’re doing with it.
The request doesn’t need any special legal wording. If someone emails you saying “please send me the data you have about me” or “what do you store about me?”, that’s likely a valid SAR. They can also ask via social media, webchat or even verbally - as long as you can verify their identity and understand what they’re asking for.
As a controller, you’re responsible for handling SARs fairly, transparently and within the legal timescales. If you use third-party vendors to process data (for example, CRM, payroll, or email marketing tools), make sure your contracts let you get the data you need quickly. This is where a clear Data Processing Agreement with your processors is essential.
What Is Included In A Subject Access Request?
When someone makes a SAR, you need to provide both a copy of their personal data and certain explanatory information. That typically includes:
- The categories of personal data you process (e.g. contact details, payment info, order history).
- The purposes you use it for (e.g. fulfilling orders, delivering services, marketing with consent).
- The lawful basis for processing (e.g. contract, consent, legitimate interests, legal obligation).
- Who you share it with (e.g. couriers, cloud providers) and any international transfers.
- How long you keep it, or the criteria you use to decide retention periods.
- Their rights (rectification, erasure, restriction, objection, data portability) and the right to complain to the ICO.
- The source of the data if you didn’t collect it directly from them.
For the copy of the data itself, include the personal information you hold in your systems and files, for example:
- Account and profile information (name, email, phone, addresses).
- Transaction records, invoices, support tickets or complaints.
- Marketing preferences and consent logs.
- Website or app interactions that identify the person (if linked to them).
- HR and payroll records if the requester is an employee or applicant.
- Audio or visual material where they’re identifiable (e.g. CCTV footage).
You don’t need to provide documents that only contain other people’s data, commercially sensitive information that isn’t personal data, or copies of every email thread if those parts don’t contain the requester’s personal data. But be careful: emails often contain names and opinions about identifiable individuals, which can be personal data depending on context.
Having a clear, up-to-date Privacy Policy helps you map what you collect and why, which makes SAR responses faster and less error-prone.
Who Can Make A SAR And When Can You Refuse?
Anyone you process data about can make a SAR - customers, leads, employees, contractors, or people captured on CCTV. They can appoint someone to act on their behalf (for instance, a solicitor), but you must be satisfied the representative is authorised.
There’s no requirement for a formal template, but it’s sensible to offer a simple pathway so you receive the right information first time. Many businesses use a short web form to gather identity details and help the requester narrow the scope. If you’re building that workflow, consider incorporating wording from a practical subject access request template so your team knows exactly what to collect and when.
Grounds To Refuse Or Limit Your Response
There are limited situations where you can refuse a SAR (in full or in part), or charge a reasonable fee:
- Manifestly unfounded or excessive requests, including repetitive submissions without meaningful change.
- Where disclosure would adversely affect the rights and freedoms of others (e.g. revealing another person’s data or trade secrets) - in many cases, you should redact rather than refuse.
- Where a specific exemption applies under the Data Protection Act 2018 (for example, certain management forecasting, negotiations, legal privilege, or crime prevention) - these are narrow and need careful assessment.
If you’re considering refusal, it’s wise to take advice. The ICO expects you to justify refusals and explain your reasoning to the requester. To understand the main carve-outs and pitfalls, review common SAR exemptions before you decide.
How Long Do You Have To Respond?
You must respond without undue delay and within one month of receiving the request. The clock usually starts when you have enough information to locate the data and have verified the requester’s identity.
You can extend the deadline by a further two months if the request is complex or if you’ve received numerous requests from the individual. If you do extend, you must tell the requester within the first month and explain why an extension is needed.
Timeframes can be tricky to calculate, especially when requests arrive over public holidays, are paused for ID checks, or come in multiple parts. A short guide to SAR response deadlines can help you set internal timelines and avoid missing key dates.
Missed or inadequate responses can lead to complaints to the Information Commissioner’s Office (ICO), enforcement action, and reputational harm. Building a repeatable process is the best way to stay on top of deadlines.
Step-By-Step: How To Handle A SAR In Your Business
Here’s a practical workflow your team can follow. Adapt it to match your systems and the kinds of data you hold.
1) Acknowledge And Verify
- Confirm receipt promptly and set expectations about timing.
- Verify identity. Ask for reasonable ID if needed, especially where you hold sensitive data or can’t otherwise prove it’s the right person.
- If the request is broad or ambiguous, invite the requester to narrow the scope (e.g. date ranges, systems or topics).
2) Log The Request
- Record the date received and the due date (one month from the valid request date).
- Assign an owner and create a checklist so nothing is missed.
- Keep a record of all communications related to the SAR - you may need to show your working to the ICO.
3) Locate The Data
- Search your core systems: CRM, ecommerce platform, helpdesk, HR/payroll, email, cloud storage, CCTV, and any bespoke apps.
- Ask third-party processors for exports where you don’t have direct access. Your Data Processing Agreement should require timely assistance with data subject rights.
- Limit the scope to personal data about the requester. Avoid disclosing other people’s data; redact where possible.
4) Review And Redact
- Remove or black out personal data about others where you can’t obtain consent or it would be unreasonable to disclose.
- Check for legally privileged material and other applicable exemptions. If in doubt, document your rationale for any redactions.
- Ensure the data you’re releasing is accurate and corresponds to the requester.
5) Compile The Response Pack
- Include the copy of personal data in a commonly used electronic format unless the requester asks otherwise.
- Attach the required transparency information (purposes, recipients, retention, rights, etc.). Your Privacy Policy is a helpful source, but tailor it to this request.
- Explain any redactions or exemptions you’ve relied on, and any extension or fee decision.
6) Send Securely And Close The Loop
- Deliver via a secure channel (encrypted link or password-protected file). Confirm safe receipt.
- Remind the requester of their rights to ask for corrections or raise concerns with the ICO.
- Update your log and note any improvements to apply next time.
If you expect SARs frequently (for instance, workplaces with CCTV or high employee turnover), consider a simple internal playbook and training. A short, practical checklist - paired with a clear Data Sharing Agreement for any routine third-party sharing - will help your team respond consistently.
Prevent SAR Headaches: Policies, Contracts And Good Data Hygiene
The easiest SAR to handle is the one you’re already prepared for. A few proactive steps will reduce effort and risk when a request lands.
Map Your Data Early
Know what you collect, where it lives, and who you share it with. A short data map (systems, data types, recipients, retention) guides your searches and helps you spot over-collection.
Keep Retention Realistic
Holding data for longer than you need increases the volume you must review and disclose. Set appropriate retention periods and purge old data. If you’re unsure what you can remove and when, read up on GDPR data deletion under UK law.
Tidy Your Transparency
Your website and onboarding materials should clearly explain how you use data and people’s rights, in plain English. A tailored Privacy Policy and cookie disclosures make this easy - and they double as a reference point for your SAR letters.
Lock In Your Vendors
If a processor can’t extract the data you need quickly, your deadlines are at risk. Make sure your Data Processing Agreement obliges processors to help with access requests and deletion, within specific timeframes and at no extra cost for routine requests.
Build A Simple SAR Workflow
Create a consistent route for requests (email address or form), a triage checklist and a standard response pack. Using a well-structured SAR template keeps your language accurate and your obligations front-of-mind for staff.
Know The Edges: Deadlines And Exemptions
Most SARs are straightforward - respond within a month and redact third-party data. But complex cases arise: large email searches, CCTV footage across multiple dates, or mixed files that include other people’s data. Bookmark guidance on SAR deadlines and common exemptions so your team can spot when to pause and seek advice.
Bundle Your Compliance
For growing teams, it can be simpler to establish a full set of privacy documents and workflows at once - privacy notices, internal policy, processor contracts and response templates. A practical, business-friendly GDPR Package can get you protected from day one and save hours when a SAR arrives.
Key Takeaways
- A Subject Access Request lets people ask for a copy of their personal data and information about how you use it. Any clear request can count as a SAR.
- Respond within one month (extendable by two months for complex cases). Log the request, verify identity, search, redact and respond securely.
- You can refuse or charge a fee only in limited situations (manifestly unfounded or excessive requests, or where narrow exemptions apply). Document your reasoning.
- A strong foundation - clear Privacy Policy, robust Data Processing Agreement, sensible retention and a simple SAR workflow - makes compliance faster and reduces risk.
- Complex points often involve deadlines and exemptions, so have guidance on timelines and exemptions handy, and get tailored advice when needed.
If you’d like help setting up SAR processes, drafting privacy notices or tightening your vendor contracts, our friendly team can help you put everything in place quickly and affordably. You can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.