
In an era where personal data is a valuable asset, transparency and accountability are key to maintaining public trust. Under UK law, one of the most important rights granted to individuals is the right of access – commonly exercised through a Subject Access Request (SAR).
A subject access request is a request made by an individual to a company or organisation to obtain a copy of the personal data they hold about them under data protection laws like the GDPR.
If your organisation processes personal data, understanding how to handle SARs is not just good practice – it’s a legal requirement. Here’s what you need to know.
What is a Subject Access Request (SAR)?
A Subject Access Request allows individuals (data subjects) to request a copy of the personal data your organisation holds about them. It is commonly abbreviated to ‘SAR’ or ‘DSAR’.
A subject access request enables the individual to:
- Confirm whether you are processing their personal data.
This means your organisation must confirm whether you are processing their personal data, which is any information relating to the requester that enables them to be identified.
- Access a copy of that data.
If it is possible to identify an individual from the information you’re processing, then that information may be personal data. The right of access enables individuals to obtain their personal data in the form of copies of the relevant documents (or of the sections of documents that contain the personal data).
- Understand how and why their data is being used.
This largely corresponds to the information that you should provide in a privacy notice. So, provided you have an up-to-date and appropriate privacy notice, you can deal with this by providing a copy or a link to it.
Who Can Make a Subject Access Request?
Any individual can make a SAR, free of charge, and it does not need to be in a specific format. The request can be made:
- Verbally or in writing
- Through email, social media, or post
- By a third party acting on behalf of the individual (e.g. a solicitor or a parent/guardian)
Importantly, proof of identity may be required to ensure that the request is genuine and that personal data is not disclosed to the wrong person.
Responding to a Subject Access Request
In accordance with data protection laws, organisations must handle these requests in a timely and efficient manner – in most cases within a month. To ensure compliance and maintain trust, it’s important to follow a clear and structured approach. The steps below set out an ideal process for responding to a SAR.
1. Verify the Identity of the Requester
If you have doubts about the requester’s identity, you can ask for additional information (e.g. a copy of ID).
2. Clarify the Scope (if needed)
If the request is broad, ask the individual to clarify what specific data or time period they’re interested in and any specific search terms they would like you to use. However, the individual is not obliged to do this, and should they refuse, you will need to comply with the request regardless.
3. Locate the Data
You should make reasonable efforts to find and retrieve the requested information. This doesn’t mean you need to provide every email an employee has sent or received. Routine emails often contain only basic personal data, such as the subject’s name, phone number or email address. Such information needs to be disclosed only once; you’re not required to include every occurrence of it across all documents.
4. Review and Redact
Before responding to a SAR, remove or redact any information that relates to other individuals, unless you have their consent to disclose it. You should also consider any applicable exemptions – these are legal grounds that allow certain information to be withheld, such as data protected by legal privilege.
5. Respond Within One Month
You must respond to a subject access request within one calendar month of receiving it. In some cases, if the request is complex or involves numerous records, you can extend the deadline, but you must inform the requester of the extension within the initial one-month period.
6. Provide the Information
Your response should include the personal data found during the search, redacted as necessary, in a commonly used electronic format. It should also include information about how the data is processed – typically by providing a copy of your privacy notice.
What If You Don’t Comply?
Failure to comply with SARs can trigger serious consequences, including investigations by the Information Commissioner’s Office (ICO) and enforcement actions. The UK Labour Party, for instance, was formally reprimanded by the ICO in late 2024 after it failed to respond to 78% of SARs within the required timeframe. In cases such as this, serious reputational damage isn’t far behind.
Responding to a Subject Access Request: Best Practices
To avoid the consequences outlined above, organisations should establish a clear SAR policy and make sure that staff are trained to recognise and respond appropriately.
Providing template responses for acknowledgement, requesting clarification and issuing final responses can help to ensure compliance. It’s also essential to maintain a log of all SAR responses, including dates and outcomes, and to use secure methods of sharing data with requesters. Regularly auditing your processing activities can further support your ability to locate and supply data efficiently.
Looking for a hand? NormCyber can help you put the right processes in place. Check out our Data Protection Service to see how we can support you.
Conclusion: Subject Access Requests – Key Takeaways
Subject Access Requests are a key data subject right under the UK GDPR that organisations need to comply with. By handling these requests correctly, organisations not only comply with the law but also demonstrate a commitment to transparency and accountability. Ensuring your staff understand and respect the rights of individuals will ultimately strengthen trust and resilience in your data protection practices.
If you need support managing SARs or strengthening your data protection practices, get in touch with us today – we’re here to help.