
A subject access request (SAR) is when someone asks for a copy of the personal data you hold about them. Under UK GDPR Article 15, every individual has the right to access their personal data, and your business must respond within strict legal timeframes.

SARs can come from customers, employees, former staff, suppliers, or anyone whose personal data you process. Getting them wrong can lead to ICO enforcement action and fines of up to 17.5 million GBP or 4% of annual worldwide turnover, whichever is higher.

What is a SAR and how to recognise one

A SAR does not need to follow any particular format. There is no required form, no specific wording, and no need for the person to mention the legislation. You must treat any of the following as a valid SAR:

  • Written requests - email, letter, online form, text message, or social media message
  • Verbal requests - phone call, video call, or face-to-face conversation
  • Any clear expression of intent - phrases such as "I want to see my data", "What do you have on me?", or "Send me everything you hold about me"

The person does not need to use the words 'subject access request', 'SAR', 'Article 15', or 'UK GDPR'. If their intent to access their personal data is clear, your legal obligations are triggered immediately.

SARs can arrive through unexpected channels - a customer might ask a shop-floor employee, or a former employee might message your company on social media. Failing to recognise a valid SAR is one of the most common compliance failures the ICO investigates. Train every member of staff who interacts with the public to recognise and escalate SARs without delay.

Individual rights under UK GDPR

The right of access is one of eight individual rights under UK GDPR: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling. Understanding where SARs fit within this framework helps you handle requests correctly and recognise when someone is exercising a different right (for example, asking you to delete their data rather than to see it), which has its own rules and deadlines.

Step-by-step SAR response process

Follow these steps each time you receive a subject access request. The process applies whether the request comes from a customer, employee, or any other individual.

  1. Step 1: Recognise and log the request

    Record the date received immediately - this starts your one-month clock. Log the request in your SAR register, noting the channel (email, phone, letter, social media, or verbal), who the requester is, and what they asked for. Assign it to the person responsible for handling SARs in your organisation.

  2. Step 2: Verify identity if necessary

    You must be confident the request comes from the right person before releasing data. If the request arrives from an account the individual has logged into, or from the contact details already on file, that may be enough for low-risk data; bear in mind that the sender address of an email can be forged, so weigh this against the sensitivity of what you would be releasing. For higher-risk data, ask them to confirm details only they would know. For very sensitive data, you may request photo ID, but keep verification proportionate to the risk and do not demand more than you need. If you do have to ask for identity information, the one-month period runs from the day you receive it, so ask promptly and never use verification as a way to delay.

  3. Step 3: Locate and retrieve the data

    Search all systems where the individual's personal data may be held: databases, CRM, email (including archives), paper files, backups, CCTV, HR records, finance systems, and any third-party processors. You must make genuine efforts to find all relevant data, but searches should be reasonable and proportionate. Record which systems you searched.

  4. Step 4: Review for exemptions and third-party data

    Redact personal data about other identifiable individuals unless they have consented or disclosure is reasonable without consent. Check for other exemptions: legal professional privilege, confidential references given or received for employment, education or training purposes, management forecasting, crime prevention, or regulatory functions. Apply exemptions to specific information, not whole documents - redact the exempt parts and provide the rest. Document your reasoning for every exemption, as you may need to justify it to the ICO.

  5. Step 5: Compile and provide your response within one month

    Your response must include: a copy of their personal data; purposes of processing; categories of data held; recipients; retention periods; their rights to rectification, erasure, restriction, and objection; their right to complain to the ICO; the data source if not collected directly; the safeguards in place for any transfers outside the UK; and any automated decision-making details, including meaningful information about the logic involved. Provide the response in a commonly used electronic format (PDF, CSV) if the request was made electronically, unless the individual asks otherwise. Deliver it securely - for example through a secure portal or as an encrypted or password-protected file - because sending someone's data to the wrong person or address is itself a personal data breach. If the request is complex, you can extend by up to two further months but must inform the individual within the first month, explaining why.

Fees, extensions, and refusals

Fees

SARs are free of charge in almost all cases. You can only charge a reasonable fee (based on administrative costs) if a request is manifestly unfounded or excessive, or if someone requests additional copies of data already provided.

Manifestly unfounded or excessive requests

This is a high bar. A request may be manifestly unfounded if the person clearly has no intention to exercise their rights (for example, making threats unrelated to data access). A request may be excessive if it is repetitive without legitimate reason.

Volume alone does not make a request excessive. The test considers whether the request is reasonable in the circumstances, not the work involved. You bear the burden of proof and must still respond within one month, explaining your decision and informing the individual of their right to complain to the ICO.

Extensions for complex requests

You can extend the deadline by up to two further months (total three months) for genuinely complex requests. You must tell the individual within the first month and explain why. Complexity means significant effort is needed - for example, searching many systems or reviewing large volumes of third-party data. Being busy or under-resourced is not a valid reason.

Employee SARs: special considerations

SARs from employees and former employees are among the most challenging. They typically involve large volumes of data across many systems and raise complex exemption questions.

Why employee SARs are different

  • Volume and spread: Employee records span HR files, emails, performance reviews, disciplinary records, payroll, pensions, occupational health, CCTV, access logs, and internal communications
  • Third-party data: Workplace documents frequently mention other employees, managers, and customers. You must review every document and redact where necessary
  • Confidential references: Under the DPA 2018 the exemption covers references given in confidence for employment, education or training purposes, whether you gave the reference or received it (the old DPA 1998 exemption only covered references you gave)
  • Management planning: Notes about redundancies, restructuring, or succession planning may be exempt if disclosure would prejudice those plans
  • Legal privilege: If a dispute is ongoing or anticipated, communications with your legal advisers are likely privileged
  • Workplace disputes: Employee SARs often coincide with grievances or disciplinary processes. Handle the SAR on its merits regardless of context

Practical steps for employee SARs

  • Assign to someone with appropriate seniority and access to legal advice
  • Search all HR, email, and operational systems thoroughly
  • Review every document for third-party data and redact carefully
  • Keep SAR response separate from any ongoing dispute resolution
  • Maintain detailed records of searches and redaction decisions

Penalties for non-compliance

Failing to respond correctly to SARs is a breach of data subject rights under UK GDPR Articles 12-22. This falls under the higher tier of the UK GDPR penalty regime.

Maximum penalty
Up to 17.5 million GBP or 4% of annual worldwide turnover, whichever is higher
Applies to
Breach of data subject rights including failure to respond to SARs (UK GDPR Articles 12-22)
Enforcement body
Information Commissioner's Office (ICO)

Common compliance failures that trigger ICO enforcement:

  • Not responding within one month without a valid extension
  • Providing incomplete information or missing data from key systems
  • Applying exemptions too broadly or without justification
  • Failing to recognise a valid SAR because staff were not trained
  • Charging a fee when not permitted
  • Releasing data to the wrong person (a data breach in itself)

The ICO can investigate complaints, issue enforcement notices, audit your SAR processes, and impose fines for serious or persistent failures.

What to do next

  • Create an internal SAR procedure: Document who is responsible for handling SARs, how requests should be escalated, and the steps to follow. Make sure every member of staff who may receive a request knows what to do
  • Set up a SAR register: Maintain a log of all SARs received, including dates, actions taken, exemptions applied, and response dates. This demonstrates accountability to the ICO
  • Train your staff: Ensure anyone who interacts with individuals (customer-facing staff, managers, HR) can recognise a SAR and knows how to escalate it immediately
  • Review your data map: Know where personal data is held across your systems so you can search efficiently when a SAR arrives
  • Seek legal advice for complex cases: If you receive a SAR connected to a workplace dispute, regulatory investigation, or legal proceedings, take legal advice before responding