Handle subject access requests (SARs)

What is a SAR and how to recognise one

A SAR does not need to follow any particular format. There is no required form, no specific wording, and no need for the person to mention the legislation. You must treat any of the following as a valid SAR:

• Written requests - email, letter, online form, text message, or social media message
• Verbal requests - phone call, video call, or face-to-face conversation
• Any clear expression of intent - phrases such as "I want to see my data", "What do you have on me?", or "Send me everything you hold about me"

The person does not need to use the words 'subject access request', 'SAR', 'Article 15', or 'UK GDPR'. If their intent to access their personal data is clear, your legal obligations are triggered immediately.

SARs can arrive through unexpected channels - a customer might ask a shop-floor employee, or a former employee might message your company on social media. Failing to recognise a valid SAR is one of the most common compliance failures the ICO investigates. Train every member of staff who interacts with the public to recognise and escalate SARs without delay.

Individual rights under UK GDPR

The right of access is one of eight individual rights under UK GDPR. Understanding where SARs fit within the broader rights framework helps you handle requests correctly and recognise when someone is exercising a different right.

Step-by-step SAR response process

Follow these steps each time you receive a subject access request. The process applies whether the request comes from a customer, employee, or any other individual.

Fees, extensions, and refusals

Fees

SARs are free of charge in almost all cases. You can only charge a reasonable fee (based on administrative costs) if a request is manifestly unfounded or excessive, or if someone requests additional copies of data already provided.

Manifestly unfounded or excessive requests

This is a high bar. A request may be manifestly unfounded if the person clearly has no intention to exercise their rights (for example, making threats unrelated to data access). A request may be excessive if it is repetitive without legitimate reason.

Volume alone does not make a request excessive. The test considers whether the request is reasonable in the circumstances, not the work involved. You bear the burden of proof and must still respond within one month, explaining your decision and informing the individual of their right to complain to the ICO.

Extensions for complex requests

You can extend the deadline by up to two further months (total three months) for genuinely complex requests. You must tell the individual within the first month and explain why. Complexity means significant effort is needed - for example, searching many systems or reviewing large volumes of third-party data. Being busy or under-resourced is not a valid reason.

Employee SARs: special considerations

SARs from employees and former employees are among the most challenging. They typically involve large volumes of data across many systems and raise complex exemption questions.

Why employee SARs are different

• Volume and spread: Employee records span HR files, emails, performance reviews, disciplinary records, payroll, pensions, occupational health, CCTV, access logs, and internal communications
• Third-party data: Workplace documents frequently mention other employees, managers, and customers. You must review every document and redact where necessary
• Confidential references: References you have given in confidence are exempt. References you have received are not
• Management planning: Notes about redundancies, restructuring, or succession planning may be exempt if disclosure would prejudice those plans
• Legal privilege: If a dispute is ongoing or anticipated, communications with your legal advisers are likely privileged
• Workplace disputes: Employee SARs often coincide with grievances or disciplinary processes. Handle the SAR on its merits regardless of context

Practical steps for employee SARs

• Assign to someone with appropriate seniority and access to legal advice
• Search all HR, email, and operational systems thoroughly
• Review every document for third-party data and redact carefully
• Keep SAR response separate from any ongoing dispute resolution
• Maintain detailed records of searches and redaction decisions

Penalties for non-compliance

Failing to respond correctly to SARs is a breach of data subject rights under UK GDPR Articles 12-22. This falls under the higher tier of the UK GDPR penalty regime.

What to do next

• Create an internal SAR procedure: Document who is responsible for handling SARs, how requests should be escalated, and the steps to follow. Make sure every member of staff who may receive a request knows what to do
• Set up a SAR register: Maintain a log of all SARs received, including dates, actions taken, exemptions applied, and response dates. This demonstrates accountability to the ICO
• Train your staff: Ensure anyone who interacts with individuals (customer-facing staff, managers, HR) can recognise a SAR and knows how to escalate it immediately
• Review your data map: Know where personal data is held across your systems so you can search efficiently when a SAR arrives
• Seek legal advice for complex cases: If you receive a SAR connected to a workplace dispute, regulatory investigation, or legal proceedings, take legal advice before responding