
What Is a Subject Access Request?

11 December 2025

A Subject Access Request (SAR) – also known as a “Data Subject Access Request” – is a formal request made by an individual to an organisation, requesting access to the personal data that organisation holds about them. Under data protection law, including the UK GDPR and Data Protection Act 2018, every individual has the right to know how their information is being used, stored, and shared.

For organisations, understanding SARs is crucial – not only to ensure compliance with data protection legislation, but also to maintain transparency and uphold privacy rights. Mishandling a SAR can lead to reputational damage and regulatory penalties, making it essential for businesses to have clear procedures in place.

This article will explain what a Subject Access Request involves, who in your organisation should respond to them, key timeframes and exemptions, and practical tips for managing SARs efficiently and lawfully. If you need further information, our GDPR compliance experts at Data Driven Legal are here to help. 

Key Takeaways

  • A Subject Access Request allows individuals to ask an organisation for the personal data it holds about them and details of how that data is processed.
  • Organisations generally have one calendar month to respond to a SAR, with the option to extend by up to two months for complex requests.
  • Requesters can expect a copy of their personal data, information on how it’s used, and details of their privacy rights under data protection law.

Understanding Subject Access Requests

As mentioned earlier, a Subject Access Request is a request from an individual (the data subject) asking an organisation to confirm whether it is processing their personal data and, if so, to provide a copy of that personal data together with key information about how and why it’s processed. A SAR, therefore, can cover both the data itself (e.g. contact details, transaction records) and the processing information that explains what the organisation does with that data (purposes, retention periods, automated decision-making, etc.).

Under the GDPR, data controllers must be able to explain to data subjects how their personal data is handled. Article 15 of the UK GDPR (“Right of access”) sets out the information individuals are entitled to receive. This includes the purposes of processing, the categories of personal data being processed, who the data has been shared with, how long it will be kept, and the data subject’s remedies and rights.

How Can Someone Make a Subject Access Request?

A SAR can be made in many ways – there is no required formality. However, there are several typical channels through which they are submitted, such as:

  • An online form (many organisations provide a dedicated SAR form on their website)
  • A letter or printed form sent by post
  • An email to a designated data protection or privacy inbox
  • Verbally, in person, or by phone – a phone call can be a valid SAR if the individual makes a clear request
  • Social media messages (e.g. a direct message or private message) – these can qualify as a SAR if they clearly request personal data

Who in Your Organisation Should Receive a Subject Access Request?

Since a SAR can arrive anywhere – from customer services via email, to a direct message on social media – the first person who sees it is often a front-line colleague rather than someone in a legal or privacy role. No matter where it lands, it should be escalated immediately to your Data Protection Officer (DPO) or, if you don’t have a DPO, to your nominated privacy lead or senior manager responsible for data protection.

It is important that you train every member of staff to recognise and escalate SARs. Fast escalation can reduce the risk of missed deadlines (as explained later), accidental deletion, or unauthorised disclosure. If a member of front-line staff receives a SAR, we suggest that they take the following steps:

  • Do not attempt to disclose any data
  • Log the request (date received, channel, requester name)
  • Preserve relevant records and stop routine deletion/archiving for related files
  • Immediately escalate to the DPO/privacy lead

How Should Your Organisation Respond to a Subject Access Request?

Once a SAR is escalated, the individual who responds will typically:

  1. Acknowledge the Request: At the earliest possible opportunity, inform the requester that their SAR has been received and that it will be handled as swiftly as possible. 
  2. Verify the Requester’s Identity & Authority: Confirm the person is entitled to the data (or that an authorised representative is acting on their behalf). The statutory deadline runs from the date that the identity/authority has been established.
  3. Clarify the Scope of the Request: Check what data, date ranges, subjects, or departments are being asked about so searches are focused and proportionate.
  4. Coordinate Searches Across Teams: Instruct IT, HR, CRM, finance, facilities, social media, and any other relevant teams to locate and preserve data and share it for review.
  5. Advise on Exemptions & Redactions: Identify in the document set any third-party data, legal professional privilege, or other exemptions that may justify redaction or refusal of parts of the request.
  6. Ensure Responses Are Well-Documented & Meet Deadlines: Keep an audit trail of decisions, searches, communications, and final disclosures so you can demonstrate compliance.
  7. Act as the Point of Contact for the Supervisory Authority: If there’s a dispute, complaint or required reporting, the responder will liaise with the regulator and the data subject.

There are no strict rules governing the format you must use when disclosing information in response to a SAR. However, it is generally expected that if, for example, the request arrives by email, your reply should be sent by email.

Can You Ask for ID?

Yes – it’s legitimate and often necessary to request evidence of identity (or authority for an authorised representative) before releasing personal data. Ask only for what’s reasonable and proportionate (for example, a copy of a photo ID and proof of address). 

How Long Do You Have to Respond to a Subject Access Request?

Organisations must respond to a Subject Access Request (SAR) within one calendar month of receipt. That one-month period starts on the day you receive the request (even if that day is a weekend or bank holiday) and ends on the corresponding calendar date in the next month. If this date falls on a weekend or public holiday, you have until the next working day.

You can extend the deadline by up to two further calendar months (three months in total) only where the request is particularly complex, or where an individual has made multiple related requests. If you plan to extend, you must tell the requester within one month of receipt and explain why the extension is necessary.

“Stop the Clock” – Identity, Clarification, & the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 (DUAA) explicitly incorporates a “stop the clock” mechanism: you may pause the SAR deadline while you wait for necessary information from the requester (for example, ID to verify identity or reasonable clarification about the scope of the request). The statutory clock then resumes when you have received the information requested. 

The Data (Use and Access) Act codified the approach already set out in the ICO’s public guidance: if you ask for ID, the one-month period normally begins only once the organisation has received the requested ID, and where the request is unclear, you may pause the clock while you wait for clarification.

Can Your Organisation Refuse a Subject Access Request?

Subject Access Requests can be refused, but only in specific circumstances. You must comply with the request unless an exemption applies, or the request is manifestly unfounded or manifestly excessive. It is important to note that these are high thresholds; refusals should be rare, carefully justified, and fully documented. 

  • “Manifestly Unfounded”: The request appears to have no genuine purpose; for example, it’s clearly malicious, made to harass the organisation, or there’s evidence that the requester doesn’t actually intend to exercise their access right.
  • “Manifestly Excessive”: The request is clearly disproportionate; for example, repeated requests made without a reasonable interval, or a request that overlaps with previous requests, may be excessive.

If you regard a request as unfounded or excessive, you can:

  • Refuse it outright, or
  • Offer to comply with a narrowed scope, documenting both the suggestion and the requester’s response.

What Should You Do if the SAR Involves Information About Other Individuals?

When a SAR touches on data that relates to other people, start by asking whether you can comply without revealing anything that would identify a third party. The ICO’s guidance is clear: where possible, you should remove or redact identifying details so you can still provide as much of the requester’s information as possible. 

If Redaction Is Possible

In many cases, the practical solution is to edit documents (names, contact details, unique identifiers) so they no longer identify the other person while preserving the substance of the data you are obliged to disclose. The ICO explicitly recognises redaction as an option where third-party information can be removed without frustrating the requester’s right of access.

If Redaction Isn't Possible

If it’s impossible to remove third-party identifiers and disclosure would identify someone else, you must consider:

  • Consent: Has the third party consented to the disclosure of their data? If yes, disclosure is generally allowed.
  • Reasonableness: If you can’t get consent, is it nevertheless reasonable to disclose the information? The ICO states that you must weigh factors such as the type of information, any duty of confidentiality owed to the third party, whether you tried to gain consent, whether the third party can consent, and any explicit refusal of consent. Use these factors to document a balanced decision.

What Must Be Done in Both Circumstances

Whatever you decide, you must reply to the requester. 

  • If you disclose third-party information, provide it securely and in the usual format. 
  • If you withhold or redact information, explain what you have withheld (or redacted), cite the legal basis (for example, the relevant exemption), and record the reasons for your decision. 

You must keep a full audit trail of searches performed, redactions made, attempts to obtain consent, and the justification for any withholding.

Can the Right of Access Be Enforced if You Are Non-Compliant?

Yes. If an organisation fails to comply with a SAR, the requester has two main routes:

Filing a Complaint With the ICO

Most requesters start by complaining to the ICO, which will normally investigate the complaint, contact the organisation for information, and attempt to resolve the matter. 

Where the ICO finds non-compliance, it can require the organisation to take steps to put things right, for example, by ordering disclosure or corrective action, and it can use a range of regulatory powers if necessary.

Court Action

The requester may also apply to the courts for a mandatory order requiring the organisation to comply with the SAR and/or seek compensation for any damage or distress caused by the non-compliance.

Creating a Data Retention Policy

A data retention policy sets out how long your organisation keeps different categories of personal data, why those retention periods are justified, and what happens to the data afterwards. A clear, sensible policy helps you stay compliant with data-protection principles, reduces legal risk, and makes operational tasks – including responding to SARs – quicker and more defensible.

Every organisation that processes personal data should have a retention policy – regardless of size or sector. Small businesses, charities, schools, recruiters, HR teams, finance departments, marketing teams, and public authorities all benefit from a documented approach. If you handle personal data at all, a retention policy is essential.

How a Data Retention Policy Helps With SARs

  • Lower Cost & Risk: Less data retained reduces the time and effort to review and redact material, and reduces breach/exposure risk.
  • Reduces Search Scope: Knowing what you routinely delete means fewer systems to search when a SAR arrives.
  • Easily Defensible Positions: If a requester asks for data that you lawfully no longer hold, you can evidence that you deleted it in line with a published policy and legal justification.

Common SAR Response Issues (& How We Can Help)

Responding to Subject Access Requests is often time-intensive and operationally disruptive. If handled poorly, it can create compliance risk under UK GDPR, such as unlawful disclosures. The common organisational weaknesses that cause those problems are simple:

  • Staff without adequate training who don’t recognise or escalate SARs, or who accidentally disclose information.
  • No templates or standard processes, so every request is handled ad hoc and inconsistently.
  • Lack of clarity about what must be provided, what may be withheld, and which exemptions apply – causing over-disclosure or unnecessary refusals.
  • No policies or SOPs for handling third-party data and document redaction, so teams spend excessive time or make avoidable mistakes.
  • No retention policy or searchable data map, so searches take far longer and produce excessive irrelevant material.

However, at Data Driven Legal, we can take the uncertainty out of Data Subject Access Request (DSAR) compliance by managing the entire process end-to-end on a fixed-fee basis.

To find out more about what we offer and how it applies to your organisation, please book a FREE meeting with one of our subject matter experts.
