Subject access requests (SARs) have become a routine part of running a growing business. And while SARs are rooted in data protection law, the reality is most staff SARs land on the desks of HR leaders and People Directors who are already stretched and trying to balance fairness, compliance and internal pressure.
This introductory guide is written for those people: HR leaders, People Directors, COOs and operational leads who suddenly find themselves responsible for ‘sorting the SAR’. You’ll learn legal and best practice tips on what a SAR really requires, how to stay calm and methodical, what’s reasonable to push back on, how to protect the business and when it’s time to call in specialist help. Most importantly, you’ll come away knowing that SARs are manageable when you approach them the right way.
This guide is a practical overview which simplifies certain areas of a highly complex legal framework. Remember - SARs are highly fact-specific and the correct approach can vary depending on the circumstances, the data involved and the wider context. So if you’re managing a SAR that feels complex, sensitive or simply too big for your team’s capacity, our expert data protection solicitors can step in quickly, helping you stay compliant, reduce risk and protect your business during moments that matter most. Get in touch to talk through your situation and understand your options.
Jump to:
- What is a subject access request, and why do businesses receive them?
- Who in the business should handle a SAR, and what does good internal process look like?
- What duties does your business have when responding to a SAR?
- Can we narrow the scope of a SAR - and how do we do it?
- What counts as “personal data” in practice?
- Searching for data: what’s required, what’s reasonable, and what is not?
- Considering redaction: how do we protect other people’s identities and sensitive information?
- When can we withhold information? Key exemptions relevant to HR and operations
- Dealing with SARs in contentious situations (e.g., grievances, disciplinaries, tribunal threats)
- How to manage deadlines - including when the one-month period can be extended
- Communicating with the requester: setting expectations and staying compliant
- Common pitfalls and how to avoid them
- When should businesses seek legal advice?
What is a subject access request, and why do businesses receive them?
A subject access request (SAR) is when an individual asks your business for the personal data you hold about them. They also have a right to confirm whether personal data is being processed about them and to receive various supplementary information required by law about that processing. The supplementary information includes information like the reasons for your processing, the categories of personal data concerned and the recipients you disclose personal data to.
Under the UK GDPR and Data Protection Act 2018, data subjects such as employees, ex-employees, candidates and even contractors have the right to access this information.
In practice, staff SARs are rarely about curiosity. They often appear when something contentious is going on in the background - e.g. a grievance, performance process, disciplinary, breakdown in trust or early rumblings of a dispute. Employees may use a SAR tactically to understand what’s been said about them, strengthen their position or simply feel more in control of a difficult situation. But whatever the motivation behind them, SARs still need to be handled correctly, as they’re governed by strict data protection law rules.
For scaling businesses, this means SARs often arise at the busiest, most sensitive moments. They can expose inconsistencies in internal communication, highlight gaps in process and strain already-fragile employee relationships, and non-compliance can result in exposure to complaints and severe penalties. That’s why HR teams should see a SAR not as a paperwork exercise but as a moment where legal, people and reputational risk converge.
The ICO provides a list of common FAQs for employers on its website.
Who in the business should handle a SAR, and what does good internal process look like?
SARs in an employment context can often sit within HR or People Operations because they intersect closely with employment issues. But handling them well requires coordination across multiple parts of the business: IT for data retrieval, line managers for context, Data Protection Officers, Privacy Managers and Legal (internal or external) for tricky judgement calls.
A smooth internal process usually includes:
- The ability to recognise a SAR - training and awareness can help your teams identify when a SAR arises, judge whether it’s valid and know how to handle it.
- A named owner - someone confident with deadlines, communication and organising internal stakeholders.
- Early triage - understanding why the SAR has been made, whether there’s a parallel dispute and which systems you’ll need to search or if any exemptions are relevant.
- Clear instructions to IT - including search terms, accounts to review and data formats you need back.
- A realistic internal timeline - because the legal deadline (usually one month) is rarely the timeline you actually need to work to internally.
- Structured review time - especially for redactions if necessary, which can take far longer than expected.
- A response process - to help track, streamline and correctly tackle requests. You can develop a policy to help you respond to requests and templates to help streamline communications.
- A documented record - showing how you handled the request and made decisions, to help evidence your accountability - especially if you refuse a SAR on legal grounds.
Many HR leaders tell us the stress comes less from the legal rules and more from the operational burden - knowing where data lives, securing internal time from busy colleagues, and making defensible judgement calls in the response process.
What duties does your business have when responding to a SAR?
At its core, responding to a SAR means giving the requester:
- A copy of their personal data and the supplementary information (remember, a SAR gives the requester the right to a copy of their personal data, not the right to copies of documents),
- Within one month of receipt (subject to limited extensions in certain cases),
- In a concise, transparent, secure and easily accessible format with clear and plain language.
But this simple description hides several judgement calls:
- What data counts as personal data? (You’ll need to make case-by-case decisions to decide if information is the requester’s personal data.)
- How far does your search need to go? (Searches need to be reasonable and proportionate and may need to involve third parties holding data on your behalf.)
- How do you balance their rights with other people’s privacy? (This can be the most time-consuming part.)
- Do any exemptions apply? (These could allow you to hold data back and can be particularly relevant in employee disputes.)
Scaling businesses often underestimate the time required because personal data isn’t neatly filed in one place - it’s in inboxes, chats, shared drives and meeting notes.
Can we narrow the scope of a SAR - and how do we do it?
You can’t force an individual to narrow the scope of their SAR - they’re entitled to ask for all their personal information. But you can ask the requester to clarify the information they want where it’s reasonable to do so, especially if their request covers large volumes of data (e.g. if the request is too vague or you hold a lot of information about the person). You cannot refuse to respond simply because the request feels inconvenient. Think of clarification as a practical tool to help focus a request rather than a defence.
Common, legitimate clarification questions include:
- “Are you looking for data from a specific time period?”
- “Are you seeking information about this particular issue or event?”
Most employees don’t actually want every piece of data your business holds. They want what’s relevant to their issue. When framed respectfully and helpfully, clarification can improve trust by showing you are taking their request seriously and reduces workload for both sides.
If you need to clarify a request, a typical approach might be:
- Acknowledge the SAR and request clarification as soon as possible.
- Explain your reasons e.g. that you hold a large amount of potentially relevant data.
- Ask reasonable and targeted clarification questions.
- Make clear that the legal deadline will be paused if the clarification request is genuinely necessary in order to respond but the clock resumes from the date you get clarification.
If the requester refuses to narrow the scope, you still need to respond, carrying out reasonable and proportionate searches across the full request.
What counts as “personal data” in practice?
This is where HR leaders often feel least confident. Personal data is any information that relates to an identified or identifiable individual - directly or indirectly. The context in which you hold that information and how you use it can influence whether it’s personal data which falls within the scope of the SAR. This could cover a range of details including identity details, contact details, recruitment information, appraisals, CCTV footage and photos, but also broader information. In real-world terms, that can include:
- Emails discussing an employee, even if they weren’t copied in.
- Slack or Teams messages between managers about performance.
- Notes from 1:1s or capability meetings.
- Recruitment notes, interview scores and feedback.
- Internal risk assessments relating to conduct or behaviour.
But - and this is where judgement matters - the context affects whether the information is the employee’s data, someone else’s, mixed data, data outside of the scope entirely or where an exemption limits disclosure.
For example:
- A manager’s opinion of an employee will usually be that employee’s personal data.
- A manager’s private notes about how to handle a disciplinary hearing may be mixed data or may be covered by exemptions.
These are the moments where specialist advice avoids accidental over-disclosure or insufficient responses.
Searching for data: what’s required, what’s reasonable, and what is not?
The law expects you to make “reasonable and proportionate” searches to find relevant personal data. It does not require you to make unreasonable or disproportionate efforts e.g. to turn the whole business upside down.
A sensible, defendable approach usually includes sources such as:
- Email accounts - use search tools to identify the individual e.g. within the inboxes of relevant managers or HR.
- HR systems - personnel files, performance records, grievance or disciplinary files.
- Messaging platforms - Teams, Slack, WhatsApp (if used for work).
- Shared drives - especially team folders related to HR or the requester’s role.
- Access-controlled documents - notes from investigations or performance meetings.
But you’ll still need to search for personal data about the data subject from all relevant sources. That’s why it’s important to prepare ahead for SARs and not leave things to the last minute. Data mapping and recording your processing activities can make it much faster and easier for you to quickly locate personal data.
What’s not generally required:
- Reopening or recreating deleted accounts which were permanently deleted as part of normal records management.
- Forensic searches of personal devices, unless the business explicitly authorised those devices to be used for work purposes and personal data of the requester is held on them. This is complex so seek legal advice.
- Searching systems you are fully confident the requester never interacted with and that do not contain any of their personal data.
A good rule of thumb: if you can articulate your search rationale clearly to demonstrate it’s reasonable and proportionate and it maps sensibly to where relevant data is likely to be, you’re usually on safe ground.
Considering redaction: how do we protect other people’s identities and sensitive information?
There’s no need to provide documents to an individual, but it can sometimes be easier for you to produce redacted documents containing their personal data. Redaction (where necessary) can be one of the most resource-heavy parts of responding to a SAR - and where mistakes carry the greatest risk. Before handing over personal data to the requester, you must review it to check whether it contains personal data about others.
You may need to redact:
- Data about other individuals such as other employees or third parties, unless they’ve consented or it’s reasonable to share the information. This is complex, so seek legal advice on this.
- Legally sensitive information - such as internal legal advice that may be privileged.
- Confidential business information where it’s not personal data and completely outside of the scope of the SAR request.
Redaction isn’t about hiding embarrassing communication (even though people sometimes wish it were). It’s about ensuring you don’t infringe someone else’s privacy rights while complying with the requester’s.
The hardest scenarios can involve “mixed data” - for example, where a manager’s email contains both a description of an employee’s performance (the requester’s data) and personal data and comments about a different colleague (someone else’s data). In these cases, you must balance competing rights, and it’s common - and often wise - to seek legal advice.
When can we withhold information? Key exemptions relevant to HR and operations
Exemptions are where SARs move from administrative to genuinely legal. They’re limited but powerful - and misapplying them can undermine trust and create legal risk.
Commonly relevant exemptions include:
- Management forecasting or planning - for example, where disclosure would likely prejudice the conduct of the business, such as revealing planned redundancies or succession decisions.
- Negotiations - such as internal discussions about settlement terms where disclosure would prejudice the negotiation (though in practice this exemption is narrow).
- Legally privileged material - including advice from solicitors about grievances, disciplinaries or litigation risk.
- Confidential references - written or given in confidence for employment purposes.
- Crime and regulatory exemptions - may be relevant where allegations of misconduct or fraud are under investigation.
The challenge is that exemptions must be applied narrowly and on a case-by-case basis. You can’t withhold information simply because it paints the business in a difficult light, or because the requester might use it against you - which is often exactly what stakeholders fear.
If your SAR touches on discrimination allegations, whistleblowing, financial irregularities or ongoing tribunal claims, specialist advice becomes essential.
Dealing with SARs in contentious situations (e.g., grievances, disciplinaries, tribunal threats)
SARs often appear when employee relations are already strained. Sometimes they’re used tactically - as a fishing exercise, to test the business’ preparedness, uncover inconsistencies or build leverage ahead of a claim.
When the relationship is fragile, your SAR response becomes more than a compliance exercise. It can influence how the dispute unfolds and a bad response can further aggravate an unhappy employee.
Despite their employment situation, your SAR obligations under data protection laws still apply. A SAR response that’s rushed, incomplete, incorrect or ignored can escalate matters and could lead to more problems such as complaints and regulatory penalties.
Good practice in contentious scenarios includes:
- Separating the SAR process from the employment process - even if the same people are involved.
- Maintaining neutrality - avoid defensive commentary in emails or cover letters that could be misinterpreted.
- Ensuring compliance - particularly when distinguishing the disclosure of documents in employment tribunal proceedings from the provision of personal data in a SAR response.
- Documenting your decisions - especially around redaction, scope and exemptions.
If the dispute may lead to litigation and an element involves a SAR, involve both employment and data protection solicitors early, not only to protect privilege but to ensure your SAR response doesn’t inadvertently weaken your defence.
How to manage deadlines - including when the one-month period can be extended
The legal starting point is straightforward: you must respond without undue delay and at the latest within one month of receiving the SAR. Where you reasonably need further information first, the month runs from receipt of that information - for example, proof of identity, confirmation that a third party is authorised to act on behalf of the requester, or a fee (if you’re permitted to charge one in rare situations). But there are practical nuances:
- Clarification can pause the clock - but only if the request is unclear and you genuinely need clarity to proceed.
- You can extend by two further months for complex or multiple rights requests, provided you tell the requester within the first month and explain the reasons for the extension.
- Business closures don’t stop the timeline - so internal planning matters.
Most HR teams underestimate how much time redaction absorbs. In large organisations, reviewing even one manager’s email history can take days. That’s why early triage - and honest internal communication - is essential.
Communicating with the requester: setting expectations and staying compliant
Clear, helpful communication is often what keeps a SAR from spiralling. Your goal is to show the requester you’re taking their rights seriously while managing expectations about timescales and process.
Your communications should:
- Acknowledge promptly - ideally as soon as possible.
- Clarify scope - politely, and only where reasonable.
- Avoid emotional language - especially in contentious contexts.
- Explain the next steps - including when they can expect updates.
- Be careful - assume your response could later be challenged.
Even when things are tense, keep the tone factual and professional. You’re not trying to ‘win’ the communication; you’re trying to demonstrate compliance and fairness.
Common pitfalls and how to avoid them
If you ask HR leaders what makes SARs stressful, the same themes appear again and again. The good news? They’re predictable - and may be preventable.
Typical pitfalls include:
- Under-scoping searches - missing folders, shared drives or informal messaging channels.
- Over-scoping searches - drowning yourself in irrelevant data because you didn’t clarify early.
- Inadequate redaction - especially where multiple people’s data appears in the same email chain.
- Not documenting decisions - making it harder to justify your approach if challenged later.
- Letting internal politics skew judgement - particularly when line managers are anxious about what might be disclosed.
- Missing legally privileged content - risking disclosure of strategic advice.
- Forgetting data stored outside central systems - like screenshots, downloads or archived investigation notes.
The businesses that handle SARs well typically have a repeatable workflow, a calm internal lead and early access to legal advice when a SAR crosses into complex territory.
When should businesses seek legal advice?
Some SARs are simple. Many are not. A good rule is: if you feel even a flicker of doubt about whether you should push back on the request, or whether you might disclose too much or too little, that’s a sign to get help.
Typical triggers for seeking solicitor support include:
- High-volume SARs - involving multiple custodians, historic data or large email datasets.
- Contentious matters - e.g. where a SAR is made against the background of grievances, disciplinaries, whistleblowing or discrimination allegations.
- Mixed personal data - where competing privacy rights are difficult to balance.
- Legally privileged material - including advice about the dispute, dismissal strategy or tribunal risk.
- Senior employees - where reputational stakes are higher and communications are more complex.
- Requests made alongside litigation threats - where disclosure strategy needs careful review and alignment.
- Understanding when you can refuse a request - in limited cases, you may be able to refuse the SAR altogether (e.g. if the request is manifestly unfounded or excessive).
A well-handled SAR can defuse tension, strengthen trust and demonstrate that your business takes people’s data protection rights seriously. But SARs can also become overwhelming - especially when they collide with employee relations challenges, tight deadlines or complex judgement calls about redaction and exemptions.
With a structured approach, clear communication and a steady hand, you can manage SARs more confidently. And when you’re facing a high-risk, high-volume or contentious request, getting early legal input can save significant time, cost and stress.