Responding to a Subject Access Request (SAR)

Responding to a Subject Access Request (SAR)

'I’ve received a subject access request. What should I do?'

A subject access request (SAR) is a request made by an individual to access their personal information held by an organisation. The individual is entitled to do so under UK GDPR. 

A SAR can be made to any person or function at your organisation and there’s no need for the data subject to explain why they want it. Responding to a SAR can take up a lot of time and resources and in most cases, must be responded to free of charge.

Having a suitable process in place can help keep your customers happy, while ensuring your business is compliant with UK GDPR.

What shall I do first?

  • Be able to identify a SAR – A SAR can be made orally or in writing to any person in an organisation. There’s no need for the individual (data subject) to make a request in writing. It’s as simple as saying 'I want all information that you have on me since I began work'.
  • Identify the data subject – You have one month to respond once you have confirmed their identity. This can be extended for a further two months if the SAR is complex, or you have received many requests from the data subject.
  • Forward the request – Immediately forward the SAR to the right department to deal with.

Triage

Once a SAR is made, it needs to be immediately forwarded to the correct department. Our data protection solicitors can help organisations evaluate whether the request is valid or whether any statutory exemption applies. Should it be a valid request, as time is of the essence, we will help provide a strategy of next steps.

Strategy

We will help develop an effective strategy once we have identified the specifics of the SAR.

Strategy requires teamwork. Below are just a few of the questions we may ask, overall, these would be dependent on the SAR itself – once we have the answers, we will take care of the response whether it’s to provide the information or reject the request.

  • Who sent the SAR? What’s their relationship with the organisation? Is it an employee or client?
  • Are they who they say they are?
  • What’s the backstory? Are there any personnel or client files we need to review?
  • Why do you think this SAR has been prompted? Has there been any initial or previous complaints? Was the complaint well-founded? Is there an investigation record of the complaint?
  • Any technical hurdles to think about? Will IT be able to conduct a search of words? How long will the discovery stage take? Do we need to ask the data subject for more time prior to the one-month time limit ending?
  • Do you have the time and resources to deal with this? Do we need access to your systems?

Remember, to find the right strategy, you and your data protection solicitor must exchange information until you are able to respond to the SAR. We will do whatever possible to be able to establish a road map to a response, including search terms and redaction of confidential and personal data prior to the information being sent to the data subject.

The response to the data subject

Our next steps will be to assess whether a response is permitted in the first instance. If it’s not, we will assist in drafting an appropriate response for you. If the SAR is valid, then we will assess thoroughly all the information available, including whether anything needs redacting prior to confirming that the information is ready to be sent to the data subject. Our strategy will be bespoke and one that is tailored to your needs.

Some key points to consider

  • Nominate a person responsible for dealing with SARs
  • Educate your staff to recognise when a SAR is being made
  • Deal with SARs promptly
  • Implement measures to deal with these requests swiftly
  • Move away from paper files and towards computer-based systems to allow for easy searches
  • Draft a SAR procedure that staff can follow
  • Consider when and whether exemptions apply (We can help you with this. Schedules 2 and 3 of the DPA 2018)
  • Maintain SAR records for compliance
  • If you are not a data protection expert, seek advice!

The ICO may take necessary enforcement action against a controller or processor if they fail to comply with data protection legislation.

If your business has received a subject access request and requires assistance, our expert data protection team are ready to help with pragmatic advice on SARs and any related GDPR matters. You may also like to see our article answering common questions: What is a subject access request?



What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no-obligation to instruct us. We aim to respond to all messages received within 24 hours.

Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.

Our offices

A national law firm

A national law firm

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Head Office

Floor 5, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Regional Spaces

Capital Tower Business Centre, 3rd Floor, Capital Tower, Greyfriars Road, Cardiff, CF10 3AG
Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
10 Fitzroy Square, London, W1T 5HP
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
1st Floor, Dearing House, 1 Young St, Sheffield, S1 4UP
White Building Studios, 1-4 Cumberland Place, Southampton, SO15 2NP
A national law firm

To access legal support from just £145 per hour arrange your no-obligation initial consultation to discuss your business requirements.

Make an enquiry