A Subject Access Request (SAR) allows anyone whose personal data you hold (whether they are employees, customers, or others) to request access to a copy of their personal data, as well as information about how it's processed. These requests can come to any part of your organisation, and the person doesn't need to tell you why they want their data – that's their right.
While you’ll need to provide this information free of charge in most cases, you can charge a reasonable fee to cover your administrative costs if the request is manifestly unfounded or excessive, or if additional copies of the data are explicitly requested. Even so, handling SARs can take considerable time and effort.
Getting the right process in place will help you meet those strict UK GDPR deadlines and avoid individuals escalating the matter by complaining to the Information Commissioner’s Office (ICO). If you're looking for support, our data protection solicitors are here to help you handle SARs correctly and efficiently.
What should you do first?
As a first step, you should act fast to:
- Recognise, log and action the SAR: Requests can be made orally, in writing, or electronically e.g. via social media - it could be as simple as someone saying, "I want all the information you have on me since I started." Train all staff to identify these priority requests and establish clear processes for immediate escalation to the appropriate teams or individuals. As soon as you receive a SAR, make sure you record the date you receive it as it will help you track and meet the response deadlines.
- Check identity: Verify the identity of the requester to ensure the data is shared securely with the correct person. The verification process must be proportionate and must not delay your response unnecessarily. Remember that it’s possible to make a SAR on behalf of someone else, but you’ll need evidence of the representative’s authority.
- Note the timelines: You must respond without undue delay and at the latest within one month of receipt of the request. You can extend this period by up to a further two months if the request is complex or if you’ve received multiple requests from the individual. Within one month of receiving the request, notify the individual of the extension and explain why more time is needed.
Triage
Before responding to a SAR, consider:
- Who made the request? Identify whether it's from an employee, client, or another party.
- What's the backstory? Review relevant files for context.
- Is the request clear enough? If you process a large amount of information about the individual and require clarification to locate the data, you can ask them to specify the information or processing activities their request relates to. In this case, the clock is paused until you receive clarification, but only if the clarification is genuinely necessary.
- What are the technical implications? Assess whether your IT team can conduct the necessary searches within the timeframe. You’ll need to carefully check all relevant databases and systems for personal data linked to the request, including your HR records and emails where the requester is an employee.
Response
When responding, ensure you:
- Provide the correct information: Securely supply the requested data in a clear, accessible format, along with supplementary information about the relevant:
  - Processing purposes
  - Data categories
  - Recipients or recipient categories
  - Retention period or criteria
  - Data source (if not obtained directly)
  - Individual's rights (rectification, erasure, restriction)
  - Details about automated decision-making or profiling
- Exemptions: Evaluate any exemptions that could apply (e.g. legally privileged data) and handle any third-party data appropriately (e.g. consider whether replying to the request would identify any other individuals).
Strategy
To manage SARs efficiently, put these measures in place:
- Assign responsibility: Nominate a person or team to oversee the SAR process.
- Implement efficient processes: Create digital systems for quick data searches and streamlined handling.
- Draft clear SAR response procedures: Create a robust procedure for responding to SARs that all relevant teams can easily follow.
- Train your staff: Provide ongoing training about recognising SARs, quickly escalating them to the right teams, and updates to data protection laws and ICO guidance.
- Evaluate exemptions: Understand when and why you might refuse a request (e.g. if it is excessive or manifestly unfounded). If you refuse one, record your justification carefully and inform the requester without undue delay and at the latest within one month of receipt. Explain their right to complain to the ICO and to enforce their rights.
- Maintain records: Keep detailed documentation to demonstrate compliance.
The ICO can take enforcement action against organisations that don't comply with data protection laws. If you need support handling a SAR, our expert data protection law team can provide practical advice on both SARs and wider UK GDPR matters. For more detailed guidance, including what counts as personal data and specific response timelines, see our comprehensive guide to subject access requests.