Understanding how to handle a Data Subject Access Request (SAR) is a legal and operational necessity for any organisation processing personal data. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, individuals have the right to request access to their personal data and organisations must respond lawfully, thoroughly, and within set timeframes.

Whether you’re responding to a simple request or navigating more complex scenarios involving exemptions or redactions, getting it wrong can expose your business to legal and reputational risk.

This guide is designed to help you recognise and respond to SARs confidently and compliantly. It explains your legal obligations as a data controller, the rights of individuals making a request, how to verify identity, manage exemptions, and ensure any response you issue is clear, secure, and legally sound. With practical steps and expert insights, we’ll help you embed good practice and minimise risk when handling SARs across your organisation.

John Warchus

Partner | Commercial

1. Legal obligation – UK GDPR and DPA 2018, including individual’s rights

Under UK law, specifically the UK General Data Protection Regulation (UK GDPR), individuals have various rights relating to their personal data, including but not limited to the right of subject access under Article 15 and recital 63 of the UK GDPR. In practice, this means that an individual has the right to request copies of any of their personal data (and supplementary information) that another individual or organisation holds about them, where that individual or organisation is a data controller. This is known as a Subject Access Request (SAR).

The UK GDPR defines a controller as: “A natural or legal person, public authority, agency, or other body operating alone or jointly with others to determine the reasons to collect and process personal data.” This means an individual or a company can be a data controller. Controllers exercise overall control of the personal data being processed and are ultimately in charge of, and responsible for, the processing.

This guide focuses on how organisations should handle and prepare for an SAR.

Organisations cannot plead ignorance when it comes to SARs. It is important that they know: how to recognise a SAR, how long they have to respond to one, what exemptions they can rely on, how to respond properly, and what they can do within the business to handle any SAR it receives correctly.

Top tip: read this guide and use Section 8 as a checklist for your organisation’s SAR compliance and preparedness.

What information are individuals entitled to under Article 15?

Individuals have the right to:

  • Obtain confirmation from the controller that it is processing their personal data.
  • Access their processed personal data, including receiving a copy on request (unless providing a copy adversely affects the rights and freedoms of others).
  • Obtain certain information about the controller’s processing including:
    • purposes of data processing;
    • categories of personal data processed;
    • recipients or categories of recipients who receive personal data from the controller;
    • how long the controller stores the personal data, or the criteria the controller uses to determine retention periods;
    • information on the personal data’s source if the controller does not collect it directly from the individual;
    • information on the safeguards used to secure cross-border data transfers, if applicable; and
    • whether the controller uses automated decision-making, including profiling, the auto-decision logic used, and the consequences of this processing for the individual.

There are limitations on SARs and what is inside and outside the scope of one. Organisations should be aware of the following:

  • Full documents – An SAR isn’t a right to documentation. Just because an individual’s name appears in an email, report or letter doesn’t mean they’re entitled to the whole document.
  • Anonymised data – If personal identifiers of an individual have been removed from a dataset, and it’s truly anonymised, it no longer falls under the scope of data protection law and does not need to be provided under an SAR.
  • ‘Loose’ notes – Personal data which is not part (or intended to be part) of a structured filing system is not in scope. For example, handwritten notes about an individual in a personal notepad, where there is no intention to formally file those notes, would not need to be included.


2. Identifying a SAR

An individual can make an SAR either verbally or in writing (by letter, email or even social media). There is no specific form that an individual must use, or terms they must include in their request, for it to be valid, i.e., they do not have to refer to the UK GDPR or even use the phrase ‘subject access request’. An organisation may choose to provide a standard form that individuals can fill out to submit an SAR; however, this does not mean that a SAR submitted without using the form is invalid, and this needs to be made clear to individuals.

The individual only needs to make it clear that it is their own personal data they are asking for (or the personal data of a specified individual, if they are requesting it on behalf of another person). Before responding, you must be satisfied that the individual making the request is the individual whose personal data you are holding. An organisation may request identification from the individual to confirm their identity before disclosing any personal data.

An individual may ask a third party (e.g. a family member or solicitor) to make a SAR on their behalf. Before responding, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of their authority; this can be done by the individual providing a letter confirming that the third party has permission to make the SAR on their behalf. If there is no evidence that a third party is authorised to act on behalf of an individual, you are not required to comply with the SAR. However, you should still respond to them explaining this.

Top tip: Have a clear and easily found page on your company website with your SAR policy and a standard SAR form for data subjects to use.

3. Response times

You must comply with a SAR without undue delay and at the latest within one month of validating the individual’s identity. You can extend the time to respond by a further two months if the request is complex, e.g. there are technical difficulties retrieving the information or you need to seek legal advice, or if you have received a number of requests from the individual.

If you need to seek clarification on the SAR, e.g. because you hold a large amount of information on the individual, you may ask the individual for that clarification, and the clock for responding to the SAR is paused until you receive it.

Top tip: Once you have received an SAR, set regular calendar reminders of the deadline and keep it updated following any pauses or extensions.


4. Refusal and Exemptions

You need to make reasonable efforts to find and retrieve the requested information; however, there are several exemptions or valid reasons for refusal that can be relied on. SARs can be refused in whole or in part.

Where an exemption applies, you may be required to apply it, but depending on the circumstances you may choose to disregard it. Blanket exemptions should not be applied; each exemption needs to be properly considered in light of the specific circumstances of the SAR. When relying on an exemption, you need to document the reasons for refusal and be able to justify your reliance on that exemption.

Exemption examples:

  • Legal professional privilege, e.g. a solicitor’s internal notes about legal strategy in an ongoing employment tribunal case involving the requester. These notes are protected and do not need to be disclosed.
  • Crime and taxation, e.g. HMRC holds data on a person suspected of tax evasion. Disclosing this information could prejudice an ongoing investigation, so it may be withheld.
  • Health, education and social work, e.g. a social worker’s report includes sensitive information about a child’s welfare. Disclosure could cause serious harm to the child or another individual, so redaction or refusal may be justified.
  • Exam scripts and exam marks, e.g. a university student requests a copy of their handwritten exam script. The script itself is exempt, but the student is entitled to receive their marks and any examiner comments.

A full list of exemptions to complying with an SAR can be found on the ICO’s website.

You can refuse to comply with an SAR if it is either manifestly unfounded, i.e., the individual has malicious intent or has submitted the SAR in order to harass the controller, or manifestly excessive, i.e., the request is disproportionate to the burden and cost to the controller of complying with it. The nature of your relationship with the individual and the circumstances that may have prompted their SAR can add complexity to processing it. While understanding the context is important, it is essential to maintain the right balance: unless the request is clearly vexatious, an individual’s motive should not influence the upholding of their rights.

5. The obligation to search for requested information

Organisations need to make reasonable efforts to find and retrieve the information requested by the individual; however, they are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.

Example

An ex-employee submits a SAR requesting “all personal data ever held about me” during their 20-year employment at a large multinational corporation. This includes every email they were copied on, every internal message mentioning their name, and all documents they may have contributed to or been referenced in.

This request would be disproportionate as:

  • The request would require searching through millions of emails and files across multiple systems, departments, and archived backups.
  • Many of the documents would contain personal data of other individuals, requiring extensive redaction.
  • The cost and time involved in reviewing, redacting, and compiling the data would be substantial.
  • The individual has not specified any particular time frame, topic, or type of data, making the request overly broad and unfocused.

Top tip: Involve your IT department early to locate data efficiently, especially if you are a large organisation.

Once you have found the information requested, there are still other considerations you need to take into account before responding to the SAR. These include (but are not limited to):

  • Protecting the privacy of others;
  • Protecting the intellectual property of your business;
  • Maintaining confidentiality;
  • Potential conflict with other legal obligations; and
  • Avoiding over-redaction.

6. Form of response – including refusing a request

Any response provided to an individual needs to be concise, clear, written in plain language and easily accessible, including in writing.

In your response you must inform the individual that they have:

  • the right to request rectification or erasure of personal data;
  • the right to restrict or object to certain types of personal data processing; and
  • the right to make a complaint with the Information Commissioner.

Any information that you do disclose should be disclosed securely, e.g., in encrypted form, with the password sent separately through a different channel. The level of security required will depend on the nature and sensitivity of the information, for example if it is special category, medical or criminal offence data.

If you refuse (for any reason) to comply with a SAR (in whole or part), in your response you must inform the individual of:

  • the reasons why;
  • their right to make a complaint to the ICO or another supervisory authority; and
  • their ability to seek to enforce this right through the courts.

Copies of personal data must be provided free of charge; however, a reasonable fee (based on administrative costs) may be charged where further copies are requested by the individual. Additionally, where a SAR is manifestly excessive or unfounded, the controller may charge a reasonable fee to provide the information. This fee must also reflect the administrative costs of complying with the request, such as locating, reviewing, and redacting the data.

Top tip: Have a standard response template for all SARs that can be tailored, to ensure consistency across your organisation.


7. Redacting third party information

Under the Data Protection Act 2018, there is an exemption that allows you to withhold information in response to a Subject Access Request (SAR) if providing it would reveal the identity of another individual. This exemption applies unless:

  • the other individual has given their consent to the disclosure; or
  • it is reasonable to provide the information without that individual’s consent.

While it may be permissible in some cases to disclose information about a third party, you must assess whether doing so is appropriate in each situation. This involves balancing the requesting individual’s right of access with the third party’s right to privacy regarding their own personal data.

If the third party has given consent, withholding the information is generally not justifiable. If no consent has been given, you must then decide whether disclosure is still reasonable.

Questions to consider in this scenario are:

  • Can the information be removed or redacted?
  • Is the information sensitive?
  • Is it fairly innocuous and reasonable to disclose without consent?
  • Is there a duty of confidence?

When making this decision, you should consider whether a duty of confidentiality exists. Such a duty typically arises when someone shares genuinely confidential information, meaning information that is not publicly available, with the expectation that it will be kept private. This expectation can be based on:

  • the nature and context of the information, such as revealing that the third party is under investigation;
  • the existence of a relevant non-disclosure agreement; or
  • the relationship between the parties, such as a doctor–patient relationship, which usually carries an inherent duty of confidence.

If the third party has not consented and you conclude that disclosure is not reasonable, you must withhold the identifiable information. However, you are still required to provide as much of the requested data as possible, excluding or redacting details that would identify the third party. Depending on the context, redaction may allow you to release some of the information without breaching anyone’s privacy.

8. What steps do you need to take to prepare for an SAR?

At an organisational level, it’s important to put safeguards in place to reduce the risk of human error when handling SARs. For example:

  • Implement robust systems to record and track SARs;
  • Ensure staff responsible for handling requests are properly trained; and
  • Establish procedures to verify email or postal addresses before sending responses.

To help you prepare effectively for handling SARs, consider the following (non-exhaustive) measures:

  1. Awareness – Make information available to individuals about how to submit a SAR, such as on your website, in privacy notices, or through printed materials.
  2. Staff Training – Provide general training to all employees so they can recognise a SAR. Offer more in-depth training to relevant staff, depending on their role, to ensure proper handling of requests.
  3. Internal Guidance – Create a dedicated intranet page for staff with resources, including links to SAR policies and procedures.
  4. Designated SAR Handling Team – Appoint a specific individual or central team responsible for managing SARs. Ensure more than one person is trained to handle requests to provide cover during absences.
  5. Personal Data Registers – Maintain up-to-date records that detail where and how personal data is stored, especially as most data will be held in IT systems. These speed up the process of locating the data needed to respond to SARs.
  6. Standard Checklists – Develop a checklist that staff can follow to ensure a consistent and compliant approach to handling requests.
  7. SAR Logging – Keep a log of all SARs received to monitor progress. This log can include copies of information disclosed, any redacted or withheld material, and the reasons for non-disclosure.
  8. Retention and Deletion Policies – Document your data retention and deletion policies. This ensures personal data isn’t held longer than necessary, which in turn limits the volume of data you may need to review for a SAR.
  9. Secure Data Transmission – Put security measures in place to protect personal data when sending it, such as using trusted couriers, verifying recipient email addresses, and reviewing all responses before sending.
  10. Records Management – Strong records management practices support SAR handling; these include a well-organised file structure and standardised naming conventions for electronic documents.
  11. Technology – Specialist tools are available that help reduce the time and cost of identifying personal data held on an individual and of making any redactions that might be needed to protect third parties.

These preparations help ensure SARs are handled efficiently, consistently, and in compliance with data protection requirements.

9. What MB can do to help

We offer support in handling SARs, including assistance with preparing compliant responses, whether fulfilling the request or issuing a lawful refusal. We can also help develop a tailored SAR policy for your organisation.

Beyond SARs, our expert team provides advice on the full range of data protection issues to ensure that you comply with data protection and privacy regulations, including:

  • privacy policies and notices;
  • data processing agreements;
  • supplier agreements and subcontracting dealing with personal data;
  • agreements to transfer personal data outside of the UK/EU;
  • data breach reporting and minimising reputational damage;
  • personal data and marketing communications;
  • data protection audits; and
  • training and webinars.
