In an age where personal data is collected, stored and processed more than ever before, individuals are increasingly aware of their legal rights when it comes to accessing their own data.
A data subject access request (commonly referred to as a SAR or DSAR) is one of the key rights available under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This right allows individuals to request access to the personal data that an organisation holds about them. For businesses, correctly managing and responding to data subject access requests is critical to ensuring compliance and maintaining trust with customers, employees and other stakeholders.
Understanding a data subject access request
A data subject access request is a formal request made by an individual to obtain a copy of the personal data that a company or organisation holds about them. This can include data stored in paper files, emails, databases, CCTV footage, and more. The request may also seek information about how the data is being used, who it is shared with, and the organisation’s lawful basis for processing it.
Anyone can submit a SAR in relation to their own personal data, whether they are a customer, employee, former employee, or simply a member of the public. Requests can be made in writing or verbally, and they do not need to mention the UK GDPR or use any specific language. Once a request is received, the organisation has one calendar month to respond, although this may be extended in complex cases.
What information must be provided in response?
When responding to a data subject access request, businesses are required to provide:
- Confirmation that the individual’s data is being processed
- A copy of the personal data itself
- Details such as the purposes of the processing, categories of data processed, data retention periods, and more
- Information on the individual’s rights regarding that data
The data must be provided in a clear and accessible format, and where possible, organisations should offer the information electronically. Businesses should take care not to disclose personal data relating to other individuals unless appropriate consent has been obtained or it is reasonable to do so under the circumstances.
Exemptions and limitations
While individuals have the right to access their personal data, there are certain exemptions under the Data Protection Act 2018 which may permit an organisation to withhold some or all of the requested information. For example, data may be withheld if:
- It includes personal data of other individuals
- It relates to management planning (e.g. redundancy discussions)
- It is covered by legal professional privilege
- Disclosure would prejudice negotiations with the individual
Organisations must carefully assess each request, identify whether any exemptions apply, and document their reasoning if data is withheld. Failure to comply with the rules around SARs could result in enforcement action by the Information Commissioner’s Office (ICO) or reputational damage. Note that the position on exemptions has been modified by the recent Data Use and Access Act 2025.
Responding to a subject access request
Handling a data subject access request appropriately requires a structured and well-documented approach. Here are some key steps organisations should take:
- Verify the request: Ensure the request comes from the data subject and confirm their identity if needed.
- Acknowledge receipt: Inform the individual you have received their request and the anticipated date of response.
- Locate the data: Search internal systems and databases for all relevant personal data.
- Review and redact: Carefully examine the data for any third-party references or sensitive information that must be redacted.
- Respond within the timeframe: Provide the requested information within one calendar month, or explain any necessary extensions.
A clear internal SAR policy can help teams consistently respond to requests while ensuring that legal obligations are met. Businesses may also consider designating a data protection officer (DPO) or specific team to coordinate data protection matters, including SARs.
Organisational responsibilities and best practices
Every UK organisation that processes personal data has a legal duty to comply with the principles of UK GDPR, including the right of access. To reduce the risk of non-compliance, organisations should:
- Train staff regularly on how to recognise and handle SARs
- Maintain clear and accessible SAR procedures
- Implement appropriate data mapping to identify where personal data is stored
- Invest in systems or tools that help locate and manage data requests efficiently
- Maintain a record of all SARs received and how they were handled
Being proactive in your data protection practices not only helps ensure compliance with legal requirements but also builds trust with customers, employees and partners.
Subject access requests from employees
One of the more common scenarios for SARs involves current or former employees. These requests are often made as part of a dispute, grievance or employment tribunal claim. Employers need to be especially careful in these situations, as the risk of accidental disclosure or mismanagement may be higher. It is essential to distinguish between personal data and non-relevant business data, and to provide the former in a clear format, redacted where necessary.
What happens if you fail to respond to a SAR?
Failing to comply with a data subject access request can lead to significant consequences. Individuals can lodge a complaint with the ICO, and in some cases, the regulator may issue fines or enforcement notices. Additionally, the data subject may have the right to seek compensation if they suffer damage as a result of non-compliance.
A robust approach to handling SARs, supported by legal advice when needed, is the best way to avoid costly mistakes and foster a culture of transparency and accountability.
How Moore Barlow can help
At Moore Barlow, our experienced data protection and privacy solicitors offer practical, strategic advice to businesses of all sizes on handling data subject access requests. Whether you need support managing complex SARs, creating internal policies, or responding to employee-related requests, we are here to help.
Our team provides clear guidance aligned with UK GDPR and best practice, supporting your organisation in meeting its legal obligations while protecting your reputation and resources.
Contact us
If you would like advice on data subject access requests or any aspect of data protection compliance, please get in touch with our commercial and technology law team. You can contact us by phone or complete our enquiry form, and one of our experts will be in touch shortly.

