Subject Access Requests

In the UK, individuals have the right to access the personal data that organisations hold about them. This right is a cornerstone of data protection legislation, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The mechanism through which individuals exercise this right is known as a Subject Access Request (SAR).

A Subject Access Request is a written request made by an individual (or an authorised representative) to an organisation, asking for access to the personal data that the organisation holds about them. This is not limited to data held in electronic form; it applies to structured paper records as well.

The Importance of SARs

Empowering Individuals: SARs empower individuals by giving them the right to know what personal data is held about them, how it is being processed, and for what purposes. This transparency is essential for individuals to exercise their privacy rights effectively.

Legal Compliance: Handling SARs appropriately is a legal obligation for organisations under UK data protection law. Failure to comply can result in substantial fines and damage to an organisation’s reputation.

Building Trust: By responding to SARs promptly and thoroughly, organisations can build and maintain trust with their customers, employees, and stakeholders.

Responding to SARs: Best Practices

Acknowledge Receipt: It’s good practice to acknowledge receipt of the SAR as soon as possible, even if you need to verify the requester’s identity before proceeding.

Verify Identity: Before processing the SAR, ensure that the requester is who they claim to be, especially if the request is made by an authorised representative.

Understand the Request: Clarify the scope of the request if necessary. Remember, the individual has the right to access their data, not necessarily all documents that mention them.

Act Promptly: Under GDPR, organisations have one month to respond to a SAR. This deadline can be extended by two additional months for complex requests, but the requester must be informed within the first month.

Provide Data in an Accessible Format: The information should be provided in a commonly used electronic format, unless the requester specifies otherwise.

Exemptions and Redactions: Be aware of any exemptions that may apply, and ensure that third-party data is redacted or anonymised to protect the privacy of others.

Handling Charges

As a general rule, organisations cannot charge a fee for responding to a SAR. However, if the request is ‘manifestly unfounded or excessive’, particularly if it is repetitive, a reasonable fee can be charged based on the administrative cost of providing the information.

Subject Access Requests are a fundamental aspect of data protection in the UK, reflecting the importance of transparency and individual rights in the digital age. By understanding and respecting these requests, organisations not only comply with the law but also demonstrate their commitment to privacy and trustworthiness. Handling SARs efficiently and effectively should be a key component of any organisation’s data protection strategy.

Get in touch to discuss this in more detail.

Liz Burley