How SMEs Can Handle Subject Access Requests (SARs) Effectively
Written by Data Protection People
Learn why SARs are challenging for SMEs and the practical steps to manage requests effectively and stay compliant.
Under UK GDPR, individuals have the right to request access to the personal data an organisation holds about them. Known as Subject Access Requests (SARs), these requests must be responded to within 30 days. Responding correctly requires more than simply locating and sending data. For SMEs without dedicated data protection support, SARs can be one of the most time-consuming and high-risk compliance obligations they face.
In this article, we cover why SARs are challenging for SMEs, how the right SAR support can make a difference and how data protection specialists like Data Protection People can help.
Why Are SARs Challenging for SMEs to Handle?
SARs are particularly challenging for SMEs without a dedicated data protection team for several reasons:
- Limited resources mean handling a SAR can be time-consuming, requiring significant staff effort to locate and review data, especially when it’s spread across multiple systems.
- Understanding what falls within scope can be challenging, especially when requests are broad or unclear.
- Applying appropriate redactions to protect third-party rights while providing a complete response requires careful consideration.
- Many SMEs lack standard procedures or templates for handling SARs, leading to inconsistent and inefficient responses.
How Can SMEs Manage SARs Effectively?
Assign Responsibility and Train Staff
Designate a member of staff to manage SARs, whether an internal Data Protection Officer (DPO) or a nominated individual. Ensure employees receive SAR training so they can recognise requests and escalate them promptly.
Consider outsourcing your DPO function to data protection specialists such as Data Protection People. Our outsourced DPO service ensures you have expert support to handle SARs compliantly, along with ongoing data protection support and targeted training to help your team understand when and how to escalate requests.
Implement a Clear Procedure
A clear SAR procedure should outline how requests are received, logged, verified, tracked and closed. It should include the criteria for extensions and the escalation procedure for complex or high-volume cases.
We support SMEs by establishing these procedures, creating templates for consistency and advising on data mapping strategies to locate information efficiently. This transforms SAR handling from a reactive task into a structured, repeatable workflow. We also ensure full documentation is maintained throughout, recording all actions, decisions and communications to provide a complete audit trail.
Define the Scope
Before starting any data search, it’s essential to define what the request covers and which personal data falls within scope, particularly where third-party data or sensitive information is involved. Doing this first makes the search more efficient and reduces the risk of over- or under-disclosure.
At Data Protection People, we supported an organisation handling a SAR from a long-serving former employee, where the volume of emails and records raised concerns about meeting the deadline. We helped narrow the scope appropriately, clarifying that not all internal correspondence falls within scope. By helping the client interpret the scope, we significantly reduced the workload while maintaining compliance with UK GDPR.
Redact and Prepare Responses
Where third-party personal data is included, redactions must be applied with clear legal justification. Responses must be clear and GDPR-compliant, with any withheld information explained and the legal basis for withholding it explicitly stated.
These situations can be particularly challenging. For example, housing providers may receive SARs from tenants requesting CCTV footage or information relating to complaints made against them. Even where the visible personal data of others has been redacted, contextual elements, such as camera positioning, may still allow those individuals to be identified.
We support organisations in assessing whether disclosure is appropriate, advising on the limitations of redaction and ensuring the final response is compliant.
Expert SAR Support for SMEs
For SMEs without dedicated data protection resources, having the right support in place is not just a compliance measure; it’s a necessity.
If your business is struggling with SAR management or wants to implement stronger processes, get in touch to find out how Data Protection People can help.