Subject Access Request: How to deal with a SAR
Learn how to handle Subject Access Requests (SARs) effectively with this step-by-step guide. Stay compliant with UK GDPR, avoid ICO penalties, and prepare your organisation for a surge in SARs this summer.

Subject Access Requests: Prepare Now for the Summer Spike Amid Data Breach Fears
Recent cyber incidents involving major UK retailers and service providers have reignited public concern about how personal information is stored and used. As data breaches dominate the headlines, individuals are becoming more proactive about protecting their privacy, and one of the most powerful tools available to them is the Subject Access Request (SAR).
At Data Protection People, we anticipate a significant increase in SARs over the coming months. When public trust is shaken, it’s common for people to ask questions like, “What information do you hold about me?” and “What are you doing with it?” For data protection teams, this means more scrutiny, tighter deadlines, and a greater need for internal coordination.
If your organisation isn’t yet braced for this wave, now is the time to prepare. The Information Commissioner’s Office (ICO) expects timely responses regardless of resource pressure. Here’s how to manage SARs effectively, even under increased demand, and maintain compliance without compromise.
What Is a Subject Access Request?
A Subject Access Request (SAR) is the way an individual exercises their right of access: the right to find out how an organisation handles their personal data and to receive a copy of it. A response typically includes copies of the personal data held, together with the purposes of the processing, the retention period (or the criteria used to decide it), the recipients or categories of recipients the data is shared with, and the source of the data where it was not collected from the individual. The right is granted under the UK General Data Protection Regulation (UK GDPR), specifically Article 15. Its purpose is to give people greater visibility and control over how their personal information is collected, used, and shared.
“Personal data” means any information relating to an identified or identifiable individual, whether the identification is direct or indirect. It includes the obvious (names, addresses, contact details) and the less obvious: email correspondence that mentions the person, CCTV footage in which they appear, HR records, medical notes, and recorded phone calls.
Organisations have a duty to recognise and act on these requests promptly, even if the request is informal. Failing to respond appropriately can lead to enforcement action by the Information Commissioner’s Office (ICO) and potentially damage the trust and reputation your organisation has worked hard to build.
Responding to SARs effectively isn’t just about ticking a compliance box, it’s about respecting individuals’ rights and demonstrating your organisation’s commitment to data protection and transparency.
Step 1: Spot the Request Early
The first step in successfully handling a Subject Access Request (SAR) is being able to identify one in the first place, and that is not always obvious. SARs don’t need to come with legal language or follow a specific format. In fact, many individuals won’t use the words “Subject Access Request” at all. They may simply say something like, “Can I see the data you’ve got on me?” or “I want copies of all emails where I’m mentioned.”
These requests can arrive through any channel: email, contact forms, live chat, social media, phone calls, or face-to-face conversation. That means any employee, not just those in legal or compliance, could be the first point of contact.
What organisations must do:
- Train all staff to recognise a SAR when they see one.
- Create a clear, internal escalation process so front-line teams know where to direct requests.
- Develop and share example scenarios in training materials to reinforce awareness.
Top tip: Always log the exact date the request was received. That is day one of your legal deadline: one calendar month to respond in full, counted to the corresponding date in the following month.
Step 2: Confirm Identity
Before you disclose any personal data, it’s essential to ensure that the requestor is who they say they are. If you have genuine doubts about their identity, you’re entitled to ask for additional information to verify it.
However, this should always be reasonable and proportionate. For example, asking for a utility bill or photo ID might be acceptable in some contexts, but overly intrusive checks can be seen as obstructive and may breach data protection principles themselves.
Key considerations:
- Tailor the request for ID based on the sensitivity of the data being requested.
- Don’t use ID verification as a way to delay the process. You should only pause the one-month clock if you genuinely cannot proceed without further confirmation.
- Ensure all ID documents received are handled securely and not retained longer than necessary.
Step 3: Clarify the Request (When Needed)
Not all SARs will be clear. Some may ask for “all the data you have on me,” which can span thousands of documents across multiple systems. In these cases, it’s acceptable and often helpful to ask the individual to clarify their request. This could involve:
- Specifying a date range
- Naming a particular department or employee
- Indicating the kind of interaction or context (e.g., job application, customer service complaint)
However, it’s important to understand that you cannot refuse or delay processing the request purely because it’s broad. Start gathering what you can while awaiting clarification.
Best practice:
- Keep any clarification requests polite, clear, and focused.
- Document all correspondence in case of future ICO review.
Step 4: Search Thoroughly
This is often the most time-consuming part of the SAR process: identifying and locating all personal data relating to the individual. That means digital and physical records, structured and unstructured data, and anything that identifies the individual directly or indirectly.
Areas to check may include:
- CRM and HR systems
- Emails and email archives
- Shared drives and cloud storage
- Instant messaging tools (like Teams)
- Databases, forms, spreadsheets
- Paper files and filing cabinets
- CCTV footage (where the individual can be identified from the images or their context)
Less formal storage locations, such as personal inbox folders or team-shared documents, are easy to overlook. Give your organisation a documented SAR search protocol: list the systems and locations that are routinely searched, the identifiers used (names and their variants, email addresses, employee or customer numbers), and who runs each search. The search also gets simpler if personal data is only stored in designated locations in the first place, so retrieval does not depend on individual memory.
Step 5: Review and Redact
Once the relevant data has been gathered, it’s critical to review all of it carefully before disclosure. You are legally required to protect the rights and freedoms of others, which includes ensuring you don’t inadvertently release information that belongs to a third party.
This is where redaction becomes essential. References to other individuals (names, email addresses, opinions about them) may need to be removed or anonymised, unless the third party has consented or it is otherwise reasonable to disclose the information without their consent.
In addition, certain exemptions under the Data Protection Act 2018 may apply. Common exemptions include:
- Legal professional privilege (e.g., communications with solicitors)
- Management forecasting and planning (e.g., plans for a restructure, where disclosure would prejudice the business)
- Negotiations with the requester, and confidential references
- Data processed for the prevention or detection of crime, or for national security
Tip: Document your decision-making when applying exemptions or redactions; that record is what protects your organisation if the decision is later challenged.
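The following is an added example, not code from the original page or from Data Protection People, showing Steps 4 and 5 on constructed records: a search that records the terms and locations it used (so they can be reported back with the response), and a first-pass redaction that replaces third-party email addresses and named third parties while keeping the data subject's own identifiers. The sample records, paths, names and addresses are invented, the function names and the `third_party_names` list are assumptions for illustration, and the redacted output still needs human review before disclosure.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample records standing in for a mailbox export and a shared
# drive. Every path, name and address here is invented for this example.
SAMPLE_RECORDS = {
    "mailbox/hr/2025-03-02.eml": (
        "From: tom.lee@example.com\n"
        "To: jane.smith@example.com\n"
        "Subject: Your complaint\n"
        "\n"
        "Hi Jane, I spoke with Priya Patel about your complaint and she will\n"
        "call you tomorrow.\n"
    ),
    "shared/finance/q1-report.txt": "Q1 revenue was up 4%. No customer names in this file.\n",
    "shared/hr/notes.txt": "Meeting with J. SMITH and Tom Lee re grievance.\n",
}

# Search terms the handler supplies for the requester, including the
# variants (initials, email address) that a single-name search would miss.
SUBJECT_TERMS = ["Jane Smith", "J. Smith", "jane.smith@example.com"]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class SearchLog:
    """What was searched and how, kept so it can be reported with the response."""
    terms: list[str]
    locations: list[str]
    hits: list[tuple[str, int, str]] = field(default_factory=list)  # (path, line number, line)


def search_records(records: dict[str, str], terms: list[str]) -> SearchLog:
    """Case-insensitive search of every record for any of the subject's terms."""
    patterns = [re.compile(re.escape(t), re.IGNORECASE) for t in terms]
    log = SearchLog(terms=list(terms), locations=sorted(records))
    for path, text in records.items():
        for number, line in enumerate(text.splitlines(), start=1):
            if any(p.search(line) for p in patterns):
                log.hits.append((path, number, line))
    return log


def redact(text: str, subject_emails: set[str],
           third_party_names: list[str]) -> tuple[str, list[tuple[str, str]]]:
    """First-pass redaction of third-party identifiers.

    Email addresses other than the subject's own are replaced, as are the
    names on `third_party_names` (a list the reviewer builds while reading).
    The returned list records what was removed, for the redaction log.
    Automated matching is only a starting point: a person still reviews the
    result for opinions, context and identifiers this does not catch.
    """
    keep = {e.lower() for e in subject_emails}
    redactions: list[tuple[str, str]] = []

    def replace_email(match: re.Match) -> str:
        address = match.group(0)
        if address.lower() in keep:
            return address
        redactions.append(("email", address))
        return "[REDACTED third-party email]"

    out = EMAIL_RE.sub(replace_email, text)
    for name in third_party_names:
        pattern = re.compile(re.escape(name), re.IGNORECASE)
        if pattern.search(out):
            redactions.append(("name", name))
            out = pattern.sub("[REDACTED third party]", out)
    return out, redactions


if __name__ == "__main__":
    log = search_records(SAMPLE_RECORDS, SUBJECT_TERMS)
    print("searched:", log.locations, "for", log.terms)
    for path, number, line in log.hits:
        print(f"  {path}:{number}: {line}")
    redacted, removed = redact(SAMPLE_RECORDS["mailbox/hr/2025-03-02.eml"],
                               {"jane.smith@example.com"}, ["Tom Lee", "Priya Patel"])
    print(redacted)
    print("redaction log:", removed)
```

Two things worth noticing when running it: the note in `shared/hr/notes.txt` is only found because the handler supplied the "J. Smith" variant, which is why the search protocol should list identifier variants rather than a single name; and the returned `SearchLog` and redaction list are exactly the material Step 6 asks you to describe in the response (search terms and locations, and what was redacted and why).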
Step 6: Respond Within One Calendar Month
Once you’ve reviewed and prepared the data, you must respond within one calendar month of receiving the request. If the request is particularly complex (involving multiple data sources or large volumes of information), or the individual has made several requests, you may extend the deadline by a further two months, but you must tell the individual about the extension, and the reasons for it, within the original one-month window.
Your response must include:
- A copy of the personal data, in an accessible, commonly used format (e.g., PDF or Word)
- Details of how you have undertaken the SAR (e.g. the search parameters and search terms used)
- Details of any redactions and exemptions applied, so that the individual understands why material has been withheld.
- A reminder of the individual’s right to complain to the ICO.
Important note: The response should be clear and easy to understand. Avoid jargon and make the data as digestible as possible, especially when responding to members of the public.
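To make the deadline rules from Step 1 and this step concrete, here is an added example (not code from the original page or from Data Protection People) of a small deadline calculator for a SAR register. It encodes the "one calendar month" rule as the ICO describes it (the corresponding date in the following month, or the last day of that month when no corresponding date exists, as with a request received on 31 January) and the optional extension of up to two further months. The `sar_timeline` function and its `complex_request` flag are assumptions for illustration; a real register would also record who decided a request was complex and why.

```python
from datetime import date
import calendar


def add_calendar_months(start: date, months: int) -> date:
    """Return the corresponding calendar date `months` later.

    If the target month has no such day (31 January + 1 month), the date
    falls on the last day of that month, which is how the ICO tells
    organisations to count a 'calendar month'.
    """
    month_index = start.month - 1 + months          # zero-based, may exceed 11
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def sar_deadline(received: date, extension_months: int = 0) -> date:
    """Statutory response deadline for a SAR received on `received`.

    One calendar month by default; Article 12(3) UK GDPR allows up to two
    further months for complex or numerous requests.
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("the deadline can be extended by at most two further months")
    return add_calendar_months(received, 1 + extension_months)


def extension_notice_due(received: date) -> date:
    """Last day on which the individual must be told you are extending.

    The notice has to go out within the original one-month window, so this
    is simply the unextended deadline.
    """
    return sar_deadline(received, extension_months=0)


def sar_timeline(received_iso: str, complex_request: bool = False) -> dict:
    """Key dates for one register entry, from an ISO date string.

    `complex_request` is a hypothetical flag for this example: when set, the
    full two-month extension is applied and the notice date is reported.
    """
    received = date.fromisoformat(received_iso)
    extension = 2 if complex_request else 0
    return {
        "received": received.isoformat(),
        "respond_by": sar_deadline(received, extension).isoformat(),
        "extension_notice_by": extension_notice_due(received).isoformat() if complex_request else None,
    }


if __name__ == "__main__":
    # Constructed dates chosen to exercise the short-month and year-end cases.
    for received_iso, complex_request in (("2025-01-31", False), ("2025-06-15", True), ("2025-12-10", False)):
        print(received_iso, "->", sar_timeline(received_iso, complex_request))
```

The register entry this returns is what the "log the exact date" tip in Step 1 is for: once the received date is recorded, the response date and the last day for an extension notice follow mechanically, and neither depends on when the request was first noticed internally.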
With SAR volumes likely to rise this summer, preparation is key. Here’s how your organisation can get ahead:
- Audit Your Data
Understand what personal data you hold, where it lives, and who is responsible for it. The more you know about your systems, the faster you can respond to a SAR.
- Create or Refresh Your SAR Process
Have a clear, documented workflow in place that outlines roles, responsibilities, and timeframes. Automating parts of the process, such as search and redaction, can save valuable time.
- Upskill Your Staff
Ensure staff across departments know how to spot a SAR and escalate it. Offer training or guidance to reduce the risk of delays or mismanagement.
- Allocate Resources
Plan for peak periods by ensuring your data protection team isn’t stretched too thin. Consider temporary support or tools that can streamline response tasks.
Why It Matters More Than Ever
A well-handled SAR isn’t just a regulatory obligation; it’s a reflection of your organisation’s commitment to transparency and trust. In the wake of data breaches and public concern, timely and accurate responses help rebuild confidence and show that you take data protection seriously.
Delays, missed deadlines, or incomplete responses won’t just frustrate individuals. They could trigger investigations or fines from the ICO.
Need Help Managing SARs at Scale?
As the UK’s number one data protection consultancy, Data Protection People supports organisations of all sizes in handling SARs quickly, securely, and lawfully. Whether you need a one-off audit or an end-to-end SAR handling solution, we’re here to help.
Get in touch today — and stay one step ahead of the summer SAR surge.