In Short
- As a data controller under the UK GDPR your business must treat a subject access request (SAR) as a priority, meet strict deadlines and demonstrate accountability.
- Establish a clear policy, train staff to spot and escalate SARs, map where personal data is stored, use standardised communications and keep detailed records.
- When a request is complex, involving multiple systems, large volumes or sensitive information, seek legal advice to ensure compliance and minimise risk.
Tips for Businesses
Keep a current SAR policy, train your team to act fast, map your data stores, use templates for replies and document every step. If in doubt, consult a data-protection solicitor early.
A Subject Access Request (SAR) is a fundamental right under the UK GDPR. As a data controller, your business must comply with strict legal rules concerning SARs (with limited scope for extension or exemption) and demonstrate accountability in every response. Because SARs can be challenging and onerous, your business should handle every request with care and attention to mitigate risk. This article explores practical steps data controllers can take to handle SARs effectively and reduce risk.
Why Should You Prioritise SARs as a Data Controller?
SARs are a key right that allows individuals to access their personal data and understand how a data controller uses it.
As a controller, the UK GDPR requires you to respond within strict timeframes. Responding to a SAR also typically involves several key stages. Your business should designate a responsible individual or team, confirm the identity or authority where necessary, ensure the scope of the request is clear, track deadlines, find all relevant data across your systems and prepare an accurate response.
It is therefore vital to prioritise compliance as failing to comply with a SAR correctly or at all could lead to various risks and penalties for your business.
Key Steps for Effective Compliance
Key steps your business can implement to help you handle SARs effectively include the following:
Create and Maintain a Robust SAR Policy
Your business can draft and maintain a clear and up-to-date SAR policy that explains how staff should identify, log, scope and complete requests. The policy should outline key escalation processes for complex cases and guide staff on clarifying the scope or extending deadlines as necessary. You should review the policy regularly to ensure it reflects your current processes, legal rules and regulatory guidance. An up-to-date and compliant policy can also help you demonstrate accountability and provide staff with a reliable reference point to help avoid risk.
Train Staff to Recognise and Escalate SARs
SARs can be issued in various formats, such as verbally, in writing or electronically. Your business should train all staff to recognise what constitutes a SAR and to escalate it immediately to the appropriate person or team. Practical training exercises help staff understand how requests appear in practice, whether in a customer complaint, a casual email or a conversation. You should also provide regular refresher training so staff stay alert.
Standardise SAR Communications
Handling a SAR can often involve multiple stages of correspondence, including acknowledging receipt, clarifying the scope where necessary, notifying the individual of any extension and issuing the final response. Your business may wish to standardise these communications with templates. SAR response templates could help you save time, reduce errors and ensure consistency.
Using checklists can also help by providing a format for tracking key steps such as logging, ID verification, deadline management and disclosure. However, the actual SAR responses that are provided to the data subject should be carefully tailored to the relevant request.
Maintain Oversight and Records
Your business may keep a central register that tracks every SAR from receipt to closure. The register should record when you received the request, who is responsible for it, what deadlines apply and when you issued the final response. You should also document key decisions, such as whether you sought clarification or extended the response period. Maintaining these records creates an audit trail, enables management oversight, and may help your business demonstrate its steps for compliance if challenged.
Map Your Data and Assign Responsibility
Your business may struggle to respond efficiently if it does not know where personal data is stored. Data mapping is, therefore, a key step in helping you identify relevant systems, applications, and repositories, allowing you to locate information more quickly and accurately.
Obtain Legal Advice and Stay Up to Date
Some SARs can raise complex issues, especially those involving large volumes of material, multiple systems or sensitive matters. If you are unclear about how to respond to a SAR, your business should seek legal advice from a data protection solicitor. Legal advice can guide you on interpreting and handling complex requests, calculating deadlines and making difficult judgment calls about whether to rely on an exemption or refuse a request. Legal advice can also help you keep track of significant legislative changes, such as those brought about by the Data (Use and Access) Act 2025, which clarifies certain timing rules and stop-the-clock provisions concerning SARs.
By planning with strong internal management, processes and procedures, your business will be in a stronger position to meet your SAR requirements correctly and reduce non-compliance risk and penalties.
Key Takeaways
SARs can be onerous to manage and therefore require strong planning and timely action. Your business can take various steps to help you handle requests, including investing in staff training on processes, data mapping, implementing a SAR response policy and seeking legal advice where necessary. By preparing in advance and treating each request with care, your business can protect itself against legal and reputational risk and strengthen its credibility as a responsible data controller.
If your business needs advice on how to handle a SAR, our experienced data and privacy lawyers can assist you through LegalVision’s membership service. For a low monthly fee, you will have unlimited access to our lawyers, who can answer your questions and draft or review your documents as needed. Call us today at 0808 196 8584 or visit our membership page.
Frequently Asked Questions
What is a Subject Access Request?
A Subject Access Request is a request that allows an individual data subject, about whom you process personal data as a controller, to find out whether you process their personal data, to obtain a copy of that data and to understand how and why you use it.
How can my business handle SARs effectively?
Your business can take various steps, including implementing a clear SAR policy, training staff to recognise and escalate requests, using templates and checklists to standardise communications and save time, maintaining robust internal records, mapping where your data is stored and seeking legal advice when in doubt.