Skip to content

What Are the Benefits of Using a Lawyer to Handle Subject Access Requests in England?

Table of Contents

Many business owners in England know the risks of mishandling Subject Access Requests (SAR). In recent years, an increasing number of individuals and employees are seeking SARs to extract information from organisations, often to pursue legal action. The General Data Protection Regulation (GDPR) has rules governing how your organisation should correctly handle these requests. Failure to do so may result in the Information Commissioner’s Office (ICO) investigating your company and fining you. This article will explore the advantages of using an experienced lawyer to help your business handle and process Subject Access Requests in England.

What is a Subject Access Request? 

A Subject Access Request (SAR) is a request from an individual (usually in writing) for a copy of all information held about them. Some SARs are specific, for example, asking for all emails mentioning them by name during a particular period. On the other hand, some are more general, for example, asking for all personal data relating to them during their entire time with an employer. However detailed the SAR, the same rules apply to your organisation. 

These rules include:

  1. the individual should receive a copy of the data requested in digital or printed form;
  2. your organisation must provide the information within one calendar month of receiving the request (with limited exceptions); and
  3. you should inform the individual of any other party who has received that data.

Previously, businesses in England were able to request a small fee (of £10) to process a SAR. However, today, the GDPR no longer allows this (with limited exceptions). Although handling a SAR appears straightforward, many businesses face significant issues and can benefit from seeking legal assistance. 

Let us explore some of the main advantages of doing so below.

Ensuring Correct Correspondence

One of a company’s main tasks when receiving a SAR is to ensure regular and accurate correspondence with the individual. This could include:

  • a letter or email acknowledging receipt of the SAR;
  • a written request for further information to help carry out the SAR;
  • any update letter confirming the progress of the SAR; and
  • correspondence enclosing SAR materials (and explaining the reasoning for withholding any information).

Some of these letters require personalisation, where a lawyer’s drafting skills and knowledge of GDPR rules will be essential.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Knowledge of When to Request Further Information

Before responding to a SAR, you must ensure your company has enough information to comply with it. Many individuals ask for a copy of ‘all information held about me’ when, in reality, they have a core purpose that requires far fewer materials. By narrowing the scope of information to process, you can save time and effort for your business.

It may be advisable to send a tailored letter to the individual requesting further details regard their SAR. Accordingly, an experienced lawyer can:

  • offer detailed advice;
  • draft any relevant letter; and
  • ensure your company does not spend too much time or effort searching for materials.

Advice on the Correct Redaction of Data

It is essential only to provide relevant information relating to that individual and to not accidentally disclose personal data relating to others. A lawyer can advise your company on:

  • which parts of data your company should not disclose;
  • which parts should be redacted (a process that blanks out irrelevant information using black bars); and
  • which documents your company should not mention due to ‘legal advice privilege’ (which protects legal advice given to your company by its lawyer).

Disclosing incorrect information or failing to disclose enough information can constitute a breach of the GDPR. Therefore, it is vital to know which documents you should and should not provide to the individual.

Extending the SAR Deadline

There are certain circumstances in which your organisation can spend more than one calendar month responding to a SAR. However, the GDPR limits your company to specific situations and requires you to provide the individual with written reasons for doing so.

The main exemptions include where:

  • the SAR is very complex in nature; or
  • the individual has provided multiple SARs during a specific period, which either overlap or cause your organisation difficulty responding within one calendar month.

An experienced lawyer will be able to advise you on the meaning of ‘complex’. Furthermore, they can advise whether your company is eligible to extend the one month deadline. This is particularly important as claiming you have an extension when you do not is a breach of the GDPR. Furthermore, such an error is likely to result in an ICO penalty.   

Key Takeaways

While using a lawyer is not mandatory, obtaining legal advice on subject access requests can ensure that your business meets its legal obligations. After all, if your organisation handles a SAR poorly, you may face an irate individual and a potential ICO investigation.

If you need help handling subject access requests, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Why are expert lawyers well placed to help my business handle SARs?

One reason is that the GDPR contains many rules governing SARs, of which many lawyers have a detailed understanding. Experienced lawyers are also aware of the safe limits of various exemptions and when the ICO may criticise the approach of a business (and consider imposing a fine). In addition, an expert lawyer will be able to handle all aspects of the SAR process, including acknowledgement of receipt, advising on the search and any redaction and sending relevant letters and materials.

Can my business refuse to carry out a SAR if it believes the individual is considering a tribunal claim?

No, your company has no exemption simply due to that individual considering legal action. In fact, there would be a greater emphasis on your organisation complying with the SAR, and any attempt not to may be viewed as vindictive by the ICO or any future Employment Tribunal).  

Register for our free webinars

Preparing Your Business For Success in 2025

Online
Ensure your business gets off to a successful start in 2025. Register for our free webinar.
Register Now

2025 Employment Law Changes: What Businesses Should Know

Online
Ensure your business stays ahead of 2025 employment law changes. Register for our free webinar today.
Register Now

Buying a Tech or Online Business: What You Should Know

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar.
Register Now

How the New Digital and Consumer Laws Impact Your Business

Online
Understand how the new digital and consumer laws affect your business. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards