Complying With Subject Access Request Timescales: Legal Requirements for Employers

In Short

  • Respond to Subject Access Requests (SARs) promptly, within one month, to avoid penalties under UK data protection law.
  • If the SAR is complex or unclear, you may extend the response time but must notify the requester within the original month.
  • Implement a DSAR policy and train staff to ensure compliance and consistency in handling SARs.

Tips for Businesses

Create a clear SAR policy to streamline responses and ensure compliance with the UK GDPR. Assign responsibilities, train staff, and keep detailed records of all SARs. Be mindful of extension rules and seek legal advice for complex requests to minimise risks of non-compliance.

Subject Access Requests (SARs) are likely the most commonly known data subject right under UK data protection law. These requests can be especially common for employers, particularly when a disgruntled employee submits a SAR during grievance or disciplinary proceedings. Your business should understand that responding to SARs on time is critical, as failing to meet deadlines can result in penalties under UK data protection law. Your business should ensure it handles SARs with careful planning and clear internal procedures to meet its legal obligations and maintain employee trust. The UK ICO has issued specific guidance for employers regarding SARs. This article explores key considerations for employers regarding SARs, their timescales and practical advice on navigating these time limits. 

When May an Employer Face a SAR?

Employers typically handle a lot of employee personal information. As such, they can often receive SARs in various scenarios, particularly during disputes with employees, such as disciplinary actions, grievance proceedings, or employment tribunal claims. A disgruntled employee may use a SAR to try to gather evidence or review the handling of their personal data. 

Your business should treat a SAR with urgency and care, as delays or incomplete responses could escalate tensions and increase the risk of problems arising from employees.

What Does the Law Say About SARs?

Data protection law governs how employers may process personal data and sets clear rules for handling SARs. SARs allow individuals to access a copy of their personal data and request information on how and why it is being processed (e.g. information regarding processing purposes, data recipients, retention periods, alongside other key information).

As an employer, you are likely to hold various types of employee data, such as HR records, disciplinary notes, or performance appraisals. Your business should, therefore, ensure it understands its obligations clearly to avoid costly mistakes. Failing to respond accurately or on time risks regulatory penalties and can damage employee trust.

How Strict Are the Timelines for Responding?

SAR deadlines are strict, so your business must act promptly to meet them. 

Put simply, the standard response time is without undue delay and, at the latest, one month from when your business receives the request (or identity verification or fee, if applicable). 

If the SAR is complex, your business should notify the requester within the original one-month period to clarify it and explain the reasons for the delay. Extensions of time are allowed for up to two additional months, but only in genuinely complex cases. If a SAR is unclear or too broad, your business should ask for clarification. In such cases, the clock pauses until clarification is received. However, your business should only request clarification when it genuinely processes large volumes of data about the individual and needs the clarification to process the request. This is not simply an excuse to delay responding to the SAR because you think it will be onerous to do so.

These are some high-level examples of guidance around extending timeframes. Still, employers should consult the ICO’s guidance to understand the full scope of these rules and determine if they apply to a specific SAR. There are also rules concerning notifying the relevant data subject of any time extensions.

Should Employers Have a DSAR Policy?

In practice, navigating a SAR and its timeframes can be challenging. 

Your business should implement a clear and practical SAR policy to help you handle SARs efficiently and consistently. This policy is particularly important for helping you understand when you need to respond and when you can extend a response deadline following legal rules. 

A well-drafted DSAR policy will help by providing a key framework and guidance for logging SAR requests. It will also ensure that you take other appropriate steps, such as verifying identities, clarifying unclear submissions, and securely delivering the relevant data. 

Your business should train staff to follow the policy to help ensure compliance with UK GDPR requirements and reduce the risk of errors.

What Other Steps Should Employers Take to Prepare for SARs?

Preparation is critical to managing SARs effectively. Your business should, therefore, consider creating a straightforward internal process, assigning responsibilities to team members, and documenting every step of the response. 

Your business should keep detailed records of all SARs, including when they were received, the actions taken, and how data was delivered.

For complex SARs (such as those involving third-party data or where an exemption may apply, which means you may not be able to provide the data), your business should seek legal advice to manage risks appropriately. By planning ahead and seeking legal advice, your business can handle SARs efficiently and avoid non-compliance risks.

Key Takeaways 

Given the high volumes of personal information an employer processes, they may receive SAR requests from employees. Employers should act quickly to respond to SARs within one month unless a legitimate extension of time is necessary and the employer notifies data subjects of the reasons for the delay in accordance with data protection law rules. Implementing a practical DSAR policy, training staff to handle requests confidently, and keeping detailed records and logging dates can help employers comply with their DSAR obligations. 

If you need help handling employee SARs, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What Is the UK GDPR?

The UK GDPR regulates how businesses can collect, store, and use personal data. It also gives individuals the right to access, correct, or delete their data.

What Is a SAR?

A Subject Access Request (SAR) lets someone ask you for a copy of the personal data you hold about them. Employees may use SARs to check how you handle their information or to gather evidence during disputes.

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.
