Skip to content

Four Tips to Safely Handle Subject Access Requests in England

Table of Contents

Your business will likely handle a significant amount of data relating to employees, customers and suppliers. Therefore, you must comply with data protection requirements to avoid fines. The General Data Protection Regulation (GDPR) contains many data protection rules, including the right for an individual to file a Subject Access Request (SAR). These are also known as data subject access requests or DSARs. This article will explain the nature of a SAR and provide four tips for your business on safely handling them.

What is a Subject Access Request?

SARs came into existence prior to the GDPR. However, the GDPR reduces the time your company has to address the SAR. Under a SAR, all individuals who have data relating to them within your organisation have the right to:

  • to be informed of the specific data you hold about them; 
  • receive a copy of this data; and 
  • be told who else has access to that information.

Your organisation has one calendar month to respond to the SAR. Usually, you must do so in writing.

Under old data protection laws, your company was able to charge a small fee for performing this task. However, under the new rules, your business cannot usually request payment. Although, there is an exemption where the SAR is ‘excessive’ or the individual seeks multiple copies. Here, you may charge a reasonable fee.  

Let us explore four tips to help your company safely handle SARs.

1. Acknowledge Receipt

It is good practice to respond to the sender of the SAR and confirm a receipt of their request. This also enables your company note the deadline to respond (one calendar month from the date of receipt).

So, if you receive a SAR from an employee by email on 2nd May, your first step would be to acknowledge it by return email. Additionally, you might note that 2nd June is the final day to provide them with the necessary materials.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

2. Ask for Further Information

Make sure you know exactly what the individual wants to receive. For example, while they may ask for all information about themselves, they may only be interested in information on a particular subject or relating to a certain matter. If you have a significant amount of information about an individual, it is good practice to ask for further information to narrow your scope of search.

For example, suppose an individual asks for all information about them. Yet, upon being asked for the particular materials sought, they are only requesting emails between themselves and an individual they are in dispute with. In that case, you can potentially limit your search to those emails alone. This prevents your organisation from organising and sending every mention of the individual on your system.

You can ‘pause’ the one-month deadline while waiting for the individual to provide further information. So, if you wait three days for a response, your deadline to fully handle the SAR becomes one month and three days.

3. Search and Redact Information

Once you know what the individual is seeking, you can search your relevant systems. Depending on the nature of the SAR, this may involve checking:

  • your IT system;
  • your email server;
  • personnel files; 
  • written materials (for example, within filing cabinets); or
  • digital messages and files on work devices.

Sometimes a document may mention the requester alongside other individuals. In that case, you should redact the names and information belonging to others. Redacting information involves placing a large black bar over other individuals’ data, so someone else cannot read it, thus protecting their confidentiality. Some business owners seek legal advice on when they can and cannot redact confidential information.

4. Respond in One Month

Usually, your business will have one calendar month to respond to a SAR. This is subject to being able to ‘pause’ the clock whilst awaiting additional information, as mentioned above. However, your organisation may also extend the one calendar month deadline in the following situations:

  • a complex SAR; or
  • receiving several GDPR related requests from the same individual simultaneously (such as an employee who requests two SARs and makes an application for erasure).

Many business owners wish to explore the tactic of labelling a SAR as ‘complex’ and buying more time. In reality, this is a limited exemption for exceptionally complicated SAR requests. Simply stating the SAR is complex without good reason is a breach of data protection rules and exposes your company to ICO fines.

An Example

Let us say you receive a written SAR from an employee on 5th July. In this case, the employee is asking for all personal information held about them. Your company should acknowledge receipt and then ask for further information as to the reason for the request and what particular documents they are looking for.

Five days later, the employee returns to explain that they are looking for payment and pension information to help them with an ongoing dispute with their pension provider. The five days waiting for a response means that your organisation now has one month and five days to respond, extending the deadline to 10th August. 

Now that you know they are looking for documents to support a pension dispute, you can confirm with the individual that you intend to provide them with documents for this purpose. This means your company can limit its search to payment, invoice and pension information. Meanwhile, you may exclude other emails, telephone call recordings and other materials relating to their actual work.

Your organisation may likely provide them with a copy of their:

  • employment contract;
  • any pension policies or pension information leaflets; and
  • all emails on the work system between the employee and pension provider.

Key Takeaways

Your business must safely handle an SAR to avoid breaching data protection law. This will also prevent your business from receiving a non-compliance fine from the Information Commissioner’s Office (ICO). Some business owners obtain legal assistance to ensure they fully comply with data protection rules. Although, this depends on the complexity of the SAR request. Additionally, you may require assistance if the individual has lodged it to assist in an active legal claim against the organisation.

If you need help to handle an SAR you have received, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Can my company refuse if an employee is only using a SAR to help a Tribunal action?

No. The SAR’s purpose is irrelevant, and your company must carry it out whether its relationship with the requester is positive or negative.

Can my business charge any form of fee for carrying out a SAR?

It can only do so in limited circumstances. Fees are limited to requests which are ‘excessive’ (for example, insisting on wanting 40 years’ worth of records when only in dispute with you over the last 6 months) or where the individual requests multiple copies.

Register for our free webinars

Protecting and Enforcing Your Brand

Online
Protect your brand from misuse and infringement. Register for our free webinar.
Register Now

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now

Common Legal Pitfalls for SaaS and Online Businesses

Online
Protect your online or SaaS business from common legal pitfalls. Register for our free webinar.
Register Now

GDPR Compliance Essentials for SMEs

Online
Ensure our business is compliant with GDPR and build trust with customers. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards