Subject Access Requests: Timelines & SAR Compliance Essentials | DPAS

Subject Access Requests (SARs): A Practical Guide to Handling Them Efficiently

Data protection laws, including the UK GDPR and the Data Protection Act 2018, grant individuals the fundamental right to access the personal data an organisation holds about them. A request made to exercise this right is known as a Subject Access Request (SAR).

While SARs are a cornerstone of transparency and accountability, they can feel like a significant administrative burden. However, SAR compliance isn’t just a legal requirement – it’s also essential for maintaining trust and avoiding potentially costly enforcement action from the Information Commissioner’s Office (ICO).

To help streamline your process, we’re tackling the most common and pressing questions organisations face when managing Subject Access Requests, along with practical guidance to help you stay compliant and in control.

The Clock Is Ticking: How Long Do You Have to Respond?

This is perhaps the most critical question. Under the UK GDPR, you generally have one calendar month to respond to a SAR.

The timelines you need to know for SAR compliance are below:

Key Timelines

Standard request
  Deadline: one calendar month from the date of receipt.
  Notes: the clock starts on the day the request is received.

Complex or numerous requests
  Deadline: one calendar month from the date of receipt, which can be extended by a further two months.
  Notes: you must inform the individual of the extension, and the reasons for it, within the original one-month period.

Verification of identity
  Deadline: the clock pauses until the ID is received.
  Notes: crucially, you cannot use the ID request as a delay tactic. You must ask for it without delay. The clock is paused from the date you request ID and does not resume until the ID is received.

Clarification required
  Deadline: the clock pauses until the clarification is received.
  Notes: you must request clarification promptly and only where genuinely necessary. Seeking clarification cannot be used as a means of gaining more time.

Pausing the clock means that when you request clarification or ID from the individual, the one-month deadline is temporarily stopped and only starts once the necessary information is received. However, you must do this without delay, as any time taken before requesting it still counts towards the deadline, meaning you only have the remaining time left rather than the full month.

Remember, the ‘one month’ does not mean 30 days. If you receive a request on 15th March, the deadline is 15th April, regardless of the number of days in between. 

Because months have different lengths, you also need to account for cases where the corresponding date does not exist in the following month. If the request is made on 31st January, the deadline is the last day of February: 28th February, or 29th in a leap year.
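The calendar arithmetic above has two edge cases that are easy to get wrong by hand: the month-end clamp, and a pause that leaves you only the remaining days rather than a fresh month. The following is an added example (not code from the DPAS article) that applies the rules described above, including the two-month extension for complex requests; the dates used are constructed sample inputs, and the treatment of a pause as shifting the deadline by exactly the number of paused days is the interpretation of "remaining time" adopted here.

```python
"""Deadline arithmetic for a Subject Access Request (SAR) under the UK GDPR.

Added example, not code from the article. It implements the "one calendar
month" rule (same day next month, clamped to the last day of that month),
the pause while ID or clarification is outstanding, and the further
two-month extension for complex or numerous requests.
"""
from calendar import monthrange
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


def add_months(start: date, months: int) -> date:
    """Same day of the month `months` later, clamped to that month's last day.

    31 Jan + 1 month -> 28 Feb (29 Feb in a leap year); 15 Mar + 1 -> 15 Apr.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    return date(year, month, min(start.day, monthrange(year, month)[1]))


@dataclass
class SarClock:
    """Tracks the statutory deadline for one SAR as the request progresses."""
    received: date
    paused_on: Optional[date] = None   # set while ID/clarification is awaited
    paused_days: int = 0               # total days the clock has been stopped
    extended: bool = False             # two-month extension applied?
    log: list = field(default_factory=list)  # audit trail of clock events

    def deadline(self) -> date:
        # One month, or three in total once extended, plus any time the
        # clock was stopped. Days used before a pause still count.
        months = 3 if self.extended else 1
        return add_months(self.received, months) + timedelta(days=self.paused_days)

    def pause(self, on: date, reason: str) -> None:
        """Stop the clock from the day ID or clarification is requested."""
        if self.paused_on is not None:
            raise ValueError("clock is already paused")
        if on < self.received or on > self.deadline():
            raise ValueError("pause must fall within the live response period")
        self.paused_on = on
        remaining = (self.deadline() - on).days
        self.log.append(f"{on}: paused ({reason}); {remaining} days remaining")

    def resume(self, on: date) -> None:
        """Restart the clock on the day the requested information arrives."""
        if self.paused_on is None:
            raise ValueError("clock is not paused")
        if on < self.paused_on:
            raise ValueError("resume date precedes pause date")
        self.paused_days += (on - self.paused_on).days
        self.paused_on = None
        self.log.append(f"{on}: resumed; deadline now {self.deadline()}")

    def extend(self, notified_on: date) -> None:
        """Apply the further two months; the individual must be told within
        the original (pause-adjusted) one-month period."""
        if self.extended:
            raise ValueError("extension already applied")
        if notified_on > self.deadline():
            raise ValueError("extension must be notified within the original month")
        self.extended = True
        self.log.append(f"{notified_on}: extended; deadline now {self.deadline()}")


if __name__ == "__main__":
    # Constructed walk-through: received 15 Mar, ID requested 20 Mar,
    # ID received 27 Mar, extension notified 10 Apr.
    clock = SarClock(received=date(2024, 3, 15))
    clock.pause(date(2024, 3, 20), "proof of ID requested")
    clock.resume(date(2024, 3, 27))
    clock.extend(date(2024, 4, 10))
    print("\n".join(clock.log))
```

The `extend` check uses the current deadline (including any pause) because that is the period you actually have left; notifying after it has passed is exactly the failure the guidance warns about.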

Identifying the Requester: Should You Ask for ID?

You have a responsibility to ensure that personal data is disclosed only to the correct individual. Revealing information to somebody other than the individual in question is an unauthorised disclosure and a violation of that person's rights under the GDPR.

You should ask for proof of ID:

  • When you have reasonable doubts about the identity of the person making the request. This could mean that the request comes in from an unfamiliar email address, or from a third party you don't typically interact with.
  • When the data requested is highly sensitive.
  • When a third party is making the request on someone else's behalf; in that case you should also check that they are authorised to act for that person.

If you’re confident about the requester’s identity, it’s not mandatory to ask for proof of ID as part of their Subject Access Request.

How to Verify Identity for a SAR

The need for ID verification should be determined by the Controller. The key is to use reasonable means. Do not ask for ID if you are certain of the requester’s identity. You must also be clear about how this verification data will be securely processed and deleted afterwards, in line with the requester’s rights. 

You should also consider methods for verification. You can request formal ID or use alternatives such as matching information already held, account authentication, or contextual questions.

Ultimately, you need to satisfy yourself as the Controller that the individual making the request is actually who they say they are.

What do you have to search for?

Responding to a SAR isn't always about extracting everything you've got. More often than not it is about carrying out a targeted, reasonable and proportionate search for personal data relevant to the request.

Start by reviewing the request thoroughly and consider:

  • What information is the requester asking for?
  • Does the request provide timeframes, categories of data, or specific systems?
  • Is there anything unclear, vague, or too broad that might need clarification from the requester?

The next step is about identifying the locations and systems where the relevant personal data is likely to be held. Think email accounts, instant messaging, shared drives, HR platforms, CRM systems. 

Once you’ve done that, create and document your reasonable and proportionate search terms (including keywords for more specific requests). These might include the requester’s name, contact details, usernames, employee IDs or other unique identifiers. If the request is specific, you should also consider contextual keywords e.g., grievance, disciplinary to refine the results and exclude irrelevant data.

You should then run your searches and export the results for review. Most platforms should have a form of eDiscovery built in to enable a smoother extraction of data. 

Carefully review the exported data to remove duplicates and exclude any information that is not relevant to the request, then convert the remaining files to a format that allows for redactions, such as PDF.

Your SAR search process should be well documented and defensible. The key is to understand the request, identify and search the correct systems, and refine the results to ensure that you are providing exactly what is required.

Third-Party Data: What Should You Redact?

Redaction is often the most time-consuming part of responding to a SAR. When providing an individual with their personal data, you must ensure you do not inadvertently disclose the personal data of other individuals unless:

  • The third party has given explicit consent; or
  • It is reasonable to disclose the information without their consent.

When assessing the reasonableness, the ICO suggests considering factors such as:

  • The nature of the third-party data: Is it highly confidential or sensitive?
  • Any duty of confidentiality owed to the third party: Is there a contractual or professional obligation (e.g., solicitor-client privilege)?
  • The steps taken to seek consent: Have you tried to contact the third party?
  • The views of the third party: If contacted, did they object to disclosure?
  • The context of the request: the context of a request can help assess the potential risks.

In practice, SAR compliance means that it is necessary to redact the personal data of other individuals to protect their rights. This means any information that can be used to directly or indirectly identify a natural (living) person.

If third-party information cannot realistically be separated and withholding it would render the response meaningless, disclosure may be justified, but you must document your reasoning carefully.
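The search steps described earlier (identifier search, contextual keywords, duplicate removal) and the third-party redaction described in this section are the parts of a SAR that are most often automated, and also where a slip leaks someone else's data. The following is an added example, not the article's or DPAS's own tooling, that runs those steps over a constructed in-memory corpus; in practice the documents would come from each system's eDiscovery export, and the list of third-party names would be built during human review rather than hard-coded.

```python
"""Targeted SAR search, de-duplication and third-party redaction.

Added example, not code from the article. The corpus, requester and
third-party names below are constructed sample data. Redaction output is
a starting point for human review, not a substitute for it.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Document:
    system: str   # where the item was found (email, HR platform, CRM, ...)
    ref: str      # the item's reference within that system
    text: str


# Constructed sample data: the requester's identifiers, other people's
# names identified during review, and a corpus containing one exact duplicate.
REQUESTER_TERMS = ["Jane Smith", "J. Smith", "jane.smith@example.com", "4471"]
THIRD_PARTY_TERMS = ["Tom Brown", "Peter Jones"]

CORPUS = [
    Document("email", "msg-001", "Hi all, Jane Smith (jane.smith@example.com) raised a grievance about rota changes."),
    Document("email", "msg-002", "Hi all, Jane Smith (jane.smith@example.com) raised a grievance about rota changes."),
    Document("hr", "case-17", "Grievance meeting: J. Smith, emp 4471. Witness: Tom Brown (tom.brown@example.com) supports her account."),
    Document("email", "msg-003", "Lunch order for Friday: Jane Smith wants the vegetarian option."),
    Document("crm", "acct-9", "Customer Peter Jones, peter.jones@example.com, complained about delivery."),
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
REDACTED = "[REDACTED - third party]"


def _fingerprint(text: str) -> str:
    """Hash of the lower-cased, whitespace-normalised text, used to spot duplicates."""
    normalised = " ".join(text.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def search(corpus: Iterable[Document], identifiers: List[str],
           context_terms: Optional[List[str]] = None) -> List[Document]:
    """Return documents mentioning any identifier (and, if given, any context
    term), with exact duplicates removed. Matching is case-insensitive."""
    seen = set()
    hits = []
    for doc in corpus:
        lowered = doc.text.lower()
        if not any(term.lower() in lowered for term in identifiers):
            continue
        if context_terms and not any(term.lower() in lowered for term in context_terms):
            continue
        fp = _fingerprint(doc.text)
        if fp in seen:        # same content already exported from another item
            continue
        seen.add(fp)
        hits.append(doc)
    return hits


def redact_third_parties(text: str, requester_terms: List[str],
                         third_party_terms: List[str]) -> Tuple[str, List[str]]:
    """Replace other people's e-mail addresses and names, keeping the
    requester's own data. Returns the redacted text and a list of every
    value removed, so the decision can be recorded for the audit trail."""
    requester_lower = {t.lower() for t in requester_terms}
    removed: List[str] = []

    def _mark_email(match: "re.Match") -> str:
        value = match.group(0)
        if value.lower() in requester_lower:   # the requester's own address stays
            return value
        removed.append(value)
        return REDACTED

    # Any e-mail address that is not the requester's is treated as third-party data.
    out = EMAIL_RE.sub(_mark_email, text)
    for name in third_party_terms:
        out, count = re.subn(re.escape(name), REDACTED, out, flags=re.IGNORECASE)
        removed.extend([name] * count)
    return out, removed


if __name__ == "__main__":
    for doc in search(CORPUS, REQUESTER_TERMS, context_terms=["grievance"]):
        redacted, removed = redact_third_parties(doc.text, REQUESTER_TERMS, THIRD_PARTY_TERMS)
        print(f"{doc.system}/{doc.ref}: removed {removed}\n  {redacted}")
```

Two design points worth noting: the duplicate check hashes normalised content rather than comparing references, because the same message is routinely exported from several mailboxes under different IDs; and the redaction function returns what it removed rather than silently rewriting, because the redaction log is the record you will need if the requester challenges the response.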

Are Subject Access Requests Free, or Can You Charge a Fee?

Most SARs must be handled free of charge. However, in limited circumstances, where a request is manifestly unfounded or excessive, you may either charge a reasonable fee or refuse to act on the request.

Top Tips for Efficient SAR Handling & Compliance

1. Establish a Clear SAR Policy and Procedure

Document how a SAR is identified, who is responsible for handling it, the steps for verifying ID and requesting clarification (if required), how the searches will be conducted, and the review/redaction process. Ensure everyone is trained to recognise that a SAR does not need to mention “Subject Access Request” explicitly to be valid. Everyone in the organisation should know how to identify a SAR, what methods can be used to make a request, and ultimately what to do if a request lands in their inbox.

2. Implement Effective Search and Data Mapping

Knowing where personal data is stored (emails, HR files, cloud storage, CRM systems, etc.) drastically cuts down search time. Review your Record of Processing Activities (RoPA) to help identify the systems where the relevant personal data will be located. Use effective keyword and date-range searches to significantly reduce the time spent reviewing irrelevant material. Data mapping is not just a compliance exercise; it is a SAR efficiency tool.

3. Communicate Clearly 

Clear communication is vital to handling requests and meeting SAR compliance. Acknowledge the request as promptly as possible. Communicate with the requester clearly, whether you are requesting proof of ID, clarification, or an extension, remembering to do so within the initial month time frame.

4. Document everything

Keep detailed records of all actions taken, searches conducted, decisions made (especially concerning redaction or refusal), and the final disclosure provided. This audit trail is invaluable if the request escalates to the ICO.

5. Redaction

Redaction is a crucial part of the SAR process. It ensures secure and appropriate removal of third party data, information provided in confidence, and any other information where appropriate exemption use may apply. While tools and automation exist and are often used, they should not be solely relied upon. Any use of these tools to conduct redaction should have expert human oversight to ensure accuracy, correct exemption usage and that only the requester’s personal data is disclosed.

6. Provide Data in an Accessible Format

The information must be provided in a concise, intelligible, and easily accessible form. Common formats such as PDFs are typically the most appropriate. It is important to avoid overwhelming individuals with disorganised or duplicative material.

Receive Reliable SAR Support from the Experts

Subject Access Requests are a legal right. While they can be resource-intensive, they are manageable with preparation and structure. By being proactive and having the right systems in place, SARs shift from being reactive disruptions to controlled, compliant processes.

We can provide support for Subject Access Requests, including redaction services and consultancy that will ensure you meet SAR compliance, no matter the scale or complexity of the request. To learn more, please speak to a member of our team so we can understand your requirements.
