How to respond to a subject access request: a step by step guide for organisations

30 April 2019

Subject access requests are quick and easy for an individual to make. But for any organisation receiving an SAR, many long hours and significant resources will be needed in order to properly respond. As with any difficult task, procrastination does not make responding any easier. Any individual dissatisfied with the speed or content of an organisation’s response will also find it quick and easy to complain to your organisation or the ICO. This SAR guide is intended to make responding to SARs as straightforward as possible.

1. Recognise the subject access request

A SAR is any request by an individual for their own personal data. Although it must be in writing, it can be sent to anyone in your organisation, by any means and in any form. It does not need to mention the GDPR or Data Protection Act 2018. It does not matter that the request incorrectly refers to the Freedom of Information Act 2000.

A SAR does not simply entitle an individual to a copy of their own personal data. They are also entitled to receive a number of other pieces of information about how their personal data is being processed (Article 15 GDPR), including the purpose of processing the data, the source of the data and who the data has been or will be shared with.

As soon as a request is identified, ensure that any routine data deletion or destruction processes are suspended with respect to the personal data of that individual. In addition, it is now a criminal offence to delete, destroy, alter or conceal personal data to frustrate a SAR (Section 173 DPA 2018).


2. Identify the individual making the subject access request

Before communicating with the individual, satisfy yourself with respect to their identity. The measures you take depend on what is reasonable in the circumstances. It may be reasonable to seek proof of identity (usually recent photographic ID and a utility bill) from an unknown client, but not from an employee with whom you are in day-to-day contact.

A request may be made on behalf of an individual by a representative, for example, a solicitor. Seek reassurance that the individual has authorised the representative to make the request, correspond with you and receive the response on their behalf. Requests made on behalf of children need to be carefully considered with reference to the ICO’s guidance.


3. Act swiftly and clarify the subject access request

You have one month to respond from the receipt of the SAR. It is possible to extend this period by a further two months in complex cases, although the individual should be informed as soon as this becomes apparent.

Where the SAR is broad or unclear, the ICO strongly encourages organisations to contact the individual to clarify the personal data which they wish to receive. Although the individual is under no obligation to explain why they want the personal data or what they intend to do with it, they may be able to narrow the parameters of their request. This could include refining the date range or categories of information sought. It is useful to confirm at this stage whether the individual wants their own communications to / from the organisation to be disclosed.

Opening up a line of communication with the individual provides immediate reassurance that an organisation is taking its responsibilities seriously.


4. Identify personal data to be disclosed

Organisations are expected to be able to conduct reasonable and proportionate searches of their hard copy or electronic filing systems in order to identify the personal data belonging to the individual. This may include client / employee files, Outlook accounts and data held by data processors. All forms of information may fall to be disclosed, including audio recordings or CCTV footage. Data which has effectively been put beyond use may be excluded.

What is personal data?

Personal data is broadly defined as any information relating to an individual who can be identified from that information (or in combination with other information in an organisation’s possession). It does not matter that information does not refer to an individual by name, so long as they can be identified by other means, for example, their initials or ID number. Personal data may be known to the individual or within the public domain. Importantly, personal data includes any recorded opinion of that individual.

The obligation upon the organisation is to disclose the information from the original document or record, but not necessarily the document or record itself. In many cases, providing the original document or record may be appropriate. In other cases, especially where there is a significant amount of mixed data (see below), it may be more appropriate to provide extracts of the personal data, so long as it is in an intelligible form.


5. Identify personal data exemptions

There is a series of good reasons why personal data should not be disclosed, reflected within the range of exemptions to disclosure within Article 15 GDPR and schedules 2 – 4 of the Data Protection Act 2018, for example, where disclosure would prejudice defined public functions or where communications are subject to legal professional privilege.

You are not required to, and should not, disclose an individual’s personal data if this would adversely affect the rights of other individuals. This issue frequently arises with respect to mixed data such as email communications and meeting notes, which are the personal data of the individual as well as of the others in the email chain or at the meeting. In determining whether to disclose this mixed data, consideration must be given to whether the third parties have consented to its disclosure or whether it is otherwise reasonable to disclose it. There are no easy rules of thumb to follow. Rather, careful consideration needs to be given to the specific content and context of this material.


6. Securely disclose the personal data

If a subject access request has been made electronically, the default expectation is that an organisation will provide the response electronically. However, it is good practice to check with the individual first. Especially where sensitive or special category data is being disclosed, ensure that it is disclosed by the most secure means possible.


7. Keep a record of review and decisions made

You should keep an audit trail of the request, including the sources of information which were collated, the review undertaken, key decisions made concerning whether information amounted to personal data and whether exemptions applied, the response provided and disclosure made, as well as all communications with the individual and other third parties. This will be essential if the individual seeks an internal review of the response or complains to the ICO.


Further information

A review of the ICO’s annual reports shows a steadily increasing number of complaints received in relation to subject access: 6,550 in 2014/2015, 6,883 in 2015/2016, 7,709 in 2016/2017 and 8,197 in 2017/2018.

Please see our related blog ‘Subject Access Requests under the GDPR: What employers need to know’. Should you have any queries relating to your organisation’s compliance with a subject access request, please contact Emily Carter or a member of our data protection team.

This blog should be used for information purposes only. The information provided in this blog is based on current legislation and recent developments and should not be relied on as an exhaustive explanation of the law or the issues involved without seeking legal advice.
