Running a Compliant Business
How to Handle a Subject Access Request
A step-by-step process for answering a request from someone who wants the personal data you hold about them.
What you will learn
- What a subject access request is
- The steps to handle one properly
- How to verify identity and meet the deadline
- When an exception may apply
Overview
A subject access request, sometimes called a SAR or DSAR, is when someone asks to see the personal data your business holds about them. It is one of the most common rights people exercise, and a calm, repeatable process turns it into routine admin. This module walks through that process.
Why this matters
The right of access is set out in of the Act. Mishandling a request, or ignoring it, is one of the most common ways businesses end up in front of the Commissioner. A clear process protects you and respects the person asking.
What counts as a request
A request does not need special wording or a form. If a customer or employee asks, in writing, for the information you hold about them, treat it as an access request, even if they do not use the term.
The step-by-step process
- Log it. Record the date you received it. The clock starts once you have the request and any details or fee needed.
- Verify identity. Confirm the requester is who they say they are, so you do not disclose data to the wrong person.
- Clarify if needed. If you genuinely need more detail to find the data, ask, but do not use this to stall.
- Search your systems. Gather the personal data across email, files, databases, and paper records.
- Review for exceptions. Check whether any data must be withheld, for example data about other people.
- Respond on time. Provide the data in an intelligible form, with an explanation of anything withheld.
When an exception may apply
Some information may be exempt from disclosure, or may need careful handling where it also concerns another person. When an exception applies, you still respond, but you explain what you have withheld and why.
Common mistakes
- Insisting on a special form and rejecting plain requests.
- Releasing data without verifying identity.
- Treating the deadline as flexible.
- Forgetting paper records and staff inboxes when searching.
Best practices
- Give people a simple way to make a request, and log every one.
- Keep an internal checklist for finding and reviewing data.
- Track the deadline from day one and assign an owner.
Put this into practice
Record the request, track the deadline, and assemble your response in one place.
Log a request in the DSAR toolFrequently asked questions
Key takeaways
- A subject access request is a person asking for the data you hold about them.
- Verify identity, find the data, and respond within the Act's timeframe.
- A request does not need to use any special words or form.
- Some data may be exempt, but you must still respond and explain.
