Running a Compliant Business

How to Handle a Subject Access Request

A step-by-step process for answering a request from someone who wants the personal data you hold about them.

Intermediate 13 min
This module is general information, not legal advice, and is being reviewed by our legal team. For your specific situation, consult the official Data Protection Act, 2020 or seek professional advice.

What you will learn

  • What a subject access request is
  • The steps to handle one properly
  • How to verify identity and meet the deadline
  • When an exception may apply

Overview

A subject access request, sometimes called a SAR or DSAR, is when someone asks to see the personal data your business holds about them. It is one of the most common rights people exercise, and a calm, repeatable process turns it into routine admin. This module walks through that process.

Why this matters

The right of access is set out in of the Act. Mishandling a request, or ignoring it, is one of the most common ways businesses end up in front of the Commissioner. A clear process protects you and respects the person asking.

What counts as a request

A request does not need special wording or a form. If a customer or employee asks, in writing, for the information you hold about them, treat it as an access request, even if they do not use the term.

Note. An email saying "please send me everything you have about me" is a valid access request. Do not dismiss it because it did not use a form.

The step-by-step process

  1. Log it. Record the date you received it. The clock starts once you have the request and any details or fee needed.
  2. Verify identity. Confirm the requester is who they say they are, so you do not disclose data to the wrong person.
  3. Clarify if needed. If you genuinely need more detail to find the data, ask, but do not use this to stall.
  4. Search your systems. Gather the personal data across email, files, databases, and paper records.
  5. Review for exceptions. Check whether any data must be withheld, for example data about other people.
  6. Respond on time. Provide the data in an intelligible form, with an explanation of anything withheld.
Watch out. Do not let a request sit in someone's inbox. Missing the deadline is the most common and most avoidable failure.

When an exception may apply

Some information may be exempt from disclosure, or may need careful handling where it also concerns another person. When an exception applies, you still respond, but you explain what you have withheld and why.

Legal note. The specific exceptions and the exact response timeframe are set out in the Act. Confirm them rather than guessing, especially for sensitive or third-party data.

Common mistakes

  • Insisting on a special form and rejecting plain requests.
  • Releasing data without verifying identity.
  • Treating the deadline as flexible.
  • Forgetting paper records and staff inboxes when searching.

Best practices

  • Give people a simple way to make a request, and log every one.
  • Keep an internal checklist for finding and reviewing data.
  • Track the deadline from day one and assign an owner.

Put this into practice

Record the request, track the deadline, and assemble your response in one place.

Log a request in the DSAR tool

Frequently asked questions

The right of access is exercised by a written request. Make it easy, and do not reject a genuine request over formatting.

Key takeaways

  • A subject access request is a person asking for the data you hold about them.
  • Verify identity, find the data, and respond within the Act's timeframe.
  • A request does not need to use any special words or form.
  • Some data may be exempt, but you must still respond and explain.

Related

Ask the Privacy Assistant

Beta