Best practice for dealing with Subject Access Requests

By Amanda Heath, below, and Amanda Mallender, right, lawyers at The Legal Director

Under the UK GDPR and Data Protection Act 2018, anybody has the right to make a Subject Access Request (SAR). And, as recession looms and more people are likely to be made redundant, it’s expected that more SARs will be submitted by soon-to-be or already ex-employees, to support potential claims of unfair dismissal.

Digging out ALL the personal data you hold on someone can be a painful, time-consuming process. But this is not something you can ignore. The Information Commissioner’s Office (ICO), the UK’s data protection supervisory authority, can and does issue enforcement notices to businesses that fail to respond appropriately. And it is also worth pointing out that intentionally altering or deleting personal data with a view to preventing disclosure is a criminal offence.

So, if you receive a SAR, you must respond. But don’t despair, there are things you can do to minimise the challenges of these requests.

Manage your data and control your communication channels

Good data protection management involves knowing what data you hold, about who and where it is located. Getting to grips with this information is key to smoothing the SAR process.

A SAR requires you to search all places where you might hold personal data about the requester. This may include channels such as WhatsApp messages or texts, where less formal communication is more common. A casual comment to a colleague may, at best, be highly embarrassing to disclose. In the worst case, it may expose your business to the risk of legal proceedings. Make sure your employees are trained on data protection issues and be clear about how the communication channels in your business are used.

Don’t hang on to data longer than you need to.

Data protection legislation states that you should only retain data for so long as is “necessary” to meet the purpose for which you collected it. So, you should be routinely deleting information you no longer need. Many apps, such as Slack and DocuSign allow you to automatically delete data after a set period and this is a useful way of minimising the amount of data you keep.

Learn to spot a SAR

Too often, businesses miss these requests because they have been delivered in an unexpected or unfamiliar way. The request does not need to use the term Subject Access Request, or the acronym SAR and it does not have to be formally delivered. If anybody asks for a copy of the information that you hold on them, be it verbally or in writing, this constitutes a SAR. It is important to be alert for these requests and to train your staff to look out for them.

Respond quickly

As soon as you receive the request, the clock starts ticking, even if it’s the Friday afternoon of a Bank Holiday weekend. As you only have 30 days to respond, it’s important that you act immediately.


Whatever your set-up, it is important that everybody within the business is aware where they should send SARs to ensure they are handled speedily and effectively. So, spend some time considering what types of requests you may receive and who is best placed to respond to them.

Don’t be afraid to ask for clarification

If fulfilling the SAR is going to generate an overwhelming amount of information, it may be worth trying to clarify or narrow the request. Consider asking the requester whether the information they wish to receive might be limited to exchanges between named individuals, a specified timeframe or certain key words. The individual making the request does not have to agree to this, but they often will.

And don’t forget that searches in response to a SAR may not always yield results. If you aren’t finding the information you’ve been asked for, it may be that you’ve already deleted it and no longer hold any information on this person. A timely question about the type of request may save you a lot of time and effort.

Keep your policies and processes up to date

To respond effectively to SARs, you need to understand the data you’re holding and how you’re looking after and handling it. So, update your policies and procedures relating to data management and issues such as SARs and data deletion.

Most companies will need to respond to SARs at some stage. And with templates readily available and companies who will send out these requests on behalf of individuals, it is easier than ever to ask for personal data. Following the steps above will put you in a stronger position to respond.