Business How-to: Responding to a Subject Access Request (SAR)

For individuals, subject access requests (SARs) are incredibly easy to make. They can be made in any form, including electronically (social media requests count). They don’t have to include the words “subject access request” or reference the Data Protection Act or GDPR. They can be made to anyone in the organization from which the individual wants a copy of their data. And the response has to come within 30 days from the day the request is received.


For businesses, SARs can eat up a massive amount of time and resources. Employees have to be trained on what a SAR is and what it could look like. They need to know how to recognize one and who to send it to in the organization if one comes to them. Businesses need to be prepared to find, sort, filter, and deliver the data they collect within a matter of weeks when they receive an SAR. 


Having a process for responding to an SAR in place can make everything easier, if not less time-consuming. Ensuring that employees have basic training on GDPR compliance requirements, including what an SAR is and how your organization handles them, can help keep your customers happy and your business running smoothly.

How to Respond to a SAR

Once you have received and identified an SAR, there are six things you need to do to ensure that your response is GDPR compliant. 

Recognise the SAR.

The GDPR does not specify the ways in which someone can make a valid SAR. This means that any request by an individual for the data you collect about them should be treated as an official SAR that is covered by the GDPR. These requests can be made to any person in your organization and can be in any form. This means that everyone in your organization needs to know what an SAR is and why it is important to route them to the appropriate person ASAP. 


As soon as you identify a request for an individual’s data, it’s imperative that you stop all data deletion efforts with regard to that individual, even if they are routine. It is also now considered a criminal offense to destroy data that would fall under an SAR in order to frustrate the fulfillment of the request.

Confirm the identity of the requestor.

If you are unsure of the identity of the person requesting their information, you may request proof of their identity, within reason. Reasonable requests for proof of identity include things like copies of a picture ID or a recent utility bill. However, you may only request proof of identification from unknown individuals. If the request is coming from an employee, you may not require proof of identification from them before fulfilling their request. 


Individuals can enlist the support of a third party to make the request on their behalf. For example, someone may work with a solicitor to get a copy of their data. If a third party reaches out to make a request on behalf of an individual, you need to get proof that the individual in question has indeed authorized the third party to request their information, correspond with you, and receive their data.

Clarify the scope of the request.

Sometimes, an SAR will be made that is overly broad or vague. In those cases, it is strongly encouraged that you reach out to the individual who made the request in order to clarify the data they are seeking. They do not have to tell you why they want the data or what they want to do with it, but they may be able to narrow the parameters of their initial request. This outreach allows you to do multiple things. You are able to discover if they would also like their communications with your organization disclosed. It also demonstrates that you have received their request, are taking it seriously, and are working on it expeditiously.

Identify the data to be disclosed.

Once you’ve verified the identity of the requestor and, if necessary, verified they have permission to request the items covered by an SAR, it’s time to gather the data necessary to satisfy the request. Under the GDPR, the information that needs to be disclosed also includes information on how their data is being used. To properly respond to an SAR, you need to disclose:


  • Copies of all statements held under their account number
  • What you’re using their data for
  • Who you are sharing their data with
  • Where their data comes from
  • Information on their rights to challenge the accuracy of data, have it deleted, or object to its use


Much of the information required in the disclosure that pertains to the who, what, how, and why of your data collection should already be in the privacy policy that users agree to and can be copied over into the disclosure verbatim.


As for what counts as personal data, the definition in the GDPR is very broad. According to the GDPR, personal data is any data about an individual who can be identified from that data, either on its own or in combination with other information in an organization’s possession. Whether the person is referred to by name does not matter as long as they can be identified by something, including their initials or a personal ID number. This also includes any recorded opinion of the individual.

Identify any personal data exemptions.

There are important exemptions to the rules regarding what needs to be disclosed. While there are no easy “rules of thumb” to follow when deciding if these exemptions apply, there are some hard and fast examples of what kinds of data should not be disclosed:


  • Data should not be disclosed if it would prejudice defined public functions.
  • Data should not be disclosed if it is subject to legal communications.
  • Data should not be disclosed if it would adversely affect the rights of other people.


When reviewing the data to be disclosed, the best course of action is to give each piece of data careful consideration to see if it would be covered by one of the exemptions listed in the GDPR and Data Protection Act of 2018.

Disclose the data in a secure fashion.

When you receive an SAR electronically, most of the time an electronic response should suffice. However, it’s always a good idea to ask the recipient if there is another form of disclosure that they would prefer. When there is sensitive or secure data that is included in the disclosure, do your best to ensure that it is sent in a secure manner.

Keep a record of each SAR request and decision.

If the recipient is not satisfied with the disclosure, they may request a review of the disclosure process through the Information Commissioner’s Office (ICO). In cases such as this, it’s always good to have a record of all the decisions made in regard to the disclosure. This includes decisions made about personal data exemptions, where you collected the data from, communications with the recipient and any third parties, and other relevant decisions. 


Compliance with the GDPR is no small undertaking. It requires many man-hours and a thorough understanding of your responsibilities under the GDPR. iCaas can help. Our software can help you discover if your business is GDPR compliant in as little as 48 hours.

We manage every part of data protection compliance for you, from generating key documentation and policies to managing data breaches and SARs. Don’t let a SAR sneak up on you. Get ahead of the curve and contact iCaas today.
