A data subject access request (SAR) is a request made by an individual to any business or entity holding their personal data. It is one of the mandatory processes that falls under the right of access in the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18). This article will help you to understand what a subject access request is and how to respond to one.
The Right to Access
The right of access forms part of the UK GDPR and gives individuals the right to know what information is being held about them. It is also referred to as subject access and enables a person to obtain copies of their personal information.
It is one of the fundamental rights under UK data protection law and requires those processing personal data to have compliant policies and procedures in place for processing data subject access requests lawfully. In addition to knowing what information is held about them, an individual also has the right to access this information and exercise other rights.
Additional rights supplementing the right to access include the right to rectification of inaccurate data and the right to withdraw consent. The basis of the right to access is to ensure a standardised regulatory framework so that personal information is obtained, processed and disposed of securely, adequately and compliantly.
How to Make a Subject Access Request
You should aim to have both a subject access request policy and procedures. These should be two separate documents in your data protection policy framework. Firstly, the SAR policy documents information for the company and its employees. It states how you process access requests and what your internal guidelines and obligations are.
Secondly, the SAR procedures are for individuals to access in writing, via your website or through email links. This document provides guidance on how to make a subject access request and provides information about timeframes, fees and outcomes.
Individuals should be told that they can make an access request at any time. This can be in writing, verbally, online or by any other methods you offer. You must ensure easy access to the SAR procedures and make requesting access to personal information simple and straightforward.
If a request is received by electronic means, you should aim to provide the information in a commonly used electronic form (unless otherwise requested). Make the procedures, requests, medium, formats and responses as clear, legible and easy to read and access as possible.
A professional, compliant subject access request framework is an essential part of your GDPR compliance policy program. Alongside essential templates such as a privacy policy and GDPR data protection policy, the SAR suite is mandatory and essential.
What to Provide in a Subject Access Request
- The purpose(s) of the processing.
- The categories of personal data concerned.
- The recipients or categories of recipient to whom the personal data have been or will be disclosed.
- Whether the data has been or will be disclosed to third countries or international organisations, and the appropriate safeguards applying to the transfer.
- Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
- The existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing.
- The right to lodge a complaint with the Commissioner.
- Where personal data has not been collected by your company, any available information as to the source and provider.
- The existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
SAR Fees and Timeframes
The standard time period for dealing with any subject access request is usually one month. This runs from receipt of the request or from when any additional information has been received. It is often necessary to confirm the identity of the data subject after they submit a DSAR. This can delay the applicable ‘one-month’ time frame. For this reason, the ICO notes scenarios and instances when the time period can be put on hold or extended.
You should aim to complete all access requests before the end of the applicable time period and provide the information free of charge. Where the request is made by electronic means, you should provide the information in a commonly used electronic format if possible. However, if the data subject specifically requests an alternative format, you should try to comply with this request.
Requests from a data subject that are manifestly unfounded or excessive, including duplicate requests for documents, information or communication, may incur a charge to cover administrative costs. You should ensure that information about any such fees or charges is provided in writing along with your standard SAR response.
Subject Access Request (SAR) Statistics
How many SARs are received by a company each year is like asking how long a piece of string is! Obviously, the business size, scope and industry all affect access requests. There is then the consideration of splitting such requests into employees (past and present) and the general public. The larger a company’s customer base, the more SARs they are likely to receive each year.
Below are examples of annual SARs from different UK entities. Many businesses publish such data or release it after receiving a freedom of information request. This data includes public and employee requests, and links have been added to the published data.
The Crown Prosecution Service received 575 access requests in 2024, which was a slight increase on previous years.
The Metropolitan Police received 21,101 SARs in 2024, which was a slight increase on the previous year.
Doncaster and Bassetlaw Teaching Hospitals NHS Foundation Trust received 3,809 access requests in 2024.
Conclusion
Having a compliant subject access request policy and procedure is compulsory if you are processing personal information. In addition, the key factor is to make sure access to personal data is easy and obstacle free. Individuals should be able to easily request information from your company about their personal data. This includes details of what you hold and how it is processed. Use SAR response templates to ensure consistency and compliance in your communication.