An email arrives. A former employee — or a customer, or a job applicant — is asking for all the personal data your business holds on them.
This is a Subject Access Request (SAR), and under UK GDPR, you are legally required to respond. Free of charge. Within 30 days.
If you've never dealt with one before, that timeline can feel very short. This guide walks you through the full process — what a SAR is, what the law requires, and exactly how to handle it, step by step.
What is a Subject Access Request?
A Subject Access Request is a formal request made under Article 15 of UK GDPR. It gives any individual (called a "data subject") the right to obtain a copy of the personal data your organisation holds on them, along with supplementary information about how and why you're processing it.
Anyone whose data you process can submit a SAR: employees, former employees, customers, website visitors, job applicants, contractors. There is no required format — a SAR can arrive by email, letter, or even a verbal request. You cannot insist on a specific form.
What information must you provide?
Your SAR response must include:
- A copy of all personal data you hold on the individual — across every system, file, and record
- The purposes for which you're processing their data
- The categories of data you hold
- The recipients (or categories of recipients) to whom you have disclosed or will disclose their data
- The retention periods — how long you intend to keep their data
- Their rights — to rectification, erasure, restriction, or objection
- The right to lodge a complaint with the ICO
- Information about the source of the data, if it wasn't collected directly from the individual
- Any automated decision-making that applies to them, including profiling
This is more than just forwarding documents. It requires a considered, structured response.
The 30-day clock — and when it starts
The clock starts on the day you receive the request, not the day you acknowledge it or begin processing it.
You have one calendar month from that date to respond. In practice:
- If you receive a SAR on 5 June, your deadline is 5 July.
- If the deadline falls on a weekend or bank holiday, you have until the next working day.
You can extend by a further two months in cases of complexity or where you've received multiple requests simultaneously — but you must notify the individual within the original one-month window and explain the reason for the extension.
Missing the deadline without a valid extension is a compliance failure. The ICO can investigate and, in serious cases, issue enforcement action.
Step-by-step: how to handle a SAR
Acknowledge receipt and start the clock
As soon as the request arrives, log the date and acknowledge receipt in writing. This protects you if the deadline is later disputed. Note the deadline date clearly.
Action: Reply to the requestor confirming you've received their SAR and will respond within one month.
Verify the requestor's identity
You can ask for proof of identity — but only if you have reasonable doubt about who is submitting the request. You cannot make identity verification a blanket procedural step that delays every SAR.
Where you do ask, request only what's proportionate — confirming details you'd already expect them to know (account number, employee ID, registered address), rather than demanding passport copies as a matter of course.
Important: The time spent on identity verification counts toward your 30-day window.
Locate all personal data you hold
This is usually the most time-consuming step. You need to search every place personal data about this individual might be stored:
- HR systems and employee records
- Email (including sent items, and potentially your IT team's mailboxes)
- CRM and customer databases
- Accounting and invoicing systems
- File storage — shared drives, cloud storage, local files
- Scanned documents and PDFs
- Paper records (yes, physical files count)
- Backup systems, if reasonably accessible
Document your search process. If you determine that certain locations don't hold relevant data, note why.
Review the data and apply exemptions
Not everything you find needs to be included. UK GDPR and the DPA 2018 provide exemptions including:
- Third-party personal data: Redact another identifiable person's data before sharing, unless they've consented or it's reasonable to share without consent.
- Legal professional privilege: Legally privileged communications may be exempt.
- Crime prevention and detection: Data held for preventing or detecting crime may be withheld.
- Management forecasts and references: Certain confidential employment references and management planning information can be withheld.
The exemptions are specific and limited. You cannot use them to simply withhold inconvenient information.
Compile and deliver the response
Assemble the data into a coherent, accessible format. A structured PDF with a covering letter is widely accepted. Your covering letter should confirm the date the SAR was received, describe what you've included, state any exemptions applied, set out the individual's supplementary rights, and provide ICO contact details.
Deliver the response securely. There is no charge for a SAR response unless the request is "manifestly unfounded or excessive."
Record what you did
Create and retain an internal record of the date received, identity verification steps, systems searched, exemptions applied, and date the response was sent. This audit trail protects you if the individual escalates to the ICO.
SAR timeline at a glance
| Day | Action |
|---|---|
| Day 0 | SAR received. Acknowledge. Start the clock. Deadline = Day 30. |
| Days 1–5 | Verify identity (if required) |
| Days 1–14 | Search all systems for relevant personal data |
| Days 7–21 | Review data. Apply exemptions. Redact third-party data. |
| Days 21–28 | Compile response and covering letter |
| By Day 30 | Deliver response. Retain internal record. |
What happens if you get it wrong?
The ICO takes SAR compliance seriously. Common failings include failing to respond within the deadline, failing to provide all relevant data, charging unlawfully, applying exemptions inappropriately, and making the process deliberately difficult.
Outcomes range from informal guidance to formal enforcement notices. In serious or repeated cases, fines can be imposed.
How Quantra helps with Subject Access Requests
The Quantra Agent scans your documents for personal data automatically, so when a SAR arrives you're not starting from scratch. The Q-SAR workbench guides you through the entire process — identity verification, document retrieval, third-party redaction, response compilation, and audit trail — built for businesses without a dedicated compliance team.