Subject Access Requests (SAR) aren’t new – nor is the implementation of the GDPR, which upped the ante. But with data breaches on the rise, it’s crucial that companies understand their legal obligations around data privacy.

Under the General Data Protection Regulation, companies:

  • Have to respond more quickly
  • Have to provide supplementary information
  • Cannot charge for responding to the request.

In addition, people can request and receive the information electronically.

Good Compliance Officers and DPOs understand the complexity and time that can be involved. As no two requests are the same, each case presents different challenges, all of which need to be met within tighter timescales.

A good place to start is to ensure that your organisation, and staff, understand and recognise Subject Access Requests. For example, if somebody asks why you are holding their personal data, it doesn’t necessarily mean that they are requesting their data. Developing procedures to clearly identify the scope of a Subject Access Request is therefore highly beneficial.

What is a Subject Access Request?

Under GDPR, the ‘right of access’ gives individuals the right to request the personal data that a company holds on them. The aim is to help people understand why and how companies use their data, as well as who it is disclosed to. Much of this information may already be available in your Privacy Notice.

The ICO states that individuals have the right to obtain the following from you:

  • confirmation that you are processing their personal data;
  • a copy of the personal data you hold on them; and
  • other supplementary information, which corresponds to information in your Privacy Notice.

This means that the request must also fall within the definition of personal data.

A person may only receive their own personal data, and no other information relating to anyone else. You will need to develop procedures to ensure that all information relating to other data subjects is properly identified and deleted. This can be a time-consuming activity, which must be allowed for within the 30-day time frame. Imagine trying to go through hundreds (if not thousands) of emails containing data on multiple data subjects.

Identifying a SAR

The GDPR does not specify exactly how requests should be made. This means that a request could come:

  • Verbally or in writing
  • To any department (including via a social media fan page)
  • To any member of staff with a data-subject-facing role

Staff in receipt of a Subject Access Request should be trained to clarify that the individual is, in fact, making a request for their own personal data. They should be aware that the request itself might not include the phrase ‘subject access request’ or refer to Article 15. It is important that staff understand the importance of processing requests securely and efficiently to achieve a 30-day response.

Verifying identity

Prior to providing any personal information to a recipient, your organisation will need to have procedures in place to verify the individual’s identity. You will be handing over personal information, and so need to ensure that data subjects making requests are who they say they are.

It is important to establish criteria for identifying individuals that are appropriate and proportionate to the information being provided.

For example, if the data concerned is of a sensitive nature (such as special category or credit card data) you may want to see government identification such as a passport or driving licence. However, if the data is related to less sensitive information such as contact details, purchase history or demographic information then you may accept information such as mother’s maiden name, year of birth, etc.

The decision on what information to use should be backed by a risk assessment to ensure that it sufficiently protects the data, whilst not hindering the data subject’s right to access their data.

Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, even verifying in writing for clarity, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of verbal requests.

Rules affecting response times

Businesses should respond to a SAR ‘without undue delay and in any event within one month of receipt of the request.’ For a standard request, you need to reply within one month of the original receipt of request.

However, there are some exceptions:

  • You can extend the deadline by a further two months if the request is ‘complex’ or if you have ‘a number of requests’ from the individual.
  • You can refuse to deal with a request if it is ‘unfounded’, ‘excessive’ or ‘repetitive in nature’. Alternatively, you can request a ‘reasonable fee’ to action it.

Either way, you need to inform the individual within the one-month deadline, justifying your decision and clarifying any extension period. The requested information should be provided using a commonly used electronic format.


Historically, the mistreatment of Subject Access Requests has been the main data protection complaint from the public. In 2016, the biggest proportion of concerns raised (42%) related to individuals’ rights to access their personal data held by organisations. Post-GDPR, the number of Subject Access Requests increased – making it even more important for organisations to understand the rules around their processing.

Subject Access Requests are a complex area. Further issues arise when handling requests for large amounts of data, requests made on behalf of others and if data includes information on other people.

As the number of requests rises, ensuring a smooth Subject Access Request process will be vital. Having adequate processes in place will help your organisation to gather all the necessary information.

Don’t underestimate the importance of raising awareness within your organisation of what a Subject Access Request is. Assess the requirement to train key staff who will directly affect your ability to deliver accurate, comprehensive information on time.