Access to personal data, response handling, and organisational readiness.
A Subject Access Request gives people the right to ask what personal data an organisation holds about them and how it is used. It sits within the wider framework of UK GDPR rights and connects closely to transparency, accountability, and day to day data handling.
A Subject Access Request, usually shortened to SAR, is a request from an individual asking for access to the personal data an organisation holds about them. Under UK GDPR, people can ask whether their data is being processed, request a copy of that data, and receive supporting information about how it is used. SARs connect closely to personal data, transparency, accountability, and controller responsibilities.
UK GDPR rights, transparency duties, accountability, and internal records.
A person asks what data you hold about them or requests a copy of it.
The right of access under UK GDPR is about more than sending over a spreadsheet or forwarding a few documents. A SAR is about whether an organisation can identify the requester’s personal data, explain how it is used, and respond in a structured and legally sound way. In practice, this often overlaps with transparency and accountability.
The core of a SAR is the person’s right to know whether you process their personal data and, where you do, to receive a copy of it.
Organisations usually also need to explain why the data is used, who it is shared with, how long it is kept, and what rights the person has.
A SAR tests whether your organisation actually knows where data sits across inboxes, systems, files, and platforms, and whether it can retrieve it safely.
In most organisations, the practical issue is not whether SARs exist, but whether teams can recognise them quickly and handle them consistently.
A SAR does not need special wording or legal terminology. The right can be triggered whenever a person asks for the personal data you hold about them. That means organisations should not rely on someone using the phrase “subject access request” before taking it seriously.
SARs are often made by email or message because those are fast, informal routes. A casual message can still be a valid request if the person is asking for their personal data.
A request made verbally can still count. Teams need enough awareness and internal process to recognise this and escalate it properly.
Organisations can take reasonable steps to confirm identity where necessary, but this should not become a default excuse for delay.
The right is about the requester’s personal data, not necessarily every complete document or every internal discussion in unfiltered form.
In most cases, organisations must respond without undue delay and within one month. The response is usually not just a data dump. It should include the relevant personal data together with supporting information that helps the person understand how their data is used.
The standard timeframe is one month, although complexity and multiple requests can affect how the response is managed in practice.
A proper response often includes the personal data itself, the purpose of processing, categories, recipients, retention information, and relevant rights context.
A useful way to approach SARs is as an organisational workflow rather than a one-off legal event. If your systems, ownership, and record keeping are unclear, SAR handling becomes much harder. This is why the topic connects strongly to accountability and to current regulatory developments around complaints handling, including ICO complaint handling expectations and the ICO’s new complaints process requirement.
Most SARs must be handled free of charge and responded to properly. However, there are limited situations where an organisation may charge a reasonable fee or refuse to act, for example where a request is manifestly unfounded or manifestly excessive. These are narrow exceptions and should never be treated casually.
There are specific circumstances where limits may apply, but these require a reasoned and defensible approach, not a shortcut.
If an organisation wants to narrow scope, charge a fee, or refuse to act, it should be able to justify that position clearly and consistently.
A refusal or limitation should feel like a carefully documented compliance decision, not an annoyed reaction. If teams are relying on vague instinct rather than evidence and process, that is usually a sign the SAR workflow needs strengthening.
Most SAR failures do not come from deliberate misconduct. They usually happen because organisations underestimate the operational side of compliance, search too narrowly, delay internal escalation, or disclose information without proper review.
Teams sometimes fail to recognise a valid SAR because the person does not use legal language or because the request arrives through an informal channel.
Many organisations look only at one inbox or one system when the relevant personal data is actually spread across several platforms.
A SAR can lose days very quickly if nobody knows who owns it, who should coordinate it, or how the response process works.
Responses need care, especially where third party data appears. Rushed disclosure can create new compliance problems rather than solving the original request.
SAR handling is often one of the clearest practical tests of whether an organisation understands its own data environment. If systems, roles, and records are messy, a SAR tends to expose that quickly. For wider context on related regulatory change, see DUAA data protection changes and ICO guidance updates.
This article is based on ICO guidance on subject access requests and the right of access under UK GDPR, together with the core legal provisions that explain what organisations must provide, how request handling should work in practice, and when limits or refusals may apply. For related regulatory developments affecting complaints handling and organisational readiness, see our updates on ICO complaint handling expectations and the ICO’s new complaints process requirement.