Skip to content
360 Cyber Compliance

procedure

Subject Access Request (SAR) Procedure

A step-by-step subject access request procedure for UK organisations, covering identity checks, the one-month deadline, exemptions and how to respond correctly.

Related service: Data Protection & UK GDPR

This procedure sets out how [Organisation name] handles a subject access request (SAR) — a request from an individual for a copy of their personal data under the UK GDPR. Following it consistently helps you respond accurately and on time. The core rule: you must respond within one month of receiving the request, and in most cases you cannot charge a fee. Replace every [bracketed] field with your own detail.

1. Recognising a request

A SAR can be made verbally or in writing, to anyone in the organisation, and does not have to use the word “SAR” or mention data protection law. All staff should know to forward any suspected request to [name / role of person responsible].

  • Where to send requests: [email / postal address / phone]
  • Person responsible for SARs: [name / role]

2. Log the request

Record the request as soon as it arrives:

  • Date received (the clock starts on this date)
  • Who made the request and how
  • What information they are asking for
  • The one-month response deadline: [date received + one calendar month]

3. Confirm identity

If you have reasonable doubts about who is making the request, ask for enough information to confirm their identity. The one-month clock pauses until you receive what you reasonably need. Do not ask for more than is necessary.

  • Identity confirmed on: [date]
  • If a third party is requesting on someone’s behalf: confirm they have authority (e.g. written authorisation, power of attorney)

4. Clarify if needed

If you process a large amount of information about the person, you may ask them to specify what they want. Only do this where it is genuinely necessary; you cannot use it to delay a straightforward request.

5. Find the information

Search all relevant systems and records — email, care records, HR files, CCTV, paper files and any processors acting on your behalf. Record where you searched so you can show the response was thorough.

6. Review and apply exemptions

Before releasing anything, review the information and consider:

  • Third-party data: where releasing the data would reveal information about another person, decide whether it is reasonable to disclose without their consent, or redact it
  • Exemptions: consider whether any exemption applies (for example certain management information, legal privilege, or where disclosure would be likely to prejudice specific purposes)
  • Record every redaction and exemption decision, with the reason

7. Prepare and send the response

  • Provide the information in an accessible format; if the request was made electronically, respond electronically where possible

  • Include a copy of the personal data, plus supplementary information (purposes, categories, recipients, retention, and their rights)

  • Send securely to the confirmed individual

  • Response sent on: [date]

  • Method: [secure email / post / secure portal]

8. Deadlines, extensions and fees

  • Standard deadline: one month from receipt (or from confirming identity/clarification)
  • Extension: you may extend by up to two further months for complex or numerous requests — you must tell the individual within the first month and explain why
  • Fees: free of charge, unless the request is manifestly unfounded or excessive, in which case you may charge a reasonable fee or refuse (document your reasoning)

9. If you refuse

If you refuse all or part of a request, tell the individual within one month, explain why, and inform them of their right to complain to the ICO and to seek a judicial remedy.

10. Close and review

  • Record the outcome and file the response
  • Note any lessons for future requests

Want this procedure tailored to your systems and team, with staff briefed on how to spot a request? We can help as part of a fixed-fee engagement — see our data protection and GDPR service. For related background, see our information governance guides.

Want this as a ready-to-use document?

We can tailor this to your organisation and complete it with you as part of a transparent, fixed-fee engagement.

Talk to us about this