The Dos and Don'ts of Responding to Subject Access Requests

    With the right data practices in place and principles to follow, responding to requests can be straightforward. We’ve put together some steps for you, below!
    People in warehouse moving boxes of personal information - likes, location, social media data

    Responding to requests can be lengthy, and there’s a lot of pressure to get it right. We get that, and we’ll always do our best to make personal data easier for people, including businesses who want to be better.

    With the right data practices in place and principles to follow, responding to requests can be straightforward. We’ve put together some steps for you, below!

    What is a Subject Access Request?

    A subject access request is a written request that any individual can make to find out what personal data is held about them, and how it’s being used.

    They’re commonly referred to as ‘SARs’.

    SARs are mostly sent by current and former customers, clients and employees. However, they can also be sent by anyone who has been in contact with a company, and even by individuals who are unsure if a company holds data on them, under the rules of GDPR.

    ⚠️ GDPR is legislation that sets new standards for data protection. It gives individuals greater control over their personal data, and places limits on what organisations can do with this data.

    Send a request for free

    How difficult is it to respond to a Subject Access Request (SAR)?

    Responding to a SAR can often be time-consuming, requiring significant resources to respond. Particularly because by law, there's a strict 30 day time period to do so.

    Plus, any individual dissatisfied with the speed, content or handling of the response can easily make a complaint either to your business or to the Information Commissioner’s Office (ICO). Poor handling of data can of course, also result in fines.

    While responding to requests can be time-consuming, it doesn’t have to be. There are many things you can do to make it as straightforward as possible. Below are some helpful dos and don’ts for responding to SARs.

    The Dos

    1) Do check all of your records

    The most time consuming and labour intensive stage of your response is gathering all the data. If an individual makes a broad request for access to all their personal data that you may have stored, it can take a considerable amount of time to ensure you have identified and searched for all of the information held.

    Personal information can also be stored in a myriad of places including archived files, in paper form, email accounts and any area on the cloud, as well as any third parties or data processors. It’s important that you're aware of all the places your business stores information and that you ensure that the data is easily accessible and extractable by the relevant person responsible for responding to SARs.

    2) Do ensure the individual is who they say they are

    This is especially important if you’re receiving requests from an email address, phone number, or postal address that you don’t have on file. If in doubt, ask the individual for further identification information, such as a copy of their ID, outlining your reasons.

    But, it’s worth bearing in mind that some individuals might not be comfortable providing even more personal data for the purposes of receiving the data you hold, especially if you wouldn’t usually hold their ID on file. Therefore, it’s important that you log the receipt of the ID and then destroy it immediately, informing the individual that you will do this. It may be helpful to highlight that asking for this ensures that their data goes to the right person.

    3) Do inspect the data files

    Once you start collecting the data, an important step is to inspect all of the data to ensure that you're only sending information that’s relevant just to the individual. Some data might need to be redacted so you can protect any personal information regarding any other individuals. For example, for those individuals who have joint/family policies or accounts. Pay extra attention to mixed data email chains and meeting notes where it may be necessary to provide extracts of documents.

    4) Do have an appointed DPO and invest in their training

    Businesses should have a designated member of staff who is responsible for responding to data requests. This might be your DPO, or it could be another employee who’s familiar with the compliance requirements of GDPR.

    However, training requirements don’t just stop at the DPO level, it’s also important that there is a privacy-aware culture in your company. This is to avoid customer service staff ignoring or failing to escalate a request because they don’t recognise it, or its significance. This can lead to customer complaints to your legal team and/or the Information Commissioner's Office. Do invest in training for all relevant staff members, as well as an agreed upon process for handling both formal and informal enquiries that is communicated regularly to all externally-facing staff.

    It’s also worth having a designated DPO or privacy email address that’s clearly shown on your website, specifically for data-related requests, to ensure they reach the designated team and to instill customer confidence.

    5) Do make sure personal data can be sent electronically, in a readable format

    Make sure the information you provide is concise, transparent and intelligible. You might store data that makes sense to you and your company but it might not make sense on its own.

    Individuals might be confused by what they’re looking at or why it’s needed by your business. If you provide the data electronically, make sure it’s in a universal format such as a PDF.


    1) Don’t assume it’s a deletion request

    Subject Access Requests can be received in a variety of formats and you might have trouble understanding what the individual wants, particularly if they haven’t used a form or a SAR template. However, it’s against the law to delete any of the individuals personal data in the time between receiving a request and responding to it, unless this is part of your normal business operations. If you aren’t sure if it’s a SAR or not, get in touch with the individual for confirmation.

    2) Don’t ignore the request if it doesn’t fit exactly with your own procedures ✉️

    There’s no specific process for sending a SAR such that an individual can simply ask for their data in any way they wish. Requests can come in the form of letters, verbal requests, emails, webforms, and via platforms that aren’t familiar to you.

    Your business may have processes in place that make it easier for you to deal with requests. A common process is requiring an individual to fill out a webform that’s set out in the privacy policy on the company website. This might be easier for your processes, but it must be noted that even if the individual doesn’t use your webform, the request is still valid and must be responded to, within the legally required timeframe of 30 days.

    3) Don’t delay

    Businesses are given 30 days to respond to requests by law. Note that this is 30 days from the day the request reached your business and not from the day it was received by the relevant member of staff. Also, it’s 30 days and not 30 business days. It’s worth keeping records of the requests you receive and calculating 30 days from the date received to diarise the deadline. Remember, requests can arrive via any method so it’s important that employees know how to spot one and forward it to the relevant person as soon as possible.

    4) Don’t ignore the request if you can’t find any personal data

    It’s possible that from time to time you’ll receive a request from an individual that you can’t find in your records. It’s important that you still respond to the request to explain that you don’t hold any data on them and also inform them of their rights should they consider this outcome to be incorrect.

    5) Don’t share any personal information about the individual to any external sources

    This is perhaps an obvious statement, but this is something that is easily done in error. Ensuring that you double check the information, and with whom you are sharing it is always worth the extra effort.

    Additionally, you might receive requests from third parties. Don’t share any individual’s personal information until you have authorisation to act on their behalf.

    Some exceptions:

    From time to time, you might receive a SAR from a facilitator platform such as our own, Rightly. These are not third party platforms and authorisation is not needed, as you can see in our FAQs. The request is sent directly by the individual via the platform and the platform can't see any of the personal information contained in the request. However, if you are unsure, do contact the facilitator in question, they should be happy to help.

    If, for any reason, you need to contact the company of the platform, it’s important that you don’t disclose any of the individual’s personal information. Facilitator platforms like Rightly can assist you with your query based on the reference code that will be within the request itself.

    Final thoughts 💭

    The key is to think ahead. If you're prepared and have processes and people in place, then you’re already halfway there! By embedding the above advice into your business practices, easy but costly mistakes can be avoided.

    We’re always here to help.

    get advice from rightly today

    At Rightly we know that this process can be stressful and time-consuming, and hope that this blog has helped a bit! We also act as a facilitator between consumers and businesses to make the process easier, quicker and more secure for all involved.

    If you’re a company who wants to improve their data practices for free, get in touch with our team today, or sign up.

    As always, you can also always tweet us @rightlydata with any questions!

    Related Articles