How can we prepare for a subject access request (SAR)?
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
This guidance has been updated to reflect changes to the right of access brought about by the Data (Use and Access) Act. Some of these changes are not yet in force. However, we think it is useful for it to be published now so that you are ready for these changes. In particular, the changes set out that you only have to carry out a reasonable and proportionate search in response to a SAR, and that you can ‘stop the clock’ when asking for clarification on a request.
In more detail
- Why is it important to prepare for the right of access?
- What steps should we take?
- What about our information management systems?
Why is it important to prepare for the right of access?
It’s important to be prepared and take a proactive approach to SARs, as this helps you respond to them more effectively and quickly. It also helps you:
- comply with your legal obligations under the UK GDPR and DPA and show how you have done so;
- streamline your processes for dealing with SARs, saving you time and effort;
- increase levels of trust and confidence in your organisation by being open with people about the personal information you hold about them;
- enable people to check that the information you hold about them is accurate, and to tell you if it’s not;
- improve confidence in your information handling practices; and
- increase the transparency of what you do with personal information.
What steps should we take?
There are various ways that you can prepare for SARs. What is appropriate for your organisation depends on multiple factors, including the:
- types of personal information you hold and are using;
- number of SARs you receive; and
- size and resources of your organisation.
The following list is not exhaustive, but includes examples of ways that you can prepare:
- Awareness — You could make information available about how people can make a SAR (e.g. on your website, in leaflets or in your privacy notice).
- Training — You should provide general training to all staff to help them recognise a SAR. Provide more detailed training on handling SARs to relevant staff, dependent on their job role. If you are required to have a DPO, they are responsible for ensuring your organisation provides appropriate data protection training to staff.
- Guidance — You could create a dedicated data protection page for staff on your intranet with links to SAR policies and procedures.
- Request handling staff — You should appoint a specific person or central team that is responsible for responding to requests. Where possible, you should ensure that more than one member of staff knows how to deal with a SAR so you have a contingency if someone is absent.
- Asset registers — You should maintain information asset registers that show where and how you store personal information. This will help you locate the required information to respond to SARs.
- Checklists — You could produce a standard checklist that staff can use to ensure you take a consistent approach to SARs.
- Logs — You could maintain a log of SARs you have received and update it to monitor progress. It could include copies of information you supply in response to each SAR, as well as copies of any material you’ve withheld and the reasons why.
- Retention and deletion policies — You should have documented retention and deletion policies for the personal information you use. This helps to ensure that you don’t keep information for longer than you need to. This may reduce the amount of information you need to review when responding to a SAR.
- Security — You should have measures in place to securely send information. For example, you could use a trusted courier or have a system to check email addresses and review responses before sending.
What about our information management systems?
You should ensure that your information management systems allow you to easily find and extract personal information, and to redact third-party information where necessary.
If you are implementing a new information management system, you must design and build data protection compliance into your processing activities and business practices from the start. This means that you must take steps to ensure that your new system complies with data protection principles and minimises the risks to people’s rights and freedoms. You should also ensure that your system supports dealing with SARs.
You should also have effective records management policies, such as:
- a well-structured file plan;
- standard file-naming conventions for electronic documents; and
- a clear retention policy about when to keep and delete documents.
This will help you with your accountability and documentation obligations.
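The following is an added illustration, not part of the ICO guidance, of what "find and extract personal information, and redact third-party information" and "maintain a log of SARs" can look like in a small records system. The subject IDs, names, record texts, the field layout and the reason string are all constructed assumptions; a real system would hold the log in persistent, access-controlled storage rather than a Python dictionary.

```python
"""Added example (not ICO code): locate a requester's personal information
across records, redact other individuals' names, and produce a SAR log
entry recording what was disclosed and what was withheld and why."""
from dataclasses import dataclass
from datetime import date
import json

REDACTION = "[REDACTED: third-party personal data]"


@dataclass
class Record:
    record_id: str
    subject_id: str      # data subject the record is principally about
    text: str
    mentions: tuple = ()  # other identifiable individuals named in the text


# Constructed sample data: IDs, names and record contents are hypothetical.
SUBJECTS = {
    "S-1001": "Alex Morgan",
    "S-2002": "Sam Lee",
    "S-3003": "Chris Diaz",
    "S-4004": "Jo Patel",
}

RECORDS = [
    Record("HR-1", "S-1001",
           "Absence review for Alex Morgan, discussed with Jo Patel (line manager).",
           ("Jo Patel",)),
    Record("HR-2", "S-2002", "Salary review for Sam Lee."),
    Record("CS-7", "S-1001", "Complaint from Alex Morgan about account access."),
    Record("CS-9", "S-3003",
           "Meeting note: Alex Morgan raised a concern on behalf of Chris Diaz.",
           ("Alex Morgan",)),
]


def find_subject_records(records, requester_id):
    """Return every record that is about the requester or names them.
    A record filed under someone else can still contain the requester's
    personal information, so the search covers 'mentions' as well."""
    name = SUBJECTS[requester_id]
    return [r for r in records if r.subject_id == requester_id or name in r.mentions]


def redact_third_parties(record, requester_id):
    """Replace every named individual other than the requester.
    Returns the redacted text and the sorted list of names withheld."""
    requester = SUBJECTS[requester_id]
    third_parties = {SUBJECTS[record.subject_id], *record.mentions} - {requester}
    text = record.text
    for name in sorted(third_parties):
        text = text.replace(name, REDACTION)
    return text, sorted(third_parties)


def prepare_sar_response(request_id, requester_id, received, records=RECORDS):
    """Build the disclosure bundle and the matching SAR log entry.
    The log keeps the IDs of records disclosed and, per record, what was
    withheld and the reason, so the decision can be evidenced later."""
    disclosed, withheld = [], []
    for rec in find_subject_records(records, requester_id):
        text, removed = redact_third_parties(rec, requester_id)
        disclosed.append({"record_id": rec.record_id, "text": text})
        for name in removed:
            withheld.append({
                "record_id": rec.record_id,
                "withheld": name,
                "reason": "third-party personal data; no basis to disclose",  # assumed wording
            })
    log_entry = {
        "request_id": request_id,
        "requester_id": requester_id,
        "received": received.isoformat(),
        "records_disclosed": [d["record_id"] for d in disclosed],
        "withheld": withheld,
        "status": "response prepared",
    }
    return {"disclosed": disclosed, "log_entry": log_entry}


if __name__ == "__main__":
    result = prepare_sar_response("SAR-0001", "S-1001", date(2025, 7, 1))
    print(json.dumps(result, indent=2))
```

The search is deliberately wider than "records filed under the requester", because a record about one employee can carry another employee's personal information; the redaction step then removes everyone except the requester, and the log records each removal with its reason so that the withheld material can be justified if the decision is questioned.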
Further reading