• Gdpr
  • September 15, 2021

How to Run a Data Subject Access Request (SAR)

Whether you are a small, medium, or large organisation, receiving a subject access request (SAR) or data subject access request (DSAR) and handling it in the correct manner can be extremely time-consuming for your staff.  

What is a SAR or DSAR?

The Data Protection Act 2018 states that data subjects have the right to ask organisations if they are holding and/or processing personal data concerning them and, if so, to request details on and access to that information. 

What is included in a Data Subject Access Request response?

When responding to a SAR/DSAR, it is not enough just to send copies of the information held on the requesting person.  Rather, the law states that more information should be provided within the response, including:

  • what you are doing with the data and why
  • the legal basis for storing the personal data
  • the types of personal data used
  • who the personal data has been passed to (including recipients or categories of recipients in third countries or international organisations)
  • how long it is expected that the personal data will be stored or, where that is not possible, the criteria used to determine that period
  • the existence of the data subject’s rights to request from the controller

How to run a Data Subject Access Request?

You will typically have one month to respond to a request, however, it is possible to extend this period to two months if the information required is particularly complex. There are several steps in processing a DSAR request:

  1. check the identity of the requestor and ensure they have legal permission to make the request.
  2. clarify the request if it is not clear - this will provide some reassurance to the requestor that you are handling the case.
  3. identify all forms of personal data held on the data subject by the organisation.
  4. check if any of the information held is subject to exemption (e.g. data relating to safeguarding or national defence).
  5. ensure that any data is securely disclosed (especially where it is sent by electronic means).
  6. keep and retain records of the decision made and the information provided.

You can get legal assistance from LawBite

If you are unsure if you should respond to a SAR and, if so, how to complete the process to the letter of the law, speak to one of the data privacy Solicitors at LawBite, who will quickly assist you and help you make sure you are GDPR compliant. Book your free 15-minute consultation here.

Visit our GDPR packages page to learn more about LawBite’s products, specially designed to help businesses of all sizes address their obligations under the GDPR specifically, using expert UK data protection lawyers at a fraction of the usual cost.

Additional useful information

How to Gain Consent Under the GDPR

In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.

Related Articles

Read more of our latest blog posts, featuring all the latest legal news, analysis and opinion from our expert lawyers.

blog image
  • By LawBite Team
  • February 15, 2022
Data protection and privacy – Employer’s responsibilities

Data protection and privacy laws touch on almost every aspect of HR.  Employers must strike a fine balance in complying with the UK GDPR, Data Prot...

blog image
  • By LawBite Team
  • February 07, 2022
Earning user trust by prioritising data protection compliance

Protecting people's privacy is not only the right thing to do, but it is key in earning trust. In 2022, armed with the knowledge gained from the Ca...

blog image
  • By LawBite Team
  • January 28, 2022
Who Needs a Data Representative in the EU for GDPR Compliance?

Obtaining a GDPR Data Representative in the EU for GDPR compliance is an important consideration that you, as a business owner, must think about.  ...


LawBite can help you

LawBite is on a mission to provide business legal advice that is easier to access, clearer to understand and much cheaper. Our on-line legal advice platform can quickly connect you with expert business legal advice. Our friendly, highly qualified business lawyers, solicitors and mediators will give you the guidance and reassurance that comes from customised legal advice for small and medium sized business.

Whether you are bringing or defending a legal claim, outsourcing work, want a business contract review to ward off disagreements, talk to an expert trademark lawyer, resolve a contractual dispute with methods like mediation and arbitration, or getting your new company set up and on the right footing with a robust shareholder agreement and GDPR standards, we can help you succeed.

defend a claim

Talk to a Lawyer

Book a Call
defend a claim

Essentials Plan

Join for Free