
Whether you are a small, medium, or large organisation, receiving a subject access request (SAR) or data subject access request (DSAR) and handling it in the correct manner can be extremely time-consuming for your staff.  

What is a SAR or DSAR?

The Data Protection Act 2018 states that data subjects have the right to ask organisations if they are holding and/or processing personal data concerning them and, if so, to request details on and access to that information. 

What is included in a Data Subject Access Request response?

When responding to a SAR/DSAR, it is not enough just to send copies of the information held on the requesting person.  Rather, the law states that more information should be provided within the response, including:

  • what you are doing with the data and why
  • the legal basis for storing the personal data
  • the types of personal data used
  • who the personal data has been passed to (including recipients or categories of recipients in third countries or international organisations)
  • how long it is expected that the personal data will be stored or, where that is not possible, the criteria used to determine that period
  • the existence of the data subject’s rights to request from the controller

How to run a Data Subject Access Request?

You will typically have one month to respond to a request; however, it is possible to extend this period to two months if the information required is particularly complex. There are several steps in processing a DSAR:

  1. check the identity of the requestor and ensure they have legal permission to make the request.
  2. clarify the request if it is not clear - this will provide some reassurance to the requestor that you are handling the case.
  3. identify all forms of personal data held on the data subject by the organisation.
  4. check if any of the information held is subject to exemption (e.g. data relating to safeguarding or national defence).
  5. ensure that any data is securely disclosed (especially where it is sent by electronic means).
  6. keep and retain records of the decision made and the information provided.

Get legal assistance from LawBite

If you're unsure if you should respond to a SAR and, if so, how to complete the process to the letter of the law, speak to one of the data privacy Solicitors at LawBite, who will quickly assist you and help you make sure you are GDPR compliant. Book a free 15-minute consultation or call us on 020 3808 8314.

You can also view our GDPR packages page to learn more about LawBite’s products, specially designed to help businesses of all sizes address their obligations under the GDPR specifically, using expert UK data protection lawyers at a fraction of the usual cost.

In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.
