Subject Access Requests

Right of Access - UK Data Protection/GDPR

A Subject Access Request (SAR) is an individual's request to find out what personal data a business or organisation is holding about them, why it is held and who it is disclosed to. Subject access is a fundamental right for individuals, and provides a great opportunity for organisations to build trust with their customers by improving the quality of data they hold, by being transparent and by responding quickly to requests.

Key Points

  • The request can be made verbally or in writing to any part of the organisation, and you cannot insist on a particular form
  • Individuals can make a request using social media channels, but you may respond via other means
  • Individuals need not provide a reason for the request
  • You must respond promptly, and without undue delay
  • You must ensure the identity of the requester
  • You cannot charge a fee in most cases
  • SARs can be made via a bulk request, but each must be handled individually
  • You would have to balance providing information with the rights of another individual who could be identified by providing the information to the requester

What is Personal Data?

Personal data is information that relates to a living individual and allows that individual to be identified from it (either on its own or with other information).

Individual’s Rights

The individual is entitled to a copy of their personal data as well as information regarding the following:

  • Whether any personal data is being processed
  • The reasons for the processing 
  • Whether the information is shared and to whom
  • The source of the personal data
  • Your retention period for storing the personal data 
  • The right to request correction, erasure or restriction
  • The right to object to processing
  • The right to lodge a complaint with the ICO or another supervisory authority
  • The existence of automated decision-making, including profiling
  • The safeguards you provide if you transfer personal data to a third country or international organisation

This is a brief overview, and legislation and guidance can change over time. For assistance handling your SARs in your business, please get in touch

Further information: ICO - Right of Access