How to Respond to a Subject Access Request (DSAR) in the UK — 2026 Guide
Receiving a Subject Access Request (SAR) — also known as a DSAR — is one of the most time-sensitive compliance tasks any UK organisation faces. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have one calendar month to respond. Get it wrong and you risk an ICO complaint, a fine, or both.
This guide walks you through every step of the process: what counts as a valid SAR, how to handle the clock, what you must disclose, when you can redact or withhold, and how to format your response.
Quick summary
- Respond within 1 calendar month of receiving the request
- Provide all personal data you hold about the individual
- Redact third-party personal data before disclosure
- You can extend by 2 months for complex requests — but must notify within the first month
- No fee can be charged for a standard SAR
What is a Subject Access Request?
A Subject Access Request (SAR) — formally called a Data Subject Access Request or DSAR — is a request by an individual (the "data subject") to receive a copy of the personal data an organisation holds about them.
The right is enshrined in Article 15 of the UK GDPR and applies to any organisation that processes personal data about UK residents. This includes companies, charities, NHS trusts, law firms, schools, landlords, and sole traders.
A valid SAR does not need to use any specific wording. An email saying "Can I see what information you have on me?" is a valid SAR and triggers your legal obligations.
The one-month deadline — and how to count it
You must respond to a SAR within one calendar month of the date you receive it. The clock starts the day you receive the request — not the day you verify identity, not the day you acknowledge receipt.
When the deadline falls on a weekend or bank holiday
If the deadline falls on a weekend or UK public holiday, it moves to the next working day. Use the ICO's SAR deadline calculator at ico.org.uk for exact dates.
Can you extend the deadline?
Yes — but only in specific circumstances. You may extend by a further two calendar months where the request is complex or you have received numerous requests from the same individual. If you extend, you must inform the individual within the first calendar month, explaining why.
Common mistake: Many organisations start the clock from when they verify the requester's identity. This is incorrect. The clock starts on receipt of the request. Identity verification should happen quickly and not be used to delay the response.
Verifying identity
You can ask for reasonable evidence of identity before responding, particularly if there is doubt about who is making the request. However:
- You cannot ask for more than is reasonably necessary
- If you already know who the person is (e.g. a current customer or employee), asking for proof of identity may be disproportionate
- Requesting identity verification does not pause the one-month clock
Conducting the data search
You must search all systems where personal data about the individual may be held:
- CRM systems and databases
- Email inboxes and sent folders
- Shared drives and document management systems
- HR and payroll systems
- Paper files
- Backup systems and archives
- CCTV footage (where the individual is identifiable)
- Third-party processors holding data on your behalf
Your response must be comprehensive. If you later discover data you missed, you must provide it — and you may be in breach of the UK GDPR for the initial response.
What to redact before disclosing
This is where many organisations get into trouble. When disclosing documents in response to a SAR, you will often encounter personal data belonging to other individuals — third parties. You are required to protect their privacy.
Under Section 40 of the Data Protection Act 2018, you must redact or withhold information that would identify a third party, unless:
- The third party has consented to disclosure, or
- It is reasonable to disclose without their consent
In practice, this means redacting names, contact details, and any other information that would identify individuals other than the requester.
Important: Redaction must be permanent. Highlighting text in yellow, using a white rectangle over text, or adding black boxes in image editors is not sufficient — the underlying data may still be present in the file. Use proper redaction software that removes the data from the document entirely.
Exemptions — when you can refuse
There are circumstances under Schedule 2 of the DPA 2018 and the UK GDPR where you may withhold some or all of the requested information:
- Legal professional privilege — communications between a lawyer and client prepared for litigation
- Negotiations — data held in connection with an intention to negotiate with the data subject
- Management forecasts — where disclosure would prejudice the conduct of the business
- Crime prevention and detection — if disclosure would prejudice the prevention or detection of crime
- Confidential references — references given in confidence for employment, education, or training
Exemptions must be applied carefully and documented. You cannot simply refuse a SAR because it is inconvenient. If you rely on an exemption, state which one and why in your response.
Structuring your response
A compliant SAR response should include:
- Confirmation that you hold (or do not hold) personal data about the individual
- A copy of all personal data held (with third-party data redacted)
- The purposes for which you process the data
- The categories of data involved
- Who the data is shared with (recipients or categories of recipients)
- How long you intend to retain the data
- Information about the individual's other data subject rights (rectification, erasure, restriction)
- The right to lodge a complaint with the ICO
Format and delivery
The response should be provided in the same format as the request where possible. If the request was made by email, respond by email. Electronic responses are generally preferred as they are easier to audit.
Where you are providing documents, ensure they are properly redacted and exported as PDF files with metadata stripped. Do not send editable DOCX files where redactions could be reversed.
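The script below is an added example, not the page's own tooling and not DesktopRedact's code: it builds a constructed PDF-like sample whose text has a black box painted over it, then shows that the "hidden" name is still recoverable from the content stream and that Author/Title metadata is still embedded, which is exactly the failure described under redaction above and the reason exported PDFs need their metadata stripped. All names, terms and the sample document are constructed placeholders; the check is a pre-send spot check that reads uncompressed and FlateDecode content streams, not a replacement for proper redaction software.

```python
import re
import zlib
# Constructed sample: the terms the organisation intends to redact from a DSAR bundle.
REDACTED_TERMS = ["Alice Smith", "alice@example.invalid"]

# Constructed page content: OVERLAY paints a black box over the text, which stays in the stream.
OVERLAY = b"BT /F1 12 Tf 10 50 Td (Complaint raised by Alice Smith) Tj ET\n0 g 110 45 90 14 re f"
PROPER = b"BT /F1 12 Tf 10 50 Td (Complaint raised by [REDACTED]) Tj ET\n0 g 110 45 90 14 re f"

def build_sample_pdf(content: bytes, info: bytes, compress: bool = False) -> bytes:
    """Constructed PDF-like sample (objects only, no xref table): enough for the checks below."""
    filt = b"/Filter /FlateDecode " if compress else b""
    content = zlib.compress(content) if compress else content
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Page /MediaBox [0 0 300 100] /Contents 3 0 R >>",
        b"<< /Length %d %s>>\nstream\n%s\nendstream" % (len(content), filt, content),
        info,  # document information dictionary (/Author, /Title, ...)
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"

def extract_text(pdf: bytes) -> str:
    """Return the string operands of Tj/TJ: what a text search or copy-paste would recover."""
    parts = []
    for m in re.finditer(rb"<<([^<>]*)>>\s*stream\r?\n", pdf):
        n = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", m.group(1))  # direct /Length only
        body = pdf[m.end():m.end() + int(n.group(1))] if n else pdf[m.end():].split(b"endstream")[0]
        if b"/FlateDecode" in m.group(1):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # damaged or unsupported stream: skip rather than crash
        parts += re.findall(rb"\(((?:\\.|[^\\)])*)\)\s*Tj", body)
        for arr in re.findall(rb"\[(.*?)\]\s*TJ", body, re.S):
            parts.append(b"".join(re.findall(rb"\(((?:\\.|[^\\)])*)\)", arr)))  # kerned pieces
    return " ".join(p.decode("latin-1") for p in parts)

def metadata_fields(pdf: bytes) -> dict:
    """Document-information entries still embedded in the file; a clean export has none."""
    found = re.findall(rb"/(Author|Title|Subject|Keywords|Creator)\s*\(([^)]*)\)", pdf)
    return {k.decode(): v.decode("latin-1") for k, v in found}

def check_redaction(pdf: bytes, terms) -> dict:
    """Pre-disclosure check: redacted terms still recoverable, and metadata left behind."""
    text = extract_text(pdf)
    leaked = [t for t in terms if t in text]
    meta = metadata_fields(pdf)
    return {"leaked_terms": leaked, "metadata": meta, "safe": not leaked and not meta}
```

Run `check_redaction(open("bundle.pdf", "rb").read(), REDACTED_TERMS)` against a real export; anything in `leaked_terms` or `metadata` means the file is not ready to send.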
Can you charge a fee?
No — for most standard SARs you cannot charge a fee. The exception is where a request is manifestly unfounded or excessive (particularly where it is repetitive). In that case you may either charge a reasonable fee or refuse to respond — but you must be able to demonstrate why the request meets that threshold.
ICO complaints and enforcement
If you fail to respond within the deadline, or the individual is unhappy with your response, they can complain to the Information Commissioner's Office (ICO). The ICO can:
- Issue a formal reprimand
- Issue an enforcement notice requiring you to comply
- Impose a fine of up to £17.5 million or 4% of global annual turnover (whichever is higher) for serious breaches
In practice, ICO enforcement for individual SAR failures at SMB level tends to focus on organisations that repeatedly fail to respond or that show a pattern of non-compliance. A single, well-documented response — even if slightly late — is unlikely to result in a fine. But failing entirely, or sending unredacted third-party data, is a more serious matter.
Pre-disclosure checklist
Before sending your SAR response, run through this checklist: