How to Handle Subject Access Requests: Complete Guide for UK Organisations
A comprehensive guide to processing Subject Access Requests (SARs) under UK GDPR. Learn the legal requirements, timelines, and best practices for responding to data subject requests.
RedactBox Team
25 November 2024
8 min read
What is a Subject Access Request?
A Subject Access Request (SAR) is a request made under the right of access in Article 15 of the UK GDPR. It allows an individual (the data subject) to obtain confirmation that you are processing their personal data, a copy of that data, and supplementary information: the purposes of the processing, the categories of data and recipients, the retention period, the source of the data where it was not collected from them, their rights to rectification, erasure, restriction and objection, their right to complain to the ICO, and whether automated decision-making or profiling is used. A request does not have to be in writing, does not have to use the words "subject access request" or mention the UK GDPR, and can be sent to any part of your organisation, so staff need to be able to recognise one.
Legal Requirements for SARs
Under the UK GDPR, organisations must respond to a SAR without undue delay and in any event within one calendar month of receiving it. The deadline can be extended by up to two further months where the request is complex or where the individual has made a number of requests, but you must tell the requester about the extension, and the reasons for it, within the first month. If you reasonably need to ask for proof of identity or for clarification of a very broad request, the clock runs from the day you receive that information rather than the day the request arrived.
Key Requirements:
- Respond without undue delay and within one calendar month (extendable by up to two further months for complex or numerous requests, with the requester told within the first month)
- Where the request was made electronically, provide the data in a commonly used electronic format unless the requester asks for something else
- Do not charge a fee, unless the request is manifestly unfounded or excessive, in which case you may charge a reasonable fee or refuse, and must explain why
- Verify the identity of the requester where you have reasonable doubts, asking only for what is proportionate
- Withhold other people's personal data unless they have consented or it is reasonable to disclose it without their consent (Data Protection Act 2018, Schedule 2, paragraph 16); where it is not, redact it rather than withhold the whole document
The SAR Response Process
Processing a SAR effectively requires a systematic approach. Here's a step-by-step process:
Step 1: Acknowledge and Verify
When you receive a SAR, log it with the date of receipt, acknowledge it promptly, and verify the identity of the requester. Disclosing someone's personal data to the wrong person is itself a personal data breach, so identity checks matter, but they must be proportionate: if the request comes from an email address or account you already associate with the individual, you may need nothing further, and you should not demand copies of passports or utility bills as a routine hurdle. Where a third party (a solicitor, a relative) makes the request on the individual's behalf, check that they have authority to act.
Step 2: Locate All Personal Data
Search every system where the individual's personal data might be held: line-of-business databases, CRM and HR systems, email archives, shared drives and cloud storage, chat and ticketing tools, and physical records. Decide the search terms before you start (full name and known variants, email addresses, customer or employee reference numbers, phone numbers) and record which systems you searched with which terms and on what date. The search must be reasonable and proportionate, but you cannot refuse simply because it is burdensome. Email archives deserve particular attention because personal data about an individual is often buried in messages between other people that never mention them in the headers.
Step 3: Review and Redact
Before disclosure, review every document to identify information that must be redacted or withheld, and record the reason for each decision. Typical categories include:
- Personal data of other individuals (third-party data) where they have not consented and it is not reasonable to disclose it; information about staff acting in a work capacity can often be disclosed, but that is a judgement made case by case, not a rule
- Information covered by legal professional privilege
- Confidential references given for employment, training or education purposes
- Information whose disclosure would adversely affect the rights and freedoms of others (Article 15(4) UK GDPR)
Step 4: Prepare and Send Response
Compile the data into a clear format, typically PDF, and send it to the requester together with the supplementary information about how their data is processed. Send it securely: a password-protected or encrypted file with the password sent by a separate channel, or a secure file-transfer link, not an unprotected attachment to an unverified email address. Check that the destination matches the identity you verified in Step 1. If you redact in PDF, make sure the redaction actually removes the underlying text and any hidden layers or metadata; drawing a black box over text leaves it fully recoverable by anyone who selects or extracts the page contents.
Common Challenges with Email Archives
Email archives present particular challenges for SAR compliance. Large MBOX or PST files may contain thousands of messages spanning years, with the individual referred to by name in bodies, quoted replies and attachments rather than in any address field, so a search of the To and From headers alone will miss material. Manual review at that scale is impractical, and tooling that can parse the archive, search headers, bodies and attachments consistently, apply redactions and record what was searched is what makes a timely response achievable.
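To make the search-and-redact step concrete, here is an added example (not RedactBox code, and not the article's own) that uses Python's standard-library mailbox module to scan an MBOX archive for messages concerning a data subject, then masks third-party email addresses and a supplied list of third-party names in the matched messages and produces a record of the search. The archive, addresses and names below are constructed sample data; the identifier list, the data subject's own addresses and the third-party name list are assumed inputs a practitioner would supply from Step 2.

```python
"""Search an MBOX archive for a data subject and redact third parties.

Added illustration for this article, not RedactBox code. SAMPLE_MBOX is a
constructed three-message archive; every address and name in it is fictional.
"""
import mailbox
import os
import re
import tempfile

# Constructed sample archive (mbox format: each message starts with "From ").
SAMPLE_MBOX = """From alice@example.org Mon Jan  1 09:00:00 2024
From: alice@example.org
To: jane.doe@example.com
Cc: bob@example.org
Subject: Your account
Message-ID: <m1@example.org>

Hi Jane, Bob will handle your refund. Regards, Alice

From bob@example.org Tue Jan  2 10:00:00 2024
From: bob@example.org
To: alice@example.org
Subject: Lunch
Message-ID: <m2@example.org>

Lunch at noon?

From carol@example.org Wed Jan  3 11:00:00 2024
From: carol@example.org
To: alice@example.org
Subject: Re: Jane Doe complaint
Message-ID: <m3@example.org>

Jane Doe called again about the refund. Bob said he'd sort it.
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SEARCH_HEADERS = ("From", "To", "Cc", "Bcc", "Subject")


def load_mbox(text):
    """Parse mbox text with the standard library; returns a list of messages."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False,
                                     encoding="utf-8") as fh:
        fh.write(text)
        path = fh.name
    box = mailbox.mbox(path)
    try:
        return [box.get_message(key) for key in box.keys()]
    finally:
        box.close()
        os.unlink(path)


def body_text(msg):
    """Flatten the text/plain parts of a message (attachments are not searched here)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def mentions_subject(msg, identifiers):
    """Return the identifiers (name variants, addresses) found in headers or body."""
    hay = " ".join(str(msg.get(h, "")) for h in SEARCH_HEADERS) + "\n" + body_text(msg)
    hay = hay.lower()
    return [ident for ident in identifiers if ident.lower() in hay]


def redact(text, subject_addresses, third_party_names):
    """Mask every address that is not the data subject's, then the listed names."""
    keep = {a.lower() for a in subject_addresses}
    count = 0

    def mask_email(match):
        nonlocal count
        if match.group(0).lower() in keep:
            return match.group(0)          # the requester's own data stays
        count += 1
        return "[REDACTED]"

    text = EMAIL_RE.sub(mask_email, text)   # addresses first, so "bob@..." never
    for name in third_party_names:          # survives as a partial name match
        text, n = re.subn(r"\b" + re.escape(name) + r"\b", "[REDACTED]",
                          text, flags=re.IGNORECASE)
        count += n
    return text, count


def process_sar(mbox_text, identifiers, subject_addresses, third_party_names):
    """Return (redacted matches, search log) for the archive."""
    messages = load_mbox(mbox_text)
    results = []
    for msg in messages:
        hits = mentions_subject(msg, identifiers)
        if not hits:
            continue
        headers, total = {}, 0
        for h in SEARCH_HEADERS:
            if msg.get(h):
                headers[h], n = redact(str(msg[h]), subject_addresses, third_party_names)
                total += n
        body, n = redact(body_text(msg), subject_addresses, third_party_names)
        results.append({"message_id": msg.get("Message-ID"), "matched_on": hits,
                        "headers": headers, "body": body, "redactions": total + n})
    # The log is the "record of your search methodology" for the SAR file.
    log = {"identifiers": list(identifiers), "headers_searched": list(SEARCH_HEADERS),
           "scanned": len(messages), "matched": len(results)}
    return results, log


if __name__ == "__main__":
    found, log = process_sar(SAMPLE_MBOX, ["jane.doe@example.com", "Jane Doe"],
                             ["jane.doe@example.com"], ["Alice", "Bob", "Carol"])
    print(log)
    for item in found:
        print(item["message_id"], item["matched_on"], item["redactions"], "redactions")
        print(item["headers"], item["body"], sep="\n")
```

Two things the script deliberately does not do. It cannot decide whether a given third party's data may lawfully be disclosed (for example a member of staff named in a work capacity); it masks everything on the list and leaves that judgement, and the record of it, to the reviewer. And its name matching is only as good as the list it is given, so message 3 above is caught only because "Jane Doe" appears in the subject line; a reply that said "she called again" would not be, which is why the search terms need to be chosen carefully and the results sampled by hand.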
Best Practices for SAR Compliance
- Maintain a SAR log recording the date each request was received, any identity or clarification requests and when they were answered, the calculated deadline, and the date of response
- Document clear procedures for staff, including how to recognise a request that arrives verbally or through a general inbox and where to route it
- Use appropriate tools for searching and redacting email archives, and check that redaction removes the underlying text rather than covering it
- Keep records of your search methodology (systems, search terms, dates) and of the reason for each redaction or withheld document
- Train staff on data protection requirements so that requests are spotted and escalated on the day they arrive
Consequences of Non-Compliance
Failure to respond to SARs appropriately can result in a complaint to the Information Commissioner's Office (ICO), which can issue enforcement notices requiring you to comply and penalty notices (fines), and the individual can apply to the court for an order compelling compliance and for compensation. Beyond regulatory penalties, poor SAR handling can damage your organisation's reputation and erode trust with customers and stakeholders, and disclosing the wrong person's data in a rushed response is a reportable personal data breach in its own right.
Need help with email redaction?
RedactBox makes it easy to redact sensitive information from email archives and export professional PDFs.