Managing Subject Access Requests (SARs) Under UK GDPR: A Practical Guide for UK Organisations
- Joe Stock

- 3 days ago

Subject Access Requests (SARs), also known as Data Subject Access Requests (DSARs), can be a compliance headache for many organisations. Whilst the right of data subjects to request copies of their personal data existed long before the introduction of the General Data Protection Regulation (GDPR), it feels that more of these requests are becoming increasingly broad and complex.
Handled well, DSARs demonstrate transparency and accountability. Handled poorly, they expose organisations to ICO complaints, enforcement action, reputational damage, and unnecessary operational strain.
This guide explains how to manage DSARs effectively under UK GDPR, reflecting current ICO guidance, recent legislative changes, and the realities faced by UK organisations today.
What Is a SAR?
A Subject Access Request (SAR) is a request made by an individual to access the personal data a Data Controller holds about them. Under Article 15 of the UK GDPR, individuals have the right to:
- Confirm whether their personal data is being processed
- Receive a copy of that personal data
- Understand how and why it is being used, shared, and retained
A DSAR does not need to mention “GDPR”, “SAR”, “DSAR”, or “data protection” to be valid. Requests can be made verbally, in writing, via email, contact forms, or even social media channels.
SAR Time Limits Under UK GDPR
UK GDPR sets clear statutory deadlines:
- One calendar month to respond from the date of receipt
- The deadline can be extended by up to two further months where requests are complex or numerous
- The clock can be paused where reasonable clarification is required to understand the scope of a request
The ICO’s guidance is explicit that organisations must act without undue delay, even where extensions apply.
Recent Changes: Reasonable and Proportionate Searches
Data protection law is ever changing, and one helpful update for Data Controllers that came into force through the Data (Use and Access) Act (DUAA) is the ability to undertake reasonable and proportionate searches, rather than exhaustive searches across every possible system. This is especially helpful for requests from data subjects who ask for a copy of ‘everything’ held by an organisation.
This means:
- You are not required to search every archive or legacy system if it would be disproportionate
- Search decisions must be defensible, documented, and consistent
- Organisations should focus on systems where relevant personal data is most likely to be held
The burden remains on the controller to justify why a search was reasonable if challenged.
AI‑Generated Outputs Are Now In Scope of SARs
As organisations introduce AI and generative tools, AI‑generated outputs must now be treated as in scope of a SAR under UK GDPR. Personal data includes not only information provided by individuals, but also data that is derived, inferred or generated about them, such as scores, risk ratings, classifications, summaries or predictions produced by AI systems. Where those outputs relate to an identifiable person, they are likely disclosable under Article 15 and must be included in SAR searches. UK organisations therefore need to ensure AI tools are mapped as data sources within SAR processes.
Common SAR Challenges for UK Organisations
In practice, SAR compliance fails most often due to operational issues, not legal misunderstanding.
1. Requests Spread Across Multiple Systems
Personal data often exists across:
- Email and collaboration tools (Outlook, Teams, Slack)
- CRM and case management systems
- HR platforms and shared drives
- CCTV, call recordings, and AI‑generated summaries
Without a clear data map, organisations lose time identifying where to search.
2. Mixed Third‑Party Data
Many SARs involve emails or documents containing information about multiple individuals. This requires careful redaction and balancing of rights, particularly in employment, NHS, and public sector contexts.
3. Tactical Requests
SARs are increasingly used alongside grievances, litigation, or complaints. This increases legal risk and requires stricter governance, audit trails, and privilege handling.
What Good SAR Management Looks Like
Organisations that manage SARs well tend to have the same foundations in place.
Clear Internal Recognition
Staff know how to recognise a SAR regardless of the channel it arrives through.
Defined Registration
There is a consistent process for:
- Logging requests
- Verifying identity (where necessary)
- Clarifying scope without delaying unnecessarily
Structured Search and Review
Searches are planned, documented, and proportionate. Review and redaction are performed methodically, not reactively.
Secure Disclosure
Responses are issued securely, in an intelligible format, with the required supplementary information.
These expectations are set out clearly in ICO guidance and form part of the accountability principle under UK GDPR.
Consequences of Poor SAR Handling
Failure to manage DSARs effectively can result in:
- Complaints directly to the organisation (now an explicit right)
- Escalation to the ICO
- Enforcement action and monetary penalties
- Loss of trust with customers, employees, or patients
Building a Sustainable SAR Process
Organisations experiencing repeat SAR issues should move away from ad‑hoc handling and towards a repeatable governance model, including:
- SAR policies and procedures
- Defined ownership and escalation paths
- Data mapping and retention controls
- Audit‑ready records of decisions and searches
This approach reduces risk, response time, and operational disruption, particularly for scaling organisations and regulated sectors.
Final Thoughts
Iniver supports organisations to manage SARs confidently under UK GDPR, including where personal data is processed through AI and automated systems. Our team have run information rights management operations within national organisations, and we utilise this real-world experience to help clients design proportionate SAR processes, identify AI‑generated personal data, and align responses with current ICO guidance. If you need support reviewing your SAR approach or understanding how AI changes your obligations, speak to Iniver for practical, regulator‑ready advice.
Contact us at hello@iniver.co.uk or find out more about how we can support you.