Skip to main content
Home / News and Insights / News / Responding to a Subject Access Request (SAR)
23 January 2019

Responding to a Subject Access Request (SAR)

Any individual can make a Subject Access Request (SAR) under the General Data Protection Regulation 2016/679 (GDPR) to any organisation (data controller) that holds his or her personal data. Since the introduction of the GDPR, an increasing number of individuals are exercising their right to request information from organisations and other data subject rights.

Responding to a SAR

It is important for a company to ascertain all the various sources where personal data is held and to ensure that their data systems are easily searchable in order that responses to SARs can be managed efficiently. Businesses should be aware that the time limit for responding to SARs is one month and ensure that their procedures enable them to respond to the request within this timescale. The SAR needs to be assessed to consider whether any exemptions may apply and whether any personal data may be withheld.

You may need to take specialist legal advice upon receipt of a SAR. Poor compliance can be a source of significant risk to a company’s reputation and may undermine customer confidence. Failure to comply may also result in enforcement action and / or civil claims against your company including significant monetary penalties.

BDB Pitmans’ data protection team

Our team provides practical and tailored advice in connection with SARs and other data subject requests made under the GDPR. We can help organisations address these requests properly, including:

  • Business specific training on SARs
  • Drafting internal policies for dealing with SARs
  • Responding to a SAR and the provision of personal data in response to a request
  • Advice on the content and validity of specific SARs
  • Document review
  • Responding to investigations by the Information Commissioner

Our recent subject access request work includes:

  • Advising a charity on a SAR made by a former charity trustee
  • Advising a property investment company on a SAR made by a former employee
  • Advising a Data Processor on a SAR received in relation to personal data it was processing on behalf of a Data Controller

Related Articles

London and Cambridge Offices

London Westminster
50 Broadway, London

50/60 Station Road

Reading and Southampton Offices

Reading, The Anchorage
34 Bridge Street Berkshire
Reading RG1 2LU

Grosvenor House, Grosvenor Square
Southampton SO15 2BE

Follow us

  • Pay my invoice
  • Lexcel

© BDB Pitmans 2019. 50 Broadway, London, SW1H 0BL - T +44 (0)345 222 9222