Handling subject access requests


  • This brief guide focuses on the changes to subject access requests (SARs) made by the General Data Protection Regulation from 25 May 2018.
  • Fundamentally the SAR process remains the same (e.g. the exemptions to disclosure such as legal privilege remains intact) but there are some significant changes you need to be aware of which are covered below.
  • For a summary of what’s required of employers by the GDPR, see our separate guide.


  • The £10 fee is being abolished. Under the new regime, no fee is chargeable unless the request is ‘manifestly excessive or unfounded’ in which case a ‘reasonable’ fee can be charged to cover administrative costs.
  • These terms are not defined but our understanding is that manifestly excessive or unfounded requests will include repetitive requests within a small window of time or requests for additional copies of the same information.


  • You will be required to respond ‘without undue delay’ and, at the latest, within one month rather than the current 40 days. This timeframe can be extended by up to two months if the request is complex and/or you have numerous requests from the same individual to deal with.
  • Any such extensions, and the reason for it, should be confirmed to the applicant in writing before the initial one-month time limit expires.
  • You will still be able to ask the individual for additional information to confirm their identity and to clarify their request. Your timeframe to respond begins once you receive sufficient information to confirm their identity and/or identify which data falls into scope.


  • You will be able to refuse a request is if is manifestly excessive or unfounded although we recommend this is only done as a last resort.
  • If you refuse the request, you should provide the applicant with the reason(s) for this decision.


  • You will need to give the applicant specific information in your response:
  • your retention period(s)
  • the applicant’s right to have inaccurate data corrected
  • the legal basis for processing personal data
  • the applicant’s right to lodge a complaint with the Information Commissioner’s Office
  • details of transfers of personal data outside the EEA including details of any relevant safeguards made


  • The results of the SAR should be made available to the individual via the same method as their request, where possible.
  • For example, you could send them the results electronically if they submitted their request by email or other electronic means, or you could make it available through an electronic portal or data room providing of course that adequate safeguards are taken.
  • We don’t currently have any guidance on how long such an online portal should be available for but it would be reasonable and sensible to set a time limit on it, and to ensure the applicant is told of this and possibly, given the opportunity to receive a copy by CD or paper.


  • The new Data Protection Bill proposes making it a criminal offence to alter records with the intention of preventing disclosure following a SAR.
  • This will be punishable by an unlimited fine. We recommend you remind managers of this and ensure they know to send any SARs to you immediately upon receipt.