Subject Access Request Explained. With a clear surge in businesses receiving data subject access requests, many organisations are turning to the Information Commissioner’s Office (ICO) for guidance. We have attached a link below directing you to the official ICO website, which outlines their formal instructions for business.
Subject Access Request: What is the right of access?
Individuals have the right to ask your organisation whether or not you are using or storing their personal information. They can also ask you for copies of their personal information, verbally or in writing. This is commonly known as making a subject access request (“SAR”) or data subject access request (“DSAR”). Our team of qualified data protection consultants are information security specialists who have experience providing DSAR support.
Why you may receive a subject access request or DSAR?
- What personal information your organisation holds about the individual submitting the DSAR.
- How your business is using their personal information.
- Who your business is sharing it with.
- Where, when and why you captured their personal data.
How do you identify a subject access request (SAR)?
Individuals can make a subject access request to find out, or a third party can also make a SAR on behalf of another person. Your business should have a tried and tested response process to respond without delay and within one month of receipt of the request. It's important to remember that you should provide the information in an accessible, concise and intelligible format.
To recap, an individual can make a SAR/DSAR verbally or in writing, including on social media. Significantly, a request is valid and significant if it is obvious that the individual in question is asking for their own personal data. Our consultants advise our clients when responding to DSARs that an individual does not need to use a specific form of words, refer to legislation or direct the request to a specific contact for it to be considered a formal receipt of a subject access request.
Areas to cover when responding to a DSAR request?
As a small to medium-sized business, it's important to remember that you must comply with a SAR without undue delay and at the latest within one month of receiving the request from the individual in question. You can extend the time to respond by a further two months under certain circumstances. To discuss this in more detail, contact our team of qualified data protection consultants who have experience providing DSAR support.
What format should you provide the information in?
It’s important to have a defined process in place when responding to a DSAR. This will essentially boost your brand reputation and consumer confidence in your business, as it shows a clear and transparent approach to processing personal data whilst upholding security measures in a compliant manner. If the individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise. When deciding what format to use, you should consider both the circumstances of the particular request and whether the individual has the ability to access the data you provide in that format. It is good practice to establish the individual’s preferred format prior to fulfilling their request. This highlights the importance of embedding a good culture around data protection compliance in your business and/or engaging a data protection partner to help uphold your legal obligations and directly reduce your risk of non-compliance with the Data Protection Act 2018 and also the General Data Protection Regulation.
Frequently asked questions
- When can we refuse to comply with a request?
- How do we find and retrieve the relevant information?
- What should we do if the request involves information about other individuals?
- What other exemptions are there?
- Can the right of access be enforced?
- Can we charge a fee?
- What about requests for information about children?
For more information on the questions above, please message us directly to arrange a free consultation with our team of qualified data protection consultants. To read formal guidance from the regulatory body in the UK, the Information Commissioner's Office, please visit their website. If you collaborate with Compliance Direct Solutions, we can help your business get compliant and reduce the risk of non-compliance with the Data Protection Act 2018 and the General Data Protection Regulation. We have experience as outsourced data protection officers in a range of industries and sectors, and our help desk and DSAR support packages provide the best support around information security compliance for your business.
Please visit our help desk page for more insights: https://compliancedirectsolutions.com/data-protection/support-desk/
You can also read the official ICO guidance here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-of-access/