Subject Access Request Procedure Template for UK Businesses

Under UK GDPR, individuals have the right to request a copy of all personal data your business holds about them. You must respond within one month — a written SAR procedure ensures you do it correctly every time.

What is a subject access request procedure?

A subject access request (SAR) procedure is a document that sets out how your business handles requests from individuals who want to see the personal data you hold about them. Under UK GDPR Article 15, every individual has this right, and businesses must respond within one calendar month.

Without a written procedure, businesses often miss deadlines, provide incomplete responses, or inadvertently share data about third parties — all of which can result in ICO complaints and enforcement action. A clear procedure protects you and ensures you treat individuals' rights seriously.

What your SAR procedure should cover

  • How to recognise a SAR (they do not need to use specific wording or be in writing)
  • Who is responsible for handling SARs within your business
  • How to verify the identity of the person making the request
  • The one-month response deadline and when an extension applies
  • How to locate, compile, and review all data held about the individual
  • How to redact third-party information from the response
  • What to include in the response: the data, plus supplementary information
  • How to handle complex, manifestly unfounded, or excessive requests

Common questions about subject access requests

A SAR is a request made by an individual to see a copy of the personal data your business holds about them. Under UK GDPR Article 15, every individual has this right. Businesses must respond within one calendar month.

One calendar month from receipt. You can extend to three months for complex or numerous requests, but you must notify the individual within the first month and explain why. Missing the deadline without extension is an ICO reportable failure.

Generally no — responding to a SAR must be free of charge. You can charge a reasonable fee if requests are manifestly unfounded or excessive, such as repeated requests for the same data. You must be able to justify any fee charged.

A copy of the individual's personal data, the purposes for which it is processed, who it has been shared with, how long you will keep it, their data subject rights, and the right to complain to the ICO. Third-party data must be redacted before sharing.
