How to Respond to a Subject Access Request: A Small Business Guide
Someone has asked for a copy of everything you hold about them. Here is exactly how to respond — the time limit, the steps, and what you can and cannot hold back — without the panic.
The short version
- You usually have one calendar month from the day you receive the request to respond — and the response is normally free of charge.
- The clock can pause: if you reasonably need to confirm who the person is, the month does not start until you have the information you need to verify their identity.
- You can extend by up to two further months for genuinely complex requests or several requests from the same person — but you must tell them, and explain why, within the first month.
- Honesty over panic: most requests are straightforward. A calm process — log it, confirm identity, gather, review, send — handles the vast majority without drama.
If someone has just asked you for a copy of everything you hold about them, you are asking exactly the right question. Knowing how to respond to a subject access request is a practical, learnable skill, not a legal minefield. Most requests are straightforward. The rules are more reasonable than they first appear, and a calm, repeatable process handles the vast majority without drama.
What a subject access request is
A subject access request is a person’s right to ask for a copy of the personal data you hold about them, plus some information about how and why you use it.
Under UK GDPR, every individual has a right of access: the right to see the personal data an organisation holds on them. Exercising it is a subject access request, often shortened to SAR or DSAR. A few things surprise people the first time:
- It can come from anyone whose data you hold: a customer, a former employee, a job applicant, even someone who only filled in a web form.
- It does not have to be formal. A request can be made verbally or in writing, to any part of your organisation, and need not mention “GDPR” or “subject access request” at all. An email saying “can you send me everything you’ve got on me?” counts.
- They are entitled to more than a data dump. Alongside the data, they can ask why you hold it, who you share it with, and how long you keep it. Much of that should already live in your privacy notice.
Breadth is not the same as difficulty. Most small businesses hold a person’s data in a few predictable places: your CRM, your email, your accounting tool, and perhaps a shared drive. Knowing where to look is half the job.
The time limit and when the clock starts
You normally have one calendar month from the day you receive the request to respond, free of charge, and that single fact removes most of the panic.
The ICO (Information Commissioner’s Office, the UK’s data protection regulator) is clear: you must respond without undue delay and at the latest within one calendar month of receiving the request. The month runs from the actual date the request arrives, even a non-working day, counting forward to the same date in the following month. For most small businesses, one month is plenty of time to find and send what is held.
Two details make the subject access request time limit far more manageable than it sounds.
The clock can pause for identity checks. You may confirm you are dealing with the right person before handing over personal data. If you have genuine, reasonable doubt about who is asking, you can request enough information to verify their identity, and the one-month clock does not start until you receive it. This is not a delaying tactic: ask only for what you genuinely need.
You can extend for complex requests. If a request is genuinely complex, or the same person has sent several, you can extend by up to two further months, three months in total. The condition: you must tell the person you are extending, and explain why, within the first month. You cannot quietly run over and explain later.
WHAT COUNTS AS "RECEIVING" THE REQUEST
The month starts the day the request arrives — not the day someone notices it, forwards it, or works out what it is. That's why a request landing in a shared inbox can quietly eat days you didn't know you'd lost. Logging requests the moment they arrive is the single most useful habit you can build.
Step by step: how to respond
A reliable subject access request process is five calm steps: log it, confirm who’s asking, gather the data, review what you’ll send, then deliver it securely.
You do not need a legal team. You need a repeatable sequence.
Step 1: Log the request straight away
Record the date you received it, who it’s from, and what they’ve asked for. This starts your clock honestly and gives you a defensible record. A shared spreadsheet or a note in your task tool is enough to begin with.
Step 2: Confirm the person’s identity (if you reasonably need to)
If you already know the person, say a current customer emailing from their known address, you may not need to do anything. If you have genuine doubt, ask for proportionate proof. The clock pauses while you wait, but only ask for what is truly necessary. Over-asking is itself a complaint waiting to happen.
Step 3: Gather everything you hold
Search methodically: customer records, email, accounting and invoicing tools, support tickets, HR files if relevant, and any shared drives. The aim is everything relating to that identifiable person, not just the obvious file. A written list of where personal data lives in your business (the kind of record a GDPR policy starter pack helps you build) turns this from a scramble into a checklist.
Step 4: Review before you send
The step people skip, and the one that matters most. Check whether the data includes information about other people, or anything covered by an exemption (see below). Redact or hold back only what you are genuinely entitled to, and note your reasons.
Step 5: Deliver it securely
Send the data securely. Use a password-protected file or secure link rather than a plain attachment, especially for anything sensitive. If the person asked electronically, respond electronically. Include the supporting information: your purposes, who you share with, retention periods, and their right to complain to the ICO.
A subject access request isn’t a test of whether your business is perfect. It’s a test of whether you can find what you hold, decide honestly what to share, and respond like an organisation that takes people’s data seriously.
What you can and cannot withhold
You must provide the person’s own data, but you can hold back information that would reveal someone else’s personal data or that falls under a specific legal exemption.
You generally cannot withhold simply because the data is awkward, critical of the person, or inconvenient to compile. Their right of access covers the unflattering as well as the flattering. “We’d rather they didn’t see it” is not a lawful reason.
You can — and sometimes must — hold back or redact in specific situations:
- Third-party data. If responding would disclose personal data about another identifiable person (a colleague named in an internal email, say), balance that person’s rights against the requester’s. Often the answer is to redact the third party’s details rather than withhold the whole document.
- Specific exemptions. UK law sets out narrow exemptions, for example information relating to legal advice or the prevention of crime. They are narrower than people hope, so don’t reach for them as a default.
The safe operating principle: disclose by default, redact narrowly, and document every decision to hold something back. If you ever have to explain yourself to the ICO, a clear note of what you withheld and why beats a confident memory.
A word on fees and refusals, because they’re widely misunderstood. The response is normally free. You can only charge a “reasonable fee” for the administrative cost in narrow cases: where a request is manifestly unfounded or excessive, or where someone asks for further copies of data already provided. The same high bar lets you refuse. “Manifestly” means it must be obvious, backed by clear evidence (a request that is plainly malicious or designed to harass). A request being large, or arriving at a busy time, does not meet it.
Common mistakes to avoid
The usual pitfalls aren’t legal subtleties. They’re practical: missing the request, miscounting the deadline, over-collecting identity proof, and forgetting to check for third-party data.
Most problems come from process, not law. The ones that catch small businesses out:
- Not recognising the request. Because a SAR doesn’t have to say “subject access request”, one can sit unnoticed in an inbox for two weeks. Train anyone who handles customer or staff contact to spot and forward them the same day.
- Starting the clock late. The month runs from when the request arrives, not when it reaches the right person. Internal delay is your problem, not the requester’s.
- Using identity checks to stall. Asking for ID you don’t really need is a common complaint trigger. Verify proportionately, or not at all.
- Sending everything without reviewing it. A rushed full export can disclose another person’s data or something exempt. The review in Step 4 prevents a much bigger problem. The business that handles its second request calmly is usually the one that wrote its process down after its first.
THE QUIET BENEFIT
Every subject access request is a free audit of how well you know your own data. The first is uncomfortable precisely because it surfaces what's scattered. Fix that — a clear record of what you hold and where — and future requests become routine while your wider GDPR position gets stronger at the same time.
Saying you can handle a subject access request is not the same as being able to. The first is a line in a privacy notice; the second is a logged request, a known set of places to look, a reviewed response, and a calm sender. Build that quietly, before the request arrives, and a moment of pressure becomes a five-step routine.
SecurSentry is launching soon to help UK SMEs build genuine, evidence-backed data protection, including the records and processes that make handling a subject access request straightforward rather than stressful. Join the waitlist to be first to know when we open.
This article is general information, not legal or compliance advice. If you have specific obligations or an unusual or contested request, seek qualified guidance from a data protection professional or solicitor.