SecurSentry
← All notes
UK GDPR

How to Respond to a Subject Access Request: A Small Business Guide

Someone has asked for a copy of everything you hold about them. Here is exactly how to respond — the time limit, the steps, and what you can and cannot hold back — without the panic.

The short version

If someone has just asked you for a copy of everything you hold about them, you are asking exactly the right question. Knowing how to respond to a subject access request is a practical, learnable skill, not a legal minefield. Most requests are straightforward. The rules are more reasonable than they first appear, and a calm, repeatable process handles the vast majority without drama.

What a subject access request is

A subject access request is a person’s right to ask for a copy of the personal data you hold about them, plus some information about how and why you use it.

Under UK GDPR, every individual has a right of access: the right to see the personal data an organisation holds on them. Exercising it is a subject access request, often shortened to SAR or DSAR. A few things surprise people the first time:

Breadth is not the same as difficulty. Most small businesses hold a person’s data in a few predictable places: your CRM, your email, your accounting tool, and perhaps a shared drive. Knowing where to look is half the job.

The time limit and when the clock starts

You normally have one calendar month from the day you receive the request to respond, free of charge, and that single fact removes most of the panic.

The ICO (Information Commissioner’s Office, the UK’s data protection regulator) is clear: you must respond without undue delay and at the latest within one calendar month of receiving the request. The month runs from the actual date the request arrives, even a non-working day, counting forward to the same date in the following month. For most small businesses, one month is plenty of time to find and send what is held.

Two details make the subject access request time limit far more manageable than it sounds.

The clock can pause for identity checks. You may confirm you are dealing with the right person before handing over personal data. If you have genuine, reasonable doubt about who is asking, you can request enough information to verify their identity, and the one-month clock does not start until you receive it. This is not a delaying tactic: ask only for what you genuinely need.

You can extend for complex requests. If a request is genuinely complex, or the same person has sent several, you can extend by up to two further months, three months in total. The condition: you must tell the person you are extending, and explain why, within the first month. You cannot quietly run over and explain later.

WHAT COUNTS AS "RECEIVING" THE REQUEST

The month starts the day the request arrives — not the day someone notices it, forwards it, or works out what it is. That's why a request landing in a shared inbox can quietly eat days you didn't know you'd lost. Logging requests the moment they arrive is the single most useful habit you can build.

Step by step: how to respond

A reliable subject access request process is five calm steps: log it, confirm who’s asking, gather the data, review what you’ll send, then deliver it securely.

You do not need a legal team. You need a repeatable sequence.

Step 1: Log the request straight away

Record the date you received it, who it’s from, and what they’ve asked for. This starts your clock honestly and gives you a defensible record. A shared spreadsheet or a note in your task tool is enough to begin with.

Step 2: Confirm the person’s identity (if you reasonably need to)

If you already know the person, say a current customer emailing from their known address, you may not need to do anything. If you have genuine doubt, ask for proportionate proof. The clock pauses while you wait, but only ask for what is truly necessary. Over-asking is itself a complaint waiting to happen.

Step 3: Gather everything you hold

Search methodically: customer records, email, accounting and invoicing tools, support tickets, HR files if relevant, and any shared drives. The aim is everything relating to that identifiable person, not just the obvious file. A written list of where personal data lives in your business (the kind of record a GDPR policy starter pack helps you build) turns this from a scramble into a checklist.

Step 4: Review before you send

The step people skip, and the one that matters most. Check whether the data includes information about other people, or anything covered by an exemption (see below). Redact or hold back only what you are genuinely entitled to, and note your reasons.

Step 5: Deliver it securely

Send the data securely. Use a password-protected file or secure link rather than a plain attachment, especially for anything sensitive. If the person asked electronically, respond electronically. Include the supporting information: your purposes, who you share with, retention periods, and their right to complain to the ICO.

A subject access request isn’t a test of whether your business is perfect. It’s a test of whether you can find what you hold, decide honestly what to share, and respond like an organisation that takes people’s data seriously.

What you can and cannot withhold

You must provide the person’s own data, but you can hold back information that would reveal someone else’s personal data or that falls under a specific legal exemption.

You generally cannot withhold simply because the data is awkward, critical of the person, or inconvenient to compile. Their right of access covers the unflattering as well as the flattering. “We’d rather they didn’t see it” is not a lawful reason.

You can — and sometimes must — hold back or redact in specific situations:

The safe operating principle: disclose by default, redact narrowly, and document every decision to hold something back. If you ever have to explain yourself to the ICO, a clear note of what you withheld and why beats a confident memory.

A word on fees and refusals, because they’re widely misunderstood. The response is normally free. You can only charge a “reasonable fee” for the administrative cost in narrow cases: where a request is manifestly unfounded or excessive, or where someone asks for further copies of data already provided. The same high bar lets you refuse. “Manifestly” means it must be obvious, backed by clear evidence (a request that is plainly malicious or designed to harass). A request being large, or arriving at a busy time, does not meet it.

Common mistakes to avoid

The usual pitfalls aren’t legal subtleties. They’re practical: missing the request, miscounting the deadline, over-collecting identity proof, and forgetting to check for third-party data.

Most problems come from process, not law. The ones that catch small businesses out:

  1. Not recognising the request. Because a SAR doesn’t have to say “subject access request”, one can sit unnoticed in an inbox for two weeks. Train anyone who handles customer or staff contact to spot and forward them the same day.
  2. Starting the clock late. The month runs from when the request arrives, not when it reaches the right person. Internal delay is your problem, not the requester’s.
  3. Using identity checks to stall. Asking for ID you don’t really need is a common complaint trigger. Verify proportionately, or not at all.
  4. Sending everything without reviewing it. A rushed full export can disclose another person’s data or something exempt. The review in Step 4 prevents a much bigger problem. The business that handles its second request calmly is usually the one that wrote its process down after its first.

THE QUIET BENEFIT

Every subject access request is a free audit of how well you know your own data. The first is uncomfortable precisely because it surfaces what's scattered. Fix that — a clear record of what you hold and where — and future requests become routine while your wider GDPR position gets stronger at the same time.

Saying you can handle a subject access request is not the same as being able to. The first is a line in a privacy notice; the second is a logged request, a known set of places to look, a reviewed response, and a calm sender. Build that quietly, before the request arrives, and a moment of pressure becomes a five-step routine.

SecurSentry is launching soon to help UK SMEs build genuine, evidence-backed data protection, including the records and processes that make handling a subject access request straightforward rather than stressful. Join the waitlist to be first to know when we open.


This article is general information, not legal or compliance advice. If you have specific obligations or an unusual or contested request, seek qualified guidance from a data protection professional or solicitor.

Frequently asked questions

What is the time limit for responding to a subject access request?

You must respond without undue delay and at the latest within one calendar month of receiving the request. The month starts the day you receive it (or, if you reasonably need to confirm the person's identity, the day you receive the information you need to verify them). You can extend by up to two further months for complex or numerous requests, but you must tell the person within the first month.

Can I charge a fee for a subject access request?

In most cases, no. You must provide a copy of the person's data free of charge. You can only charge a 'reasonable fee' for the administrative cost in narrow situations — where a request is manifestly unfounded or excessive, or where someone asks for further copies of information you have already provided.

Can I refuse a subject access request?

Only in limited circumstances. You can refuse, or charge a fee, if a request is 'manifestly unfounded or excessive' — but the word 'manifestly' means it must be obvious, and you need clear, documented evidence to justify the decision to the person and, if challenged, to the ICO. Refusing because a request is simply inconvenient is not allowed.

Does a subject access request have to be in writing?

No. A subject access request can be made verbally or in writing, to any part of your organisation, and it does not have to use the words 'subject access request' or mention data protection law. This is why training your team to recognise one matters — a customer's email asking 'what do you have on me?' can count.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.