Data Protection and Subject Access Requests

SMEs must:

  • Identify and document what personal data they hold and why.
  • Secure data against loss, theft, or unauthorised access.
  • Ensure transparency, including privacy notices and lawful bases for processing.
  • Respect individual rights, including the right to access, rectify, or erase personal data.
  • Respond to data breaches swiftly and report serious incidents to the Information Commissioner’s Office (ICO).

One of the most commonly exercised rights is the Subject Access Request (SAR). A SAR is a request made by an individual to access personal data that an organisation holds about them. It doesn’t need to mention the term "subject access request", so even a simple question like "What information do you hold on me?" can trigger the obligation. SARs can be made:

  • Verbally.
  • In writing.
  • Via email or social media.

Once received, the organisation must:

  • Respond within one month (extendable to three months in complex cases).
  • Provide:
    • A copy of the personal data.
    • Details of how and why it is processed.
    • Information on data sharing and retention.
    • The individual’s rights under UK GDPR.

SARs must be handled free of charge, unless the request is manifestly unfounded or excessive.

As a responsible business you should:

  1. Train staff to recognise SARs in all forms.
  2. Log and track SARs to meet deadlines.
  3. Verify identity before disclosing data.
  4. Review data for third-party information or legal exemptions.
  5. Respond securely, using encrypted email or secure file sharing.
  6. Document your process to demonstrate accountability.

Failure to respond to a SAR can lead to:

  • ICO enforcement action.
  • Civil claims for damages.
  • Reputational harm.

In serious cases, it can also result in criminal prosecution. Under Section 173 of the Data Protection Act 2018, it is a criminal offence to "alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure" in response to a SAR.

In September 2025, the ICO successfully prosecuted the director (D) of a care home for failing to respond to a SAR. D was fined £1,100 and ordered to pay £5,440 in costs by the Magistrates' Court. In his case, a resident’s daughter, acting under a lasting power of attorney, had requested personal data including incident reports and CCTV footage. However, this was not forthcoming, and D was found to have blocked, erased, or concealed records between April and May 2023. Furthermore, he provided no explanation to the ICO and attempted to deregister as a data controller.

Data protection obligations apply to all organisations, regardless of size. Mishandling a SAR can result in personal liability for directors and criminal sanctions. To stay compliant:

  • Review your SAR procedures regularly.
  • Designate a responsible person for data protection.
  • Always seek legal advice.