Privacy

Handling a subject access request (DSAR)

26 / 6 / 2026, 6 min read
By Amy Church

What a subject access request is, how to respond within the deadline, and the common traps that turn a routine request into a problem.

A subject access request, or DSAR, is someone asking to see the personal data you hold about them. It's one of the most common privacy requests a small business receives, and one of the easiest to mishandle under time pressure. With a little preparation it's a routine task rather than a scramble.

This guide explains what a subject access request is, what you have to provide, how long you have, and the traps that catch businesses out.

What is a subject access request?

It's a person exercising their right of access under the UK GDPR. Anyone whose personal data you hold can ask for a copy of it, and they don't have to use the words "subject access request" or fill in a form. A request by email, by letter, or even spoken out loud counts, and it can land with anyone in your business, not just a privacy inbox. Your team needs to recognise one when they see it.

What you have to provide

You must give the person a copy of their personal data, along with some supporting information: why you process it, who you share it with, how long you keep it, where it came from, and the rights they have. Most of that supporting information is the same for everyone, so it can come straight from your privacy notice. The part that takes work is finding the person's actual data across your systems, which is far easier if you've already mapped where personal data lives.

How long you have to respond

You have one calendar month from receiving the request. You can extend that by up to two further months if the request is genuinely complex or the person has made several, but you must tell them about the extension, and why, within the first month. The clock runs whether or not anyone is watching it, so log the date a request arrives.

Can you charge, or say no?

Usually it's free, and yes, you have to comply. You can't charge a fee for a normal request. You can only charge a reasonable fee, or refuse, where a request is manifestly unfounded or excessive, for example where someone is plainly using requests to harass you. That's a high bar, and "this is inconvenient" doesn't meet it. If you do refuse, you must explain why and tell the person they can complain to the ICO.

Checking who you are dealing with

If you have genuine doubts about who is making the request, you can ask for enough information to confirm their identity, and the one-month clock pauses until you receive it. Don't use this as a delaying tactic or demand more than you need. Asking a known customer for a passport scan to release data you already email them every week is hard to justify.

What you can hold back

A subject access request covers the requester's own personal data, not other people's. If returning their data would reveal information about someone else, you should redact the other person's details unless they've agreed to the disclosure or it's reasonable to disclose without their consent. A handful of narrow exemptions also apply, such as legal advice, but they're genuinely narrow and rarely the reason to hold something back. When in doubt, the default is to disclose the person's own data.

How to make this routine

Almost all of the difficulty in a subject access request comes from not knowing where personal data lives. If you've done the groundwork in our guide to GDPR for small businesses, most of a response is straightforward: confirm identity if needed, gather the data from the places you've already mapped, redact anyone else, and send it with the supporting information from your privacy notice. A short written process, and one person who owns it, turn each request into a checklist.

If you'd like help putting that process in place, our GDPR compliance service sets it up alongside the rest of your privacy basics.
