Never miss a SAR deadline again

Under UK GDPR, you must respond to a subject access request within one calendar month of receiving it. If the request is complex or you receive multiple requests from the same person, you can extend by a further two months — but you must tell the requester within the first month and explain why. The Data (Use and Access) Act 2025 also introduces a "stop the clock" mechanism where the deadline pauses if you need to request identity verification or clarification.

The Data Protection Act 2018 contains several exemptions employers can rely on when responding to SARs. Schedule 2, Part 4 covers the key employer exemptions — paragraph 19 protects legal professional privilege (documents covered by legal advice in tribunal proceedings), while paragraphs 22-24 cover management forecasting, negotiations, and references. Each exemption must be assessed on a document-by-document basis with written justification for your audit trail.

In most cases, no. Under UK GDPR, subject access requests are free. You can only charge a "reasonable fee" if the request is manifestly unfounded or excessive — for example, if the same person submits repeated identical requests. You can also charge for additional copies beyond the first. The ICO expects most requests to be handled at no cost, and rejecting or charging for a straightforward SAR is a common basis for ICO complaints.

DSAR (Data Subject Access Request) and SAR (Subject Access Request) refer to the same thing: a request by an individual to see the personal data an organisation holds about them. "SAR" is the term used in the Data Protection Act 2018 and by the ICO. "DSAR" is more common in the privacy technology industry. Both carry the same legal obligations — a one-month response deadline and the right to receive a copy of personal data in a commonly used electronic format.

Yes. A SAR does not need to be in writing. If an employee says "I want to see my personal data" in a meeting, by phone, or in any other verbal exchange, that counts as a valid SAR. The ICO confirms that requests can be made verbally, by email, by letter, or through social media. The one-month response clock starts from the moment anyone in your organisation receives the request — even if it was never put in writing.

When responding to a SAR, you must not disclose personal data about other identifiable individuals unless they have consented or it is reasonable to disclose without consent. Redact names, contact details, and any information that could identify a third party. Use consistent redaction methods — black bars in PDFs, "[REDACTED]" markers in text — and log each redaction decision with your reasoning. This audit trail protects you if the requester complains to the ICO.

Missing a SAR deadline is a breach of UK GDPR Article 12. The requester can complain to the ICO, which can issue reprimands, enforcement notices, or fines up to £17.5 million (or 4% of annual turnover). In practice, the ICO issued over 8 reprimands and enforcement notices for SAR handling failures in recent years. SAR complaint volumes rose 23% year-on-year. Beyond regulatory action, a missed deadline in an employment tribunal context can damage your position and credibility with the tribunal.

dsartracker is built by Crocker Digital Ltd (Company No. 17008789), a UK software company. We identified that UK SMEs have no practical tools for handling SARs — enterprise platforms cost £10,000+ per year while SMEs cobble together responses in Word and email. dsartracker fills that gap with a step-by-step tracker built specifically for employers without a dedicated DPO.

The free SAR deadline calculator and exemption checker will always be free. The full SAR workflow — deadline tracking, guided exemptions, document storage, and audit export — starts at £29 per month or £249 per year. Enterprise privacy platforms typically start at £10,000+ per year. dsartracker is built for SMEs, not enterprise privacy departments.

Your email address is the only data we collect at signup. It is stored securely and used solely to notify you about the dsartracker launch. We do not share your data with third parties. Our analytics use GoatCounter, which collects no personal data and uses no cookies. You can request deletion of your email at any time by contacting hello@crockerdigital.co.uk.

Even a single SAR can take 10-20 hours to handle properly when you factor in searching for data, checking exemptions, redacting third-party information, and drafting a compliant response. Without a structured process, you risk missing the deadline, over-disclosing sensitive information, or failing to document your search. dsartracker guides you through each step and creates the audit trail automatically — valuable whether you handle 1 SAR or 100.