GDPR and Subject Access Requests: An Employer's Legal Duties
Published 25 June 2026
"GDPR" and "subject access request" turn up together constantly — but it is worth being precise about what the law actually requires, because the obligations sit on the employer, not the individual. When a SAR arrives, UK GDPR gives the requester a right and gives you a set of duties. Getting those duties wrong is what leads to ICO complaints.
This guide explains where the right of access comes from in UK GDPR, exactly what you must do, and what the 2025 changes mean for SMEs.
This guide covers employers' SAR obligations under UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025. It is not legal advice.
Where the right of access comes from
The right behind a subject access request is the right of access, set out in UK GDPR Article 15. It entitles any individual whose personal data you process to obtain:
- confirmation that you are processing their data;
- a copy of that personal data; and
- supplementary information — the purposes of processing, the categories of data, the recipients it has been shared with, how long you will keep it, and their other rights.
In the UK, Article 15 sits alongside the Data Protection Act 2018, which adds the exemptions and the detailed framework. "UK GDPR" is the retained version of the EU regulation as it applies domestically — the substance of the right of access is the same, and the 2018 Act fills in the UK-specific detail.
Your legal obligations as an employer
When a SAR lands, UK GDPR imposes a specific set of duties. You must:
- Respond within the time limit. The default is one calendar month from receipt, extendable by a further two months for complex or numerous requests if you notify the requester within the first month. The deadline rules live in Subject Access Request Time Limit UK, and you can calculate yours with the SAR deadline calculator.
- Respond free of charge. A SAR is free. The old £10 maximum fee under the Data Protection Act 1998 was abolished when UK GDPR took effect on 25 May 2018. There are narrow exceptions — see Can You Charge for a Subject Access Request?.
- Recognise the request however it arrives. A SAR does not need to be in writing or use any magic words. The ICO confirms it can be made verbally, by email, by letter, or via social media — to anyone in your organisation.
- Provide the supplementary information, not just the data. Omitting the purposes, recipients, retention periods, and rights leaves the response incomplete under Article 15.
- Only refuse in narrow circumstances. You can refuse a request that is "manifestly unfounded or excessive." (An earlier draft of the 2025 reforms proposed "vexatious or excessive," but the enacted Data (Use and Access) Act 2025 retained the existing UK GDPR wording.) Refusal is the exception, and you must explain it and the right to complain.
What the 2025 changes did
The Data (Use and Access) Act 2025 (DUAA) amended UK GDPR rather than replacing it. The Act received Royal Assent on 19 June 2025, with provisions commenced in stages — most of the data-protection changes took effect from 5 February 2026. Two changes matter most for SARs:
- "Stop the clock." Section 76 amended UK GDPR Article 12 to introduce an "applicable time period," letting you pause the response clock when you reasonably need more information to verify identity or clarify the scope of the request. The clock restarts once the requester responds.
- "Reasonable and proportionate" search. Section 78 codified that searches in response to a request need only be reasonable and proportionate — you are not obliged to conduct an exhaustive search regardless of cost or effort. This puts a long-standing ICO and case-law position onto a statutory footing.
Both changes broadly help employers, but they have to be applied correctly — pausing the clock without documenting it, or claiming a search was proportionate without recording what you actually did, undoes the benefit. For the full deadline mechanics see Subject Access Request Time Limit UK.
Exemptions: what UK GDPR lets you withhold
UK GDPR does not require you to disclose everything. The Data Protection Act 2018 sets out exemptions in Schedule 2, Part 4 — including legal professional privilege, management forecasts, and negotiations — and Article 15(4) lets you redact third-party data where appropriate. Each exemption has to be applied to specific data with a documented reason. SAR Exemptions Explained walks through each, and the SAR exemption checker helps you decide.
Where SMEs most often fall short
Most SAR failures are not deliberate — they come from treating a legal obligation as an informal favour. The recurring gaps are:
- Not recognising the request, so the deadline starts late or is missed entirely.
- Treating it as optional or trying to charge, when the response is mandatory and free.
- Disclosing the data but omitting the Article 15 supplementary information.
- No documented search, leaving no evidence the response met the reasonable-and-proportionate standard.
- Over-disclosing third-party data instead of redacting it.
The penalties for serious data protection failures are significant — the higher-tier UK GDPR maximum is £17.5 million or 4% of annual worldwide turnover, whichever is greater. SMEs are far more likely to receive an ICO reprimand than a fine, but reprimands are public and a missed SAR during a tribunal dispute can be costly in other ways.
Turning the law into a process
Knowing what UK GDPR requires is the first step; the second is applying it the same way every time. The Subject Access Request Response guide covers the response walk-through stage by stage, and the Subject Access Request Process guide covers setting up a repeatable workflow. For the complete employer guide, see How to Respond to a Subject Access Request from an Employee. If you handle SARs regularly, DSAR Software for Small Businesses explains what a purpose-built tool does that ad-hoc methods cannot.
Sources
- UK GDPR — Article 15 (right of access)
- UK GDPR — Article 12 (transparency and time limits)
- Data Protection Act 2018
- Data (Use and Access) Act 2025
- DUAA 2025 — Section 76 (time limits / stop the clock)
- DUAA 2025 — Section 78 (reasonable and proportionate search)
- ICO — Right of access (subject access) guidance