Subject Access Request Policy Template: How to Create Your Internal SAR Process
Published 21 April 2026 · Last reviewed 15 March 2026
Most UK SMEs handle their first SAR reactively — someone in HR googles "how to respond to a subject access request" and cobbles together a process on the spot. That works once. By the second or third SAR, the lack of a documented process creates inconsistency, missed deadlines, and gaps the ICO will question.
A written SAR policy solves this. It tells everyone in your organisation who handles SARs, what steps to follow, and when to escalate — before a request arrives.
This guide covers internal SAR policy creation for UK employers. It is not legal advice.
Why you need a written policy
The ICO's right of access guidance recommends organisations have a documented process for handling SARs. While not a strict legal requirement, having a policy:
- Proves accountability. UK GDPR Article 5(2) requires you to demonstrate compliance. A documented policy is evidence you take data rights seriously.
- Prevents missed deadlines. When everyone knows the process, requests do not sit in inboxes unrecognised.
- Ensures consistency. The same exemptions and redaction standards are applied regardless of who handles the request.
- Speeds up response. Staff who have already handled a SAR under a documented process respond faster the next time.
What your SAR policy should cover
1. Scope and purpose
State which requests the policy covers (all SARs under UK GDPR Article 15), who it applies to (all staff), and its purpose (ensuring compliant, consistent, and timely responses).
2. Recognising a SAR
Staff need to know that a SAR does not require magic words. Define what counts:
- Any request for personal data, in any format (email, letter, verbal, via solicitor)
- Does not need to mention "subject access request," "DSAR," or "Article 15"
- The clock starts when any employee receives it — not when HR logs it
Include examples: "Can I see my HR file?" is a SAR. "Send me everything you have on me" is a SAR. A solicitor's letter requesting "all personal data relating to our client" is a SAR.
3. Roles and responsibilities
| Role | Responsibility |
|---|---|
| Any employee receiving a request | Forward to the SAR coordinator immediately (same day) |
| SAR coordinator (typically HR manager or DPO) | Log the request, acknowledge, coordinate the response |
| System owners (IT, finance, line managers) | Search their systems within the timeframe set by the coordinator |
| Decision-maker for exemptions | Apply exemptions with documented reasoning (may require legal input) |
| Sign-off authority | Final review and dispatch of the response |
For SMEs without a DPO, the SAR coordinator is typically the HR manager or the person responsible for data protection compliance.
4. Step-by-step response process
Day 0-1: Receive and log the request. Calculate deadline using the SAR deadline calculator. Send acknowledgement letter. Determine if identity verification or clarification is needed.
Day 1-5: Issue identity verification request if needed (clock pauses under DUAA 2025, section 76). Identify all systems to search. Brief system owners on search scope and deadline.
Day 5-20: System owners search and extract data. SAR coordinator collates results. Identify third-party data requiring redaction. Assess exemptions — use the SAR exemption checker for guidance. Document each exemption decision with DPA 2018 paragraph reference.
Day 20-25: Draft response letter (use the SAR response letter generator for compliant templates). Internal review. If extending, notify the requester before the one-month deadline.
Day 25-30: Final sign-off. Dispatch response with proof of delivery. File the complete audit trail.
See Subject Access Request Time Limit UK for detailed deadline rules.
5. Exemptions procedure
Your policy should list the exemptions your organisation is most likely to use (see SAR Exemptions Explained for the full list) and require:
- Individual assessment of each document (no blanket exemptions)
- Written justification for each application
- Sign-off by the decision-maker
- A schedule of exemptions attached to the response
6. Third-party data and redaction
Define the redaction process: who redacts, what tools they use, how to handle situations where redaction is insufficient to prevent identification. Refer to UK GDPR Article 15(4) and the ICO's guidance on information about other individuals.
7. Record keeping
Specify what gets retained and for how long:
- The SAR request itself
- Acknowledgement and all correspondence
- Search scope documentation
- Exemption decisions with reasoning
- The response sent
- Proof of dispatch
8. Training and awareness
Annual training for all staff on recognising SARs. Specific training for the SAR coordinator and system owners on the response process. Record training dates for accountability.
Adapting this to your organisation
This template works for UK SMEs with 10-250 employees. Scale it up or down:
- Micro businesses (under 10 staff): The SAR coordinator and decision-maker may be the same person. Simplify the roles table but keep the step-by-step process.
- Larger SMEs (100-250 staff): Consider designating department-level search contacts and adding a legal review step for complex exemptions.
Review the policy annually or whenever there is a significant change in data protection law — such as the Data (Use and Access) Act 2025, which introduced the stop-the-clock mechanism and the "reasonable and proportionate search" standard.
For the complete response process, see How to Respond to a Subject Access Request from an Employee.