DSARTracker

The Subject Access Request Process: How UK SMEs Should Set It Up

Published 18 June 2026 · Last reviewed 4 June 2026

Most UK SMEs handle their first subject access request (SAR) from scratch — someone in HR cobbles a response together in Word, hopes they have covered everything, and moves on. That works once. It does not scale, and it leaves no proof that the request was handled correctly.

The fix is a defined process: a repeatable workflow that anyone in the business can follow, that produces the same audit trail every time, and that does not depend on one person remembering the rules. This guide sets out what that process looks like.

This guide covers the SAR handling process for UK employers under UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025. It is not legal advice.

Why a process beats a one-off response

Under UK GDPR Article 15, every individual whose data you hold can ask for a copy of it. For an SME, requests are infrequent but unpredictable — and when one arrives during a dispute, the pressure is real. A documented process gives you three things a one-off response cannot:

  • Consistency — every request is handled to the same standard, regardless of who picks it up.
  • A deadline you cannot miss — the clock starts at receipt, and a defined intake step captures that date.
  • An audit trail — if the ICO investigates, you can show what you searched, what you withheld, and when each step happened.

The seven-stage SAR workflow

1. Intake and logging

The process starts the instant a request arrives. Because a SAR can be made verbally or in any written form — no special wording required — front-line staff need to recognise one and escalate it. Log the receipt date, the requester, and what they have asked for. The receipt date is legally significant: it sets the deadline.

Owner: whoever receives requests first (reception, HR inbox, line managers). Output: a logged request with a date stamp.

2. Identity verification

Confirm the requester is who they claim to be before disclosing anything — releasing data to the wrong person is a breach. Request only proportionate evidence. If you reasonably need more information to verify identity or clarify scope, you can pause the response clock under the "stop the clock" provision introduced by the Data (Use and Access) Act 2025, section 76. Record when you asked and when you received the answer.

Owner: SAR handler (HR / data lead). Output: verified identity, clock-pause dates if applicable.

3. Deadline calculation

The standard response time is one calendar month from receipt (or from completed identity verification, if you stopped the clock). A two-month extension is available for complex or numerous requests, provided you notify the requester within the first month. Build the deadline into your tracker at this stage so it cannot be forgotten.

Owner: SAR handler. Output: a confirmed due date. Use the SAR deadline calculator and see Subject Access Request Time Limit UK.

4. Scoping and search

Define what to search and conduct a reasonable and proportionate search — the standard codified by the DUAA 2025, section 78. For an employee SAR that typically means the HR system, email, payroll, performance records, and disciplinary files over the relevant period. Record the systems searched, the date ranges, and the search terms — this log is your evidence the search was complete.

Owner: SAR handler, with IT support for system searches. Output: gathered data plus a documented search scope.

5. Exemption and redaction review

Before disclosing, check whether any data is exempt under the Data Protection Act 2018 Schedule 2, Part 4 (legal privilege, management forecasts, negotiations, and others), and redact third-party data under Article 15(4). This is the stage most likely to go wrong — over-disclosure and under-justified exemptions are both common ICO complaint triggers.

Owner: SAR handler, with legal input for complex cases. Output: a reviewed data set with documented exemption decisions. Work through it with the SAR exemption checker; see SAR Exemptions Explained and SAR Redaction.

6. Response assembly and dispatch

Assemble the covering letter: confirmation of processing, the data, the search scope, processing purposes, recipients, retention periods, exemptions applied, and the requester's rights. Dispatch securely and record the dispatch date.

Owner: SAR handler. Output: a dispatched, complete response. The letter structure is in Subject Access Request Response Letter; generate one with the SAR response letter generator.

7. Close-out and retention

Save the full file — the request, identity evidence, search log, exemption decisions, the response, and key dates. This is the compliance pack you produce if challenged. Set a retention period for the SAR record itself in line with your data retention policy.

Owner: SAR handler. Output: an archived, audit-ready file.
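As an added illustration of stages 1 to 3 (example code written for this guide, not code from the page or from dsartracker), a small Python deadline calculator that applies the rules above: the month runs from receipt, or from completed identity verification if the clock was stopped, and a two-month extension only counts if the requester was notified within the first month. The end-of-month fallback in `add_months` (31 January plus one month becomes the last day of February) and the sample dates are assumptions, not rules stated on the page.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_months(start: date, months: int) -> date:
    """Advance by whole calendar months.
    Assumption (not a rule stated on the page): if the corresponding day does not
    exist, e.g. 31 Jan + 1 month, fall back to the last day of the target month."""
    month_index = start.month - 1 + months
    year, month = start.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(start.day, monthrange(year, month)[1]))


@dataclass
class SarRequest:
    received: date                             # stage 1: logged receipt date
    verified: Optional[date] = None            # stage 2: identity confirmed (clock stopped until then)
    extension_notified: Optional[date] = None  # stage 3: date the requester was told of an extension

    def clock_start(self) -> date:
        # The month runs from receipt, or from completed verification if the clock was stopped.
        if self.verified is not None and self.verified > self.received:
            return self.verified
        return self.received

    def extension_valid(self) -> bool:
        # A two-month extension only counts if the requester was notified within the first month.
        if self.extension_notified is None:
            return False
        return self.extension_notified <= add_months(self.clock_start(), 1)

    def due_date(self) -> date:
        # One month as standard; one plus two when a valid extension applies.
        return add_months(self.clock_start(), 3 if self.extension_valid() else 1)

    def status(self, today: date) -> str:
        # Days left against the confirmed due date, or how far overdue the response is.
        remaining = (self.due_date() - today).days
        if remaining < 0:
            return f"overdue by {-remaining} day(s)"
        return f"{remaining} day(s) remaining"


if __name__ == "__main__":
    # Constructed sample: received 10 Mar 2026, identity verified 17 Mar, extension notified 5 Apr.
    req = SarRequest(date(2026, 3, 10), date(2026, 3, 17), date(2026, 4, 5))
    print("clock starts", req.clock_start(), "due", req.due_date(), req.status(date(2026, 4, 20)))
```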

Assign roles before the request arrives

A process only works if people know their part before the pressure starts. At minimum, decide in advance:

  • Who receives and recognises a SAR (front-line staff).
  • Who owns the response end to end (a named SAR handler).
  • Who provides IT search support and legal input for complex cases.

Document these roles in a short internal policy so there is no scramble when a request lands. See Subject Access Request Policy Template for a template you can adapt.

Where the process tends to break

  • No intake step, so the receipt date is guessed and the deadline drifts.
  • Search not documented, leaving no proof the response was complete.
  • One person holds the whole process in their head, and it collapses when they are on leave.
  • No close-out, so the audit trail is scattered across inboxes.

A repeatable workflow with named owners and a single file per request closes all four. Our step-by-step guide walks through a single SAR response from receipt to dispatch. If your team handles SARs often enough that a spreadsheet is creaking, DSAR Software for Small Businesses covers what a purpose-built tool adds.
