Changes introduced by the GDPR and the Data Protection Act 2018 have increased the time pressure on organisations that have to respond to Subject Access Requests (“SARs”).

Under the old regime, organisations had 40 days in which to respond, and could charge a fee of £10. Now, the response must be provided within a month, and fees can only be charged in exceptional situations.

So what can you do to make your life easier? There are some possibilities under the new legislation.

Can the time limit be extended?

Where the SAR is a complex request, or a multiple request, you may be able to extend your time for responding by up to two further months. You have to inform the individual, within one month of the receipt of the SAR, of the time extension and the reasons why the extension is necessary. This option should not be used as a matter of course, but only in exceptional situations. Bear in mind that the individual may choose to complain to the Information Commissioner about the extension – which could involve you in more wasted time and costs.

Can a charge be made?

If you can demonstrate that the SAR is “manifestly unfounded or excessive” then you can decline to comply with the SAR altogether, or to agree to comply only if the individual pays a reasonable fee that reflects your administrative costs in responding to the SAR. Again, this option should be used sparingly.

Is an exemption available?

There is some information that you are not required to provide in response to an SAR, including:

  • certain communications with your solicitors
  • confidential references
  • personal data relating to third parties
  • child abuse data, in certain circumstances.

Managing personal data

You can make your life easier by taking some simple steps when managing personal data. These include:

  • thinking carefully before you create data – for example, could you pick up the phone rather than sending an email? Could you anonymise the data?
  • only disseminating personal data to those who need to have it
  • being strict about where personal data is stored, so that you know where to go to when answering the SAR
  • applying your data destruction policies rigorously, so that you do not hold more personal data than is necessary.

Lupton Fawcett offers a half-day training course “Subject Access Requests under the GDPR – making your life easier” that deals with these issues in more detail. For further information contact Louise Connacher on 0113 280 2108.

Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.

Get In Touch Today!

Get In Touch Today!

Please complete this form to make an enquiry and we will get back to you as soon as we can.

Remember you can still call us on 0333 323 5292 or email us at

  • This field is for validation purposes and should be left unchanged.