Subject Access Request (SAR) Procedure template
A subject access request (SAR) procedure is the written process your team follows when someone asks for a copy of the personal data you hold about them — how to recognise the request, who owns it, how to verify identity, where to search, what to redact, and how to respond within one calendar month.
SARs arrive without warning, in any words, through any channel. A line in a complaint email or a comment to a shift manager counts just as much as a formal letter, and the deadline runs whether or not the right person spots it. The recognising-and-routing step matters as much as the searching.
This template gives you the complete procedure: recognition examples for staff, logging and identity checks, a systematic search, third-party redaction, and the response and record-keeping steps.
Full text, ready to adapt.
Highlighted fields are placeholders — replace them with your organisation's specifics. A starting point, not legal advice.
Subject Access Request (SAR) Procedure
SOP · Data & Privacy
1. Purpose and scope
This procedure sets out how {{org.name}} handles requests from individuals for access to their personal data. It applies to requests from anyone — customers, current and former staff, job applicants, suppliers — received by any member of staff through any channel.
2. Recognising a SAR
- Any request for a copy of someone's own personal data is a SAR: "send me everything you hold on me", "I want a copy of my file", "what information do you have about my account?"
- It does not need to use the words "subject access request", mention UK GDPR, or be in writing — verbal requests count.
- It can arrive by email, letter, phone, social media, review reply, or in person, addressed to anyone.
- Requests can come through a representative, such as a solicitor or family member — check their authority to act before releasing anything.
- If you are unsure whether something is a SAR, pass it to the SAR owner and let them decide.
3. Roles and responsibilities
- SAR owner ([name/role], deputy [name/role]): logs, runs, and signs off every request.
- Managers: pass anything that might be a SAR to the SAR owner the same working day.
- IT and system administrators: run searches across the systems they manage when asked.
- All staff: never ignore, delay, or answer a SAR themselves — route it.
4. Log, acknowledge, and verify
- 1Forward the request to the SAR owner the same working day it arrives.
- 2Log the date received — the response deadline is one calendar month from that date, not from when it reached the SAR owner.
- 3Acknowledge the request and confirm the deadline to the requester.
- 4Verify identity only if there is genuine doubt, asking for the minimum needed — do not use identity checks to buy time.
- 5If you genuinely cannot respond without clarifying what the requester wants, ask promptly and check ICO guidance on how clarification affects the deadline.
5. Search
- 1List every system that could hold the requester's data: [email, HR system, CRM, booking or till system, CCTV, shared drives, messaging tools, paper files].
- 2Search using their name, known variants, email addresses, and account or payroll numbers.
- 3Suspend routine deletion for anything in scope while the request is open.
- 4Gather results into a single secure working folder at [location], access-limited to those handling the request.
6. Review and redact
- 1Remove or redact other people's personal data unless they consent or it is reasonable to disclose it — take a considered view and record it.
- 2Consider any exemptions narrowly, and record which were applied and why.
- 3Check the material is intelligible — explain codes and abbreviations where needed.
- 4Prepare the supplementary information (purposes, recipients, retention, rights) — usually by enclosing or linking the privacy policy.
- 5Have the SAR owner review the final bundle before anything is sent.
7. Respond
- 1Send the response securely — [encrypted file, secure portal, or tracked post] — before the deadline.
- 2Include a plain-language covering note listing what is enclosed, any redactions or exemptions applied, and how to complain, including to the ICO.
- 3Record the date sent, the method, and exactly what was provided.
8. Records and review
The SAR log at [system/location] records every request: dates, identity checks, search scope, redaction decisions, and the response. Keep the response bundle for [period] in case of follow-up or complaint.
This procedure is reviewed [frequency, e.g. annually] and after any request that ran late or drew a complaint. Owner: [name/role]. Next review due: [date].
How to adapt this template.
Brief every customer-facing and management team on the recognition examples — the procedure fails at the front desk, not the back office.
Build the systems list in the search section by actually walking through where data lives, including legacy systems and archived mailboxes.
Name the SAR owner and a deputy who can cover leave — a one-calendar-month deadline does not wait for holidays.
Run a practice SAR on a volunteer staff member to time how long a real search takes.
Ask the SAR owner to read the ICO's right-of-access guidance before the first live request, not during it.
Turn this template into trained, proven behaviour
A policy in a drawer proves nothing. In TrainedTeam this template becomes assigned training with knowledge checks, e-signature acknowledgments, version history, and an audit-ready record of who completed what, when.
Subject Access Request (SAR) Procedure template FAQs
How long do we have to respond to a subject access request?
One calendar month from the day the request is received, extendable where a request is complex or you have received a number from the same person — check the ICO's guidance on how the extension works. The clock runs from receipt by anyone in the organisation, not from when the right person sees it.
Can we charge a fee for a SAR?
Usually no — responding is free of charge. A fee is only possible in limited circumstances, such as manifestly unfounded or excessive requests, and you cannot charge simply because the search is time-consuming. Check ICO guidance before charging anything.
Does a request have to say "subject access request" to count?
No. Any request by someone for a copy of their own personal data is a SAR, whatever words they use, whoever they say it to, and whether it is written or verbal. That is why staff training on recognition is part of this procedure.
What do we do about other people's data mixed into the records?
You must not disclose third parties' personal data unless they consent or it is reasonable to disclose it without consent. In practice that means redacting names and identifying details of others — colleagues, other customers — and recording the judgement you made.
Can we refuse a SAR?
Only on limited grounds — for example where a request is manifestly unfounded or excessive, or an exemption in the Data Protection Act 2018 applies. Apply these narrowly, record your reasoning, and tell the requester why you refused and that they can complain to the ICO.
Related templates
Data Protection Policy
Free UK GDPR data protection policy template: the principles in practice, staff handling rules, responsibilities, rights requests, and breach routing.
Privacy Notice for Employees
Free UK employee privacy notice template: the staff data you hold, why you use it, who sees it, how long you keep it, and workers' rights. Ready to edit.
Data Retention & Disposal Policy
Free UK data retention and disposal policy template: retention principles, a schedule by record type, secure disposal rules, and legal holds. Ready to edit.
Privacy Policy
Free UK privacy policy template: the data you collect, lawful bases, sharing, retention, individuals' rights, and ICO complaint details. Ready to edit.