Subject Access Requests (SARs): Set the time, Action the Right, Respond Straightaway!

  • dataprotectionmanage
  • Oct 24

Updated: Nov 7

Set the time, Action the Right, Respond Straightaway!


At the end of each week, Data Protection Management Consultants Get Ahead!® focuses on a data protection or information governance area of compliance, draws attention to newsworthy articles, and provides tips on how businesses and organisations can stay ahead in data protection and information governance compliance.


This week we are focusing on Subject Access Requests (SARs).


Last month the Information Commissioner's Office (ICO) reported the action that was taken against a director of a care home for failing to respond to a Subject Access Request (otherwise known as a SAR). You can read a summary of the case on the ICO's website found on this link: DPMC's Get Ahead! highlighted case this week.


In a nutshell, despite receiving a valid SAR from the requestor in April 2023, the nursing home failed to comply with the requirements to manage such requests in accordance with Article 15 of the UK GDPR and the ICO's guidance (A guide to subject access | ICO). A complaint was lodged against the nursing home by the complainant, and last month the Director of the nursing home was found guilty of failing to respond to the relevant SAR. 


In addition to being found guilty in the magistrates' court, the director received a hefty fine and additional costs for the conviction.

We've highlighted this case because it is a well-known fact that SARs are often perceived by organisations as time-consuming and unwarranted, and are what we describe as 'underlooked'.


Why not use the Data Protection Management Consultants Get Ahead!® backronym framework to help your organisation stay focused when managing SARs:

  1. Set the time

  2. Action the Right 

  3. Respond  

  4. Straightaway! 


    1. Firstly, as soon as you receive a SAR, start the clock and set the time: know when the deadline for responding to the SAR is!

    2. Secondly, start taking action by:

    a. ensuring the requestor has been verified, that is, the data subject and their representative (if they have one);

    b. assessing whether you have enough information from the requestor to understand whether you hold the information requested or not.

    If in doubt about a. and b., you must seek verification and clarification from the requestor.


    3. Once you have identified whether or not you can progress the SAR, respond without delay; ensure you have a streamlined process in place to manage the SAR BEFORE the deadline. If you don't, Data Protection Management Consultants Get Ahead! can help you achieve this; just get in touch with us at support@dpmconsultants.co.uk.


    4. Ensure your process leaves no room for unreasonable delays and send the response to the requestor straightaway (before the set deadline); let the requestor know straightaway (before the set deadline) if you require more information from them, or if you need to extend the deadline in accordance with the provisions of the ICO's guidance.


We hope you found this article helpful. If you would like more advice and guidance on your data protection obligations, please do get in touch with us! Get Ahead with Data Protection Management Consultants by contacting us at support@dpmconsultants.co.uk.


This SARS backronym and definition were created by Data Protection Management Consultants Get Ahead! and first published on the 24th October 2025.

You are welcome to reference or use this backronym in your own materials, provided that full credit is given to Data Protection Management Consultants Get Ahead! as the original source.


© 2025 Data Protection Management Consultants Get Ahead!® All rights reserved. 

 
 