SAR Requirements Under UK GDPR
UK GDPR subject access request requirements: data subject rights, response deadlines, identity verification, and penalties.
Last updated: 2026-02-08
Data Subject Rights That Trigger SARs
UK data subjects can submit requests to:
- Access all personal data you hold about them (Subject Access Request)
- Rectify inaccurate or incomplete data
- Erase personal data — the right to be forgotten
- Restrict processing while disputes are resolved
- Port their data in a structured, machine-readable format
- Object to processing based on legitimate interests or public task, and to direct marketing (the direct-marketing objection is absolute and must always be honoured)
- Not be subject to solely automated decisions, including profiling, that produce legal or similarly significant effects
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
Response Deadline
One calendar month from receipt, not a fixed 30 days. The ICO calculates this as the corresponding calendar date in the following month (received 3 September, respond by 3 October); if the following month has no such date, the deadline is its last day (received 31 January, respond by 28 February, or 29 in a leap year); if that date falls on a weekend or public holiday, you have until the next working day. The clock runs from the day you receive the request, whether or not it is a working day. You can extend by up to two further months if the request is complex or the individual has made several requests, but you must tell the data subject within the original month and explain why.
The first copy of the data must be provided free of charge. You can charge a reasonable fee for further copies, or for a request that is manifestly unfounded or excessive (where you may alternatively refuse it, giving reasons).
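To make the calendar-month rule concrete, the following is an added Python example (not code from the original page or from boringgovernance.com) that computes a SAR response date the way the ICO guidance describes: corresponding date next month, clamped to the month end when there is no such date, then rolled forward over weekends and public holidays. The bank-holiday set is a constructed sample for the test dates below, not the official list; a real tool must load the current GOV.UK bank-holiday data.

```python
import calendar
from datetime import date, timedelta

# Constructed sample of England and Wales bank holidays (2026), for
# illustration only. Load the official GOV.UK list in production.
SAMPLE_BANK_HOLIDAYS = frozenset({
    date(2026, 1, 1),    # New Year's Day
    date(2026, 4, 3),    # Good Friday
    date(2026, 4, 6),    # Easter Monday
    date(2026, 12, 25),  # Christmas Day
    date(2026, 12, 28),  # substitute day for Boxing Day (26 Dec is a Saturday)
})


def add_months(start: date, months: int) -> date:
    """Return the corresponding calendar date `months` later.

    If the target month has no such day (31 Jan + 1 month), clamp to the
    last day of that month, as the ICO guidance directs.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date, holidays=SAMPLE_BANK_HOLIDAYS) -> date:
    """Roll forward while the date is a Saturday, Sunday or listed holiday."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def sar_deadlines(received: date, extension_months: int = 0,
                  holidays=SAMPLE_BANK_HOLIDAYS) -> dict:
    """Compute the SAR dates for a request received on `received`.

    `extension_months` is 0, 1 or 2 (the UK GDPR allows at most two further
    months, and only for complex or multiple requests). Returns:
      - notify_extension_by: the original one-month date, by which any
        extension must be communicated to the data subject
      - respond_by: the date the response is actually due
    """
    if extension_months not in (0, 1, 2):
        raise ValueError("extension must be 0, 1 or 2 months")
    one_month = next_working_day(add_months(received, 1), holidays)
    respond_by = next_working_day(add_months(received, 1 + extension_months), holidays)
    return {"notify_extension_by": one_month, "respond_by": respond_by}


if __name__ == "__main__":
    for received, ext in [(date(2026, 3, 10), 0), (date(2026, 1, 31), 0),
                          (date(2026, 11, 25), 0), (date(2026, 3, 10), 2)]:
        print(received, ext, sar_deadlines(received, ext))
```

The two dates are returned separately because they are tracked separately in practice: a ticketing system should alarm on `notify_extension_by` even when an extension is planned, since an extension communicated after that date is late.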
Identity Verification
Required before disclosing personal data, because releasing someone's records to an impostor is itself a personal data breach. The ICO advises asking only for the information you reasonably need to confirm identity, proportionate to the sensitivity of the data and to what you already know about the requester (an existing customer who writes from their registered account needs far less than a stranger requesting medical records). Do not demand excessive documentation for routine requests. Where you have genuine doubts, you may ask for further identity information, and the ICO's guidance is that the one-month period then runs from the day you receive it.
Penalties
- Higher maximum: GBP 17.5 million or 4% of total annual worldwide turnover (whichever is higher) for the most serious infringements, including breaches of the data protection principles and of data subject rights such as access
- Standard maximum: GBP 8.7 million or 2% of total annual worldwide turnover (whichever is higher) for other infringements, such as failures in controller and processor obligations
- No cure period: there is no statutory grace period in which to remedy a breach before enforcement action can begin
- Private right of action: individuals can claim compensation for material or non-material damage under Article 82 UK GDPR, supplemented by section 168 of the Data Protection Act 2018
Enforced by the Information Commissioner's Office (ICO).
DSAR-Specific Exemptions
You may decline or limit a request when:
- Disclosure would reveal information about another identifiable individual who has not consented, and it is not reasonable to disclose without consent (you must still release what can be separated or redacted)
- The request is manifestly unfounded or excessive, for example repetitive requests with no reasonable interval; you must be able to justify this and must tell the requester why
- A Schedule 2 exemption under the Data Protection Act 2018 applies, such as legal professional privilege, crime prevention and detection, management forecasts, negotiations with the requester, or confidential references
- National security or other specific statutory exemptions apply
Exemptions are applied to the particular data they cover, not to the request as a whole, so a partial response is usually still required.
Who This Applies To
Any organisation established in the UK that processes personal data, with no size threshold and no revenue minimum. Organisations outside the UK are also caught if they offer goods or services to individuals in the UK or monitor their behaviour there (Article 3 UK GDPR).
For the full UK GDPR guide, see boringgovernance.com.
Related Guides
- How to Respond to a DSAR — response process
- DSAR Response Deadlines — all deadlines
- GDPR SAR Software — tools for handling SARs
- DSAR Exemptions — when you can refuse