Subject Access Request Form: How to Create and Process SAR Submissions
How to create an effective SAR form for your organization. Essential fields, best practices, and how to process incoming requests efficiently.
Last updated: 2026-04-12
Why You Should Provide a SAR Form
You are not required to provide a subject access request form. Under the UK GDPR and EU GDPR, individuals can make a SAR in any format — a formal letter, a casual email, a phone call, or a message through social media. They do not need to use a specific form, cite any legislation, or even use the phrase "subject access request."
Disclaimer: This content is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the UK GDPR, the EU GDPR, and ICO guidance, as of the date of publication.
But providing a form is still one of the most practical things you can do for your DSAR process. Here is why.
It helps you collect the information you need upfront. When someone sends a free-text email saying "I want all my data," you often need to go back to them with follow-up questions: What name is your account under? What email address did you use? What date range are you interested in? A well-designed form captures this information at the point of submission, saving time on both sides.
It makes identification easier. A form can include fields for account numbers, customer IDs, or other identifiers that help you locate the requester's data quickly. Without a form, you may need to exchange several messages before you have enough information to start your search.
It creates a clear record. A form submission gives you a timestamped, structured record of exactly what was requested and when. This is useful for tracking deadlines, demonstrating compliance, and resolving any disputes about what was asked for.
It reduces ambiguity. Free-text requests can be vague. A form with clear fields and options helps requesters articulate what they want, which reduces back-and-forth and speeds up the response.
The Critical Rule
Providing a form is fine. Requiring someone to use your form is not. If an individual submits a valid SAR through any channel — email, letter, phone, social media, in person — you must process it regardless of whether they used your form. Your form is a convenience tool, not a gatekeeper.
The ICO has been explicit about this: organizations cannot refuse to process a SAR on the grounds that the person did not use a prescribed form. If you direct someone to your form and they say "I've already told you what I want in my email," that email is the SAR, and the clock is running.
Essential Fields to Include in Your SAR Form
A good SAR form collects enough information to locate the requester's data and process the request efficiently, without being so long or intrusive that it discourages people from using it.
Requester Identification
Full name (required). Include a field for current legal name and a separate field for any previous names they may have used (maiden name, name before deed poll, etc.). Your records may hold data under a different name than the one they use now.
Date of birth (recommended). Helps distinguish between individuals with the same name, particularly in larger organizations.
Contact details for response (required). An email address or postal address where you should send the response. Make clear that the response will be sent to this address and that it will contain their personal data — this prompts the requester to provide a secure and accurate address.
Account and Reference Information
Account number or customer ID (recommended). If the requester has an account with you, this is the fastest way to locate their records.
Email address(es) used with your organization (recommended). People often use different email addresses for different services. Asking which email addresses they used helps you search the right records.
Other identifying references (optional). Depending on your business, this might include order numbers, membership numbers, employee IDs, or case reference numbers.
Scope of the Request
Date range (optional). The requester is entitled to all their personal data regardless of date range, but offering a date range field can help both parties. Some people only want data from a specific period — for example, relating to a particular transaction or employment period. If they provide a date range, you can prioritize that data. If they leave it blank, you search everything.
Specific data or systems of interest (optional). Some requesters want everything. Others are looking for something specific — their email correspondence, their HR file, their CCTV footage from a particular date. Providing a field for this helps you understand their priority without limiting the scope of your legal obligation.
Type of request (optional but useful). A simple checkbox or dropdown asking whether the requester wants:
- A copy of all personal data you hold about them
- Specific categories of data (with a text field to describe)
- Information about how their data is processed (supplementary information under Article 15)
This helps you understand what the person is actually after, which is useful for prioritizing your search effort.
Identity Verification
Proof of identity. You are entitled to verify the identity of the requester before releasing personal data. Your form should explain what identity documents you accept and how to submit them. Common options include:
- A copy of a government-issued photo ID (passport, driving license)
- A recent utility bill or bank statement showing their name and address
- Verification through their existing account (for example, submitting the request while logged in)
The level of verification should be proportionate to the sensitivity of the data and the risk of disclosing it to the wrong person. If a customer submits a SAR through their authenticated account, you probably do not need a passport copy. If someone contacts you out of the blue claiming to be a former customer, you will need more verification.
For a detailed guide on proportionate identity verification, see our DSAR identity verification guide.
Submission Method
How to submit the form. Provide clear instructions for submitting the completed form. Options include:
- An online web form (the most efficient option for most organizations)
- Email submission to a designated address (for example, [email protected])
- Postal submission to a specific address
- In-person submission at your premises
If you offer an online form, make sure the submission is encrypted and that the data is stored securely. If you accept email submissions, consider providing a secure upload link for identity documents rather than having people email copies of their passport.
Best Practices for Online SAR Forms
An online form is the most efficient way to receive and process SARs. Here is how to build one that works well.
Keep It Short
The form should be completable in under five minutes. Every unnecessary field is friction that discourages use. Stick to the essential fields listed above and resist the urge to add questions that serve your curiosity rather than the requester's rights.
Use Plain Language
Avoid legal jargon. Instead of "Data Subject Access Request pursuant to Article 15 of the UK GDPR," use "Request a copy of your personal data." The people filling out this form may not be familiar with data protection terminology, and they should not need to be.
Explain Why You Are Asking
For each field, provide a brief explanation of why the information is needed. For example: "We ask for your date of birth to make sure we locate the correct records, especially if other people share your name." This builds trust and increases form completion rates.
Confirm Receipt Automatically
When someone submits your online form, send an automatic confirmation email that includes:
- Confirmation that their request has been received
- The date of receipt (this is when the one-month clock starts)
- What happens next (identity verification, expected timeline)
- A reference number for tracking
This acknowledgment is not a legal requirement, but it is good practice and reduces follow-up inquiries.
Make It Accessible
Your SAR form must be accessible to people with disabilities. This means:
- Proper form labels and ARIA attributes for screen readers
- Sufficient color contrast
- Keyboard navigability
- Clear error messages
- An alternative method for people who cannot use online forms (postal or email)
If your form is inaccessible, some individuals will be unable to exercise their right of access through your preferred channel. Provide alternatives.
Best Practices for Paper SAR Forms
Some organizations still need to offer a paper form option, either because their customers prefer it or because they operate in contexts where online access is not universal.
Keep the layout clean and readable. Use a clear typeface, adequate font size (minimum 12pt), and enough space for handwritten responses.
Provide clear instructions. At the top of the form, explain what a SAR is, what the form is for, where to send it, and what identity documents need to be included.
Include a return address. Pre-print your postal address and, if applicable, a freepost address. Making it easy to return the form increases the likelihood that people will use it.
Consider a prepaid return envelope. If you mail the form to someone, including a prepaid return envelope removes a barrier to submission.
How to Process Incoming SAR Forms Efficiently
Receiving the form is only the first step. Here is how to handle incoming submissions systematically.
1. Log the Request Immediately
Record the date of receipt, the requester's details, and the deadline. Your one-month clock starts when you receive the form, so accurate logging is essential. Use a tracking spreadsheet, a ticketing system, or a dedicated DSAR log — whatever works for your organization's size and volume.
2. Acknowledge Receipt
Send a confirmation to the requester within one to two business days. Confirm what you have received, provide a reference number, and outline the next steps (identity verification if needed, expected timeline).
3. Verify Identity
If the requester's identity needs to be verified, request documentation promptly — ideally the same day you receive the form. Do not wait. The ICO takes a practical view that the clock can effectively start from when verification is received, but only if you request verification without delay.
4. Begin Your Data Search
Start searching your systems as soon as you receive the form, even if identity verification is still pending. You can compile the data while waiting for verification, and then release it once identity is confirmed. This approach ensures you do not waste time if verification takes a few days.
5. Compile, Review, and Redact
Gather all personal data from all relevant systems. Review for third-party data that needs to be redacted, legally privileged material that is exempt, and any other applicable exemptions. Prepare the supplementary information required under Article 15.
6. Send the Response
Provide the response securely within the one-month deadline. If you are sending by email, consider using an encrypted file or a secure download link. If by post, use recorded delivery. Confirm with the requester that the response has been sent and how to access it.
7. Close and Record
Once the response has been sent, record the completion date, what was provided, and any data that was withheld (with the exemption relied upon). Retain this record as evidence of compliance.
Tips for Making the Form Accessible and Clear
Translate the form if needed. If you serve customers or employ people who speak languages other than English, consider providing the form in those languages.
Offer multiple channels. Not everyone can or will use an online form. Offer at least two submission methods — for example, an online form and an email address.
Do not hide the form. Put a link to your SAR form in your privacy policy, on your contact page, and in any page that discusses data rights. If people cannot find the form, it does not serve its purpose.
Test the form. Have someone unfamiliar with data protection attempt to complete the form. If they struggle, simplify it.
Review the form regularly. As your data processing activities change, update the form to reflect new systems, categories of data, or submission methods.
References
- UK GDPR Article 15: Right of access by the data subject.
- UK GDPR Article 12: Transparent information, communication and modalities.
- ICO Guidance: Right of access — how should we deal with requests.
Last reviewed: April 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.