Subject Access Requests - the cost to your business

What is a subject access request?

Individuals have a right to request access and receive a copy of their data held by an organisation. Where an individual requests to access this data, or to find out how or why it is used, this is referred to as a subject access request (“SAR”), or a data subject access request.

SARs are relevant to any individual or organisation that processes personal data. As they are generally free and can be made easily without reason, individuals can submit requests in moments, yet responding to SARs is not so easy, and can take considerable time, effort and resource for businesses.


Why are SARs becoming more common?

The right for individuals to access their personal data held by organisations is not new and was first introduced by the Data Protection Act 1984. However, in recent years they seem to have become more prevalent, and a survey conducted by EY Law Professionals found that 60% of respondents had seen an increase in SARs in 2022, and this is expected to continue. A number of factors appear to have driven the increased demand:

  • Ease – The General Data Protection Regulation (“GDPR”), introduced in 2018, has made it even easier for individuals to submit requests and access their data.
  • Awareness – There have been several recent high-profile requests made by public figures, and this has increased public awareness and understanding.
  • Additional benefits – There has also been an increase in requests stemming from employment disputes, with employees seeking to access early disclosure of documents or leverage in settlement discussions.

The above factors, combined with an ever data reliant and data conscious society, have resulted in a huge increase in SARs.


Why should you consider outsourcing SARs?

Not only have SARs become increasingly common, but the level of data processed and retained by organisations has also increased, which has resulted in SARs becoming far more complicated for organisations to process and manage. Organisations typically have to retrieve data from various platforms and databases, and with new forms of technology appearing in the form of artificial intelligence, this will only increase.

Most organisations do not possess dedicated SAR resources, meaning that staff are removed from their usual roles, at the expense of the daily duties and requirements of the organisation. Since complex SARs take a considerable time to process, the result is a high internal cost to the business. Some organisations have also found an increase in ‘bulk’ requests, which can make outsourcing integral to managing their legal obligation whilst also ensuring business continuity.

This is coupled with the requirement to respond within one month of receiving the request. Whilst extensions are possible to the one-month turnaround time, these must be justifiable, and the result is a labour intensive effort to meet the deadline.

As noted above, employee-related requests are increasingly common and make up approximately a third of requests (EY Law Survey 2022). Given the complexity of different employees’ personal data, coupled with important considerations regarding the applicability of exemptions, employee related requests are even more complicated. This is particularly the case if the context of the request is an employment dispute. Obtaining the correct advice and support in these instances is integral.


Why should you take SARs seriously?

The potential outcomes for failing to respond to a SAR properly include complaints made to the Information Commissioners Office, who may issue an fines or enforcement notice requiring certain action to be taken. Not only do such notices have a reputational risk associated with them, but individuals can also request that they receive compensation for failing to comply with the legislation. Whilst the level of damages awarded by the courts is relatively low, the costs associated with dealing with such a claim (particularly if there are many of them) may become very costly.


How can DMH Stallard help?

SARs will only become more frequent and more of a burden on organisations, regardless of how compliant your organisation is, and so ensuring you are prepared and have the appropriate resource is key.

At DMH Stallard, our commercial and employment team are experienced in providing expert advice and can review and assist with all aspects of your SARs.

If you would like any further information, or assistance, please contact us.

About the authors

about the author img

Georgie Swift

Trainee Solicitor

Supports the Commercial team on a variety of matters and is currently training to qualify as a Solicitor.
about the author img

Rebecca Leeves

Senior Associate

Advises on all areas of Commercial Law and business matters with experience gained across a broad range of industry sectors including education and IT.

Stay connected, sign up for updates

Stay connected

Recent articles


Corporate leadership in addressing modern slavery risk

In this episode, we delve into the pressing issue of modern slavery and the broader context of ESG for organisations.



International trade and trading across borders; the financial and legal implications

In this episode, we delve into the risks and opportunities confronting businesses involved in global trade or aspiring to expand their international footprint amidst the current economic climate.


Media spotlight

DMH Stallard noted as one of the best firms for championing women writes about the number of female professionals ranked in leading legal directory Legal500, with DMH Stallard holding 14 rankings across 20+ departments in the latest edition.



Problems with selling your business and minority shareholders

Drag Along rights… No, not a date with Ru Paul, but a crucial and little-known clause outside legal circles.