What Is a Subject Access Request (SAR)?
A concise introduction to subject access requests under UK and EU data protection law, and how they fit into your compliance obligations.
Last updated: 2026-02-07
Subject Access Requests and Your Compliance Obligations
A subject access request (SAR) is the UK and EU terminology for what is more broadly known as a Data Subject Access Request (DSAR). It gives any individual the legal right to obtain a copy of the personal data an organization holds about them, along with details about how and why that data is being processed.
Under the UK GDPR, EU GDPR, and the Data Protection Act 2018, responding to SARs is a binding legal requirement. For organizations managing compliance across multiple regulatory frameworks, understanding SAR obligations is essential to maintaining defensible data governance practices.
The practical implications for your business are straightforward:
- SARs can come from anyone — employees, customers, former clients, even job applicants whose CVs you still hold
- The requester does not have to follow any formal process; a simple email counts
- You have 30 calendar days to respond under UK and EU GDPR, with a possible extension for complex requests
- You must provide the first copy of the data free of charge
The challenge for most organizations is not understanding the right itself, but operationalizing it: knowing where all personal data lives, retrieving it efficiently, and redacting third-party information before disclosure.
For the full breakdown of SAR requirements, verification processes, and the complete list of information you must include in your response, visit boringdsar.com.
Build a Defensible SAR Process
Our DSAR Compliance Guide covers the end-to-end process for handling subject access requests — from intake through response — in a format designed for practical implementation.