I’ve received a subject access request. What should I do?
I’ve received a subject access request (SAR) from a former client. Am I obliged to provide any documentation containing the client’s personal data?
No. Under the UK General Data Protection Regulation (GDPR), you are required to provide the personal data.
There is no obligation on your firm to provide full copies of documents or even those parts of documents containing the personal data.
As long as the personal data is provided, it can be extracted from the original documents and presented as part of a new document created for the purposes of responding to the subject access request.
Alternatively, it can be presented in its original format with any other information redacted where this is not the individual's personal data.
For more information, see our:
While every effort has been made to ensure the accuracy of the information in this article, it does not constitute legal advice and cannot be relied upon as such. The Law Society does not accept any responsibility for liabilities arising as a result of reliance upon the information given.
Have you got a practice question?
Call the Practice Advice Service on 020 7320 5675 or email email@example.com.
The Practice Advice Service is staffed Monday to Friday from 9am to 5pm.