Respond to a subject access request (SAR)

Handling SARs correctly is essential for compliance and client trust. This guide explains what solicitors need to do to meet UK GDPR requirements and safeguard privileged information.

31 Dec 2025

3 minute read

Anyone can ask for a copy of any personal data your practice holds on them. This is known as a subject access request (SAR).

You must respond to a SAR as soon as possible. The deadline to respond is within one month.

The one-month timeframe starts once you receive the SAR, or from when you receive any information you request to:

confirm the data subject’s identity
confirm that a third party is authorised to act on behalf of the data subject
collect a fee

Most of the time, you should respond to SARs for free. You can charge a reasonable fee for administrative costs if the request is manifestly unfounded or excessive, or if further copies of the same data are requested.

For more information, see the Information Commissioner's Office (ICO) SAR fees guidance.

Recognising a SAR

There’s no set way of making an access request. The person does not have to use a request form or call it an access request.

They can make a request for their data writing or verbally, to any person or part of your practice. A request can also be made through social media.

It is your responsibility to recognise a SAR, however the request is made.

If you’re not sure, check with the person that you’ve understood their request. This can avoid disputes later on.

All your staff should know:

how to identify a SAR
what to do when a SAR is made

When someone asks for access to their personal data, you must make reasonable and proportionate searches for any relevant data which you may hold.

Read the Information Commissioner’s Office (ICO) guidance on how to recognise a SAR.

Recording SARs

You’ll need to keep a record of the details of access requests.

It’s good practice to keep a log of any written requests as well as verbal requests made over the phone or in person.

How to respond

Before responding you need to check the identity of the person making the request.

You can ask for formal identification documents, but you should be reasonable and proportionate about what you ask for.

You do not need to ask for formal identification if you can use other information to verify who the person is.

You should remove any information about other people (third-party information) from the data they’ve requested.

When responding to the SAR you need to:

confirm that you’re processing their personal data
provide them with a copy of the personal data requested
give details of how the data is collected, used and disposed of

Provide a copy of their data

You must provide the requester with a copy of the data requested. The format for providing the data will depend on how it is requested.

If someone asks electronically (for example, by email), you must provide a copy electronically, unless they ask otherwise.

If the request is made by other means, you can send them a hard copy. For example, a printout or photocopy.

You should provide the information for free in an easily accessible format. It should be in a way that is easy for the requester to understand. You should:

explain any codes they would not know
write clearly in plain language
be transparent

You only have to provide the personal data, not the documents themselves. You can redact any information that belongs to other people.

Read the ICO's guide on how to supply SAR information.

Tell them how you use their data

You must let them know:

what category of data you hold. For example, sensitive (special) data
what it’s being used for
where you got it from
who it’s been disclosed to – particularly if it’s been disclosed internationally
how long you’ll keep it for, or what criteria you use to decide how long you keep it
how it’s being kept safe (if transferred internationally or to third countries)
details of any automated decision making, including profiling. For example, to predict their behaviour

You must also tell them they have the right to: