neart.ai
EcosystemStoryHow We BuildPricingBlog
Try Inspected →
neart.ai
EcosystemStoryHow We BuildBlog

Ní neart go cur le chéile

A SaltCore Group Limited company

© 2026 neart.ai · SaltCore Group Limited. All rights reserved.

Compliance & Security

How to Handle a Data Subject Access Request, Step by Step

25 February 20254 min read

## The short answer


When someone asks for a copy of the personal data you hold about them — a "subject access request", or SAR — you must respond, usually within one calendar month, normally free of charge, and provide both a copy of their data and certain explanatory information. A SAR can arrive by any means: an email, a phone call, a social media message, or a letter. It does not have to mention GDPR or use the phrase "subject access request" to count. Recognising one quickly is half the battle.


Getting this right protects you from complaints and shows customers you take their rights seriously. Getting it wrong — ignoring the request, missing the deadline, or over-sharing — is one of the most common sources of data protection complaints.


## Step 1: Recognise and log the request


The moment any team member receives what might be a SAR, it should be logged and the clock started. Train front-line staff to spot phrases like "send me everything you have on me" or "what data do you hold about me". The one-month deadline runs from the day you receive the request, so internal delays eat into your time.


## Step 2: Verify identity


You are entitled — indeed obliged — to confirm the requester is who they say they are before releasing data. Ask for reasonable proof of identity, proportionate to the sensitivity of the data. Do not use verification as a stalling tactic; if you need ID, request it promptly, because the clock can pause only until you receive the information you reasonably need.


## Step 3: Clarify the scope if needed


If you process a large amount of data about the person, you may ask them to specify what they are looking for — for example, a particular time period or type of record. You cannot force them to narrow it, but a reasonable clarification request can make the search manageable.


## Step 4: Search thoroughly


Look everywhere the person's data might live:


- CRM and customer databases

- Email inboxes and sent folders

- Order and billing systems

- Support ticket histories

- Spreadsheets and shared drives

- Backups, where reasonably accessible


A half-hearted search that misses an obvious system is a frequent cause of follow-up complaints.


## Step 5: Decide what to redact


You must provide the requester's own personal data, but not necessarily everything in a document. Redact:


- **Third-party personal data** where disclosing it would unfairly affect another person and they have not consented.

- **Information covered by an exemption**, such as certain legal privilege or confidential references in some cases.


The goal is to give the person their data without compromising others' rights.


## Step 6: Provide the response


Your response should include:


- A copy of the personal data itself, in an accessible format (commonly electronic if they asked electronically).

- The purposes of your processing.

- The categories of data and recipients.

- How long you keep the data, or how that is decided.

- A reminder of their rights to rectification, erasure, and to complain to the ICO.


## Timing and fees


The standard deadline is one month. You may extend by up to two further months for complex or numerous requests, but you must tell the person within the first month and explain why. Responses are normally free; you can only charge a reasonable fee or refuse where a request is "manifestly unfounded or excessive", and that bar is high — do not reach for it casually.


## Common pitfalls


- **Missing the deadline** because the request sat in a shared inbox.

- **Over-redacting** out of caution and effectively denying the person their own data.

- **Under-redacting** and leaking a third party's details.

- **Demanding excessive ID** as a delaying tactic.

- **Refusing because the request seems inconvenient** — inconvenience is not a lawful ground.


## Build a repeatable process


The organisations that handle SARs calmly are the ones that prepared before the first request arrived: a logging method, a search checklist of every system holding personal data, a redaction guide, and a response template. This is the same design-first discipline we apply when building enterprise-grade products at neart.ai — anticipate the obligation and make the response routine rather than a scramble.


## Practical takeaway


Create a one-page SAR playbook now: how to recognise a request, how to verify identity, a checklist of every place personal data lives, redaction rules, and a response template. Start the one-month clock the day the request lands. With a process in place, a SAR becomes a half-day task rather than a panic — and your customers see a business that respects them.

Related posts

Compliance & Security

Does GDPR Apply to My Small Business? A Plain-English Test

Compliance & Security

The Six GDPR Lawful Bases: How to Choose the Right One

Compliance & Security

Data Breach Reporting: When You Must Tell the ICO Within 72 Hours