Press "Enter" to skip to content

Subject Access Requests: Common Misconceptions Debunked

By Kieron JH – The Reasonable Adjustment

Subject Access Requests (SARs) are a key right under the UK GDPR and the Data Protection Act 2018. They allow individuals to request the personal data an organisation holds about them. But there’s a surprising amount of misinformation about how SARs work – even among the organisations receiving them.


📌 Myth #1: “You have to fill in our SAR form”

This is one of the most common – and most incorrect – myths. While an organisation can offer a standard form to help streamline requests, you are not required to use it.

A valid SAR can be made by:

  • Email
  • Social media (yes, really – if it clearly identifies you)
  • Even verbally – though having a record is always wise

What matters is clarity, not formality. If the organisation can identify you and understand that you’re asking for your personal data – that’s a valid SAR.


📌 Myth #2: “You have to tell us why you want your data”

Nope. Under UK GDPR, there’s no requirement for individuals to justify their request. You do not need to explain your reasons, your intentions, or what you plan to do with the data.

It’s your legal right – full stop.


📌 Myth #3: “We can just delete your data if you complain”

Some organisations wrongly believe they can avoid dealing with a SAR by deleting your data after you ask. Not only is this bad faith – it’s potentially unlawful.

If a SAR has been submitted and the organisation deletes data to avoid compliance, this could amount to deliberate obstruction. The Information Commissioner’s Office (ICO) takes this seriously – and so should they.


📌 Myth #4: “We have months to respond”

The time limit is clear: One calendar month from the date of receipt.

This can be extended by a further two months only if the request is complex – and the organisation must explain why.

Silence is not an extension. Delays without justification are non-compliance.


📌 Myth #5: “We can charge you a fee”

SARs are free by default. An organisation can only charge if:

  • The request is manifestly unfounded or excessive
  • You request multiple copies of the same data

Even then, the fee must be reasonable and proportionate.


🧾 What to Include in Your SAR

You don’t need to say much, but a solid SAR includes:

  • Your full name and contact details
  • A clear request for “all personal data held” or specific types of data
  • A preferred format (e.g. email)
  • Request internal correspondence – our SAR guide can help you with this!

Example:

Hello, I’m requesting access to all personal data your organisation holds on me, under Article 15 of the UK GDPR. Please respond within the one-month statutory deadline. I am happy to provide ID if required.


✅ Final Thoughts

SARs are one of the simplest rights to exercise – and one of the most commonly misunderstood. You don’t need a form. You don’t need a reason. And you don’t need to play by processes invented to delay you.

Know your rights. Log everything. And if they ignore you – the ICO is your next stop.

Kieron JH The Reasonable Adjustment [email protected]

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *