Data Subject Access Request Policy and Procedure
This Data Subject Access Request Policy and Procedure is an internal UK GDPR policy designed to help organisations and their staff recognise, manage, and respond to subject access requests (SARs) in a consistent and compliant way.
It explains the right of access, the stages involved in handling a SAR, and the different responsibilities of staff generally and those specifically authorised to deal with requests.
The document has been updated to reflect changes introduced by the Data (Use and Access) Act 2025, including the statutory requirement to carry out “reasonable and proportionate” searches for personal data.
What this policy is for
The right of access is one of the core rights under the UK GDPR. It allows individuals to ask what personal data an organisation holds about them, what it is doing with that data, and why, and to obtain a copy of their personal data.
This policy is designed to guide your organisation through that process from start to finish, including recognising requests that may not be labelled as SARs and making sure they are passed to the appropriate person, such as a Data Protection Officer where one is appointed.
What the policy covers
- how to recognise a SAR, including requests made orally or in writing;
- what to do when a SAR is received;
- identity checks and clarifying the scope of a request;
- fees, time limits, and the information that must be provided;
- locating personal data across filing systems;
- refusing to respond and the exemptions to the right of access; and
- implementation, review, and compliance within the organisation.
Built for internal use
This is an internal policy rather than a customer-facing document. It is intended to work alongside an existing Data Protection Policy, while your Privacy Notice should explain your use of personal data to data subjects.
Where you want a separate document explaining data subject rights in more detail, without overloading your Privacy Notice, a Data Subject Rights Policy may also be useful.
Helps you manage the practical search process
A key part of the policy deals with locating personal data in response to a SAR. For some organisations this may be straightforward, but where data is held across multiple systems or filing locations, a clear internal process is important to help ensure a complete response.
The policy therefore includes a section focused on finding relevant information and documenting where it may be held. This is particularly helpful when carrying out the “reasonable and proportionate” searches now reflected in legislation.
For broader practical guidance on recognising SARs, what to provide, requests made on another person’s behalf, and dealing with data about others or data held by processors, see the Data Subject Access Request Guidance Notes. You may also want to use this policy alongside the SAR Letter - Acknowledgement, SAR Letter - Fee and or Additional Time, and SAR Letter - Receipt of Additional Information or Proof of Identity.
