How to Manage a Subject Access Request (SAR) Under UK GDPR in 2025
You have one month to respond to a Subject Access Request. Get it wrong, and face a £17.5m fine. Our guide shows you how.
• public
What is a Subject Access Request (SAR) Under UK GDPR?
Defining Personal Data and the Right of Access
A Data Subject Access Request represents one of the most fundamental rights under modern data protection legislation. When an individual submits a SAR, they are exercising their legal entitlement to discover what personal information an organisation holds about them, how it's being processed, and why it's being stored. This encompasses everything from basic contact details and transaction records to more complex data like behavioural analytics and communication logs.
Personal data extends far beyond simple identification details. It includes any information that can directly or indirectly identify a living person, such as:
- Basic contact details and transaction records
- Behavioural analytics and communication logs
- IP addresses and location data
- Online identifiers and opinions expressed about individuals
The scope of what constitutes personal data has expanded significantly in our interconnected world, making subject access requests increasingly complex to fulfil.
The right of access serves as a transparency mechanism, enabling individuals to verify the accuracy of their data and understand how organisations process their information. This right empowers people to make informed decisions about their privacy and provides a foundation for exercising other data protection rights, such as rectification or deletion.
Legal Basis: UK GDPR and Data Protection Act 2018
The legal framework governing Data Subject Access Requests stems from both the UK General Data Protection Regulation and the Data Protection Act 2018. These regulations establish clear obligations for data controllers and processors when handling personal data requests. Under Article 15 of the UK GDPR, individuals have the right to obtain confirmation that their personal data is being processed and to access that data along with supplementary information.
The Data Protection Act 2018 provides additional context and specific exemptions that may apply in certain circumstances. Together, these pieces of legislation create a comprehensive framework that balances individual privacy rights with practical business considerations. Organisations must comply with these requirements regardless of their size or sector, making SAR management a universal concern across the UK business landscape.
Non-compliance can result in significant penalties, with the Information Commissioner's Office empowered to issue fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher. This regulatory framework ensures that data subject access requests are treated with appropriate seriousness and urgency.
Recognising and Validating a Subject Access Request
Different Formats of a SAR (Verbal, Written, Social Media)
Modern Data Subject Access Requests arrive through various channels, and organisations must recognise each format as potentially valid. Traditional written letters and formal emails remain common, but requests increasingly come through social media platforms, instant messaging services, and even verbal communications during phone calls or face-to-face interactions.
A valid SAR doesn't require specific wording or formal language. An individual might simply ask "what information do you hold about me?" during a customer service call, and this constitutes a legitimate request. Social media comments, direct messages, and posts mentioning the organisation can all contain subject access requests that require proper handling.
SAR Format | Examples | Key Recognition Points |
|---|---|---|
Written/Email | Formal letters, emails | Clear written request for personal data |
Verbal | Phone calls, face-to-face | "What information do you hold about me?" |
Social Media | Comments, DMs, posts | Mentions requesting personal data |
The challenge lies in ensuring all staff members across different departments can identify these requests when they occur. Customer service representatives, social media managers, and reception staff all need training to recognise and appropriately escalate potential SARs. Creating a culture of awareness helps prevent requests from being overlooked or mishandled due to their informal presentation.
Verifying the Identity of the Requester
Identity verification represents a critical balance between protecting personal data and facilitating legitimate access requests. Organisations must implement robust procedures to confirm that the person making the request is indeed the data subject or their authorised representative.
Identity verification typically requires:
- Photographic identification (passport or driving licence)
- Proof of address (utility bills or bank statements)
- Proportionate measures based on data sensitivity
The verification process should be proportionate to the sensitivity and volume of data involved. For simple requests involving minimal data, basic verification might suffice, while complex requests involving extensive personal information may require more thorough identity checks. Organisations should document their verification procedures and apply them consistently to avoid discrimination or unfair treatment.
Digital verification methods are becoming increasingly sophisticated, with some organisations implementing secure online portals where individuals can upload identification documents. However, these systems must themselves comply with data protection principles, ensuring that verification data is handled securely and retained only for as long as necessary.
Handling Third-Party Requests
Third-party requests introduce additional complexity into the SAR process, requiring careful consideration of authority and consent. When someone other than the data subject makes a request, organisations must verify both the identity of the requester and their authority to act on behalf of the data subject. This might involve powers of attorney, parental responsibility, or explicit written consent from the individual concerned.
Legal representatives often submit subject access requests on behalf of clients, particularly in employment disputes or personal injury cases. These requests require careful handling to ensure that confidentiality obligations are respected while facilitating legitimate legal processes. Organisations should establish clear procedures for handling legally privileged requests and consider seeking their own legal advice when necessary.
Special considerations apply when dealing with requests involving deceased individuals, where different rules may apply under the Data Protection Act 2018. Understanding these nuances helps organisations respond appropriately while protecting the interests of all parties involved.
Navigating the Timeline for Responding to SARs
The Standard One-Month Period
The one-month response timeframe for Data Subject Access Requests begins from the day the organisation receives the request, not from when they acknowledge it or begin processing it. This strict deadline requires efficient internal processes and clear accountability for SAR management. Organisations must prioritise these requests appropriately, ensuring that adequate resources are allocated to meet statutory obligations.
Calendar months, rather than working days, apply to this deadline, meaning that weekends and bank holidays don't extend the response period. This can create challenges during busy periods or when requests are received just before holiday seasons. Effective SAR management requires planning for these scenarios and maintaining appropriate staffing levels throughout the year.
The one-month period encompasses all aspects of the response, from initial verification through data compilation to final delivery. This tight timeframe emphasises the importance of having streamlined procedures and appropriate technology in place to facilitate efficient data retrieval and processing.
Extending the Time Limit for Complex or Numerous Requests
When Data Subject Access Requests involve particularly complex processing or large volumes of data, organisations may extend the response period by an additional two months. This extension must be justified by the complexity of the request rather than simply the inconvenience to the organisation. Common scenarios for extensions include requests spanning multiple systems, involving numerous third parties, or requiring extensive redaction to protect other individuals' privacy.
When extending SAR timelines:
- Notify the data subject within one month of the original request
- Clearly explain the reasons for the delay
- Provide an estimated completion date
- Ensure the extension is genuinely justified by complexity
The extension provision shouldn't be used as a default response to avoid the standard one-month deadline. Organisations must demonstrate genuine necessity for additional time and ensure they use the extended period productively to compile a comprehensive response.
Pausing the Clock for Clarification or Verification
The response timeline can be paused when organisations require additional information to process a Data Subject Access Request effectively. This might occur when the request is ambiguous, when identity verification is incomplete, or when clarification is needed about the specific data being sought. However, organisations cannot pause the clock indefinitely or use this provision to avoid their obligations.
When requesting clarification, organisations should be specific about what additional information they need and why it's necessary for processing the request. Vague requests for "more information" are insufficient and may be viewed as attempts to delay compliance. The pause continues until the requested clarification is provided, at which point the original timeline resumes.
Organisations should maintain clear records of any clarification requests and the responses received. This documentation helps demonstrate good faith efforts to comply with the request while ensuring that the final response is accurate and complete.
Conducting a Reasonable Search for Relevant Data
Identifying and Accessing Data Sources in 2025
The data environment has become increasingly complex, with personal information potentially stored across dozens of different systems and platforms. A reasonable search for Data Subject Access Request purposes must encompass traditional databases, cloud storage systems, email archives, and modern collaboration tools. Organisations need comprehensive data mapping exercises to identify all potential sources of personal information.
Essential data sources to search:
- Traditional databases and customer records
- Email systems and archives
- Cloud storage platforms
- Collaboration tools (Teams, Slack, etc.)
- Backup systems and archived data
- Mobile device data and applications
Cloud-based systems present particular challenges, as data may be stored across multiple geographic locations and managed by third-party providers. Organisations must understand their data flows and ensure they can access all relevant information within required timeframes. This often requires careful contract management with cloud service providers to ensure SAR obligations can be met.
Backup systems and archived data add another layer of complexity to the search process. While organisations aren't required to restore backup tapes specifically for a SAR, they must search reasonably accessible archives and consider whether backup data contains information not available elsewhere.
The Challenge of Teams, Slack, and Other Collaboration Tools
Modern workplace collaboration platforms like Microsoft Teams, Slack, and similar tools create significant challenges for Data Subject Access Request processing. These platforms generate vast amounts of conversational data, file sharing records, and interaction logs that may contain personal information about the requesting individual.
The real-time, informal nature of these communications makes them difficult to search and categorise effectively. Personal information might be scattered across multiple channels, private messages, and shared documents, requiring sophisticated search techniques to identify relevant content. Traditional keyword searches may miss important contextual information or fail to identify data that's been shared through images or voice messages.
Organisations must develop specific procedures for searching these modern communication tools, often requiring specialised software or manual review processes. The challenge is compounded when employees use these platforms for both work and personal communications, requiring careful consideration of what information is within scope for business-related SARs.
Strategies for Efficient Data Retrieval
Effective Data Subject Access Request processing requires systematic approaches to data retrieval that balance thoroughness with efficiency. Organisations should maintain current data inventories that map where different types of personal information are stored and how it can be accessed. This preparation significantly reduces the time required to locate relevant data when requests are received.
Automated search tools can help identify personal data across multiple systems, but they must be configured carefully to avoid missing relevant information or retrieving excessive amounts of irrelevant data. Regular testing and refinement of search parameters helps ensure these tools remain effective as data systems evolve.
Cross-departmental coordination becomes essential when personal data spans multiple business functions. HR departments, IT teams, customer service units, and legal teams must work together to ensure comprehensive data retrieval. Clear internal communication protocols help prevent important information from being overlooked during the search process.
Preparing and Providing the SAR Response
What Information Must be Included?
A comprehensive Data Subject Access Request response must include not only the personal data itself but also substantial supplementary information that provides context and transparency. The response should detail the purposes for which personal data is processed, the categories of data involved, and any recipients or categories of recipients who have access to the information.
Information about data retention periods helps individuals understand how long their information will be held, while details about the source of the data provide transparency about how it was originally collected. If the organisation engages in automated decision-making or profiling, the response must include meaningful information about the logic involved and the significance of such processing.
When personal data has been transferred to countries outside the UK, the response should include information about the appropriate safeguards in place to protect the data during transfer. This level of detail ensures that individuals have a complete picture of how their information is managed throughout its lifecycle.
Presenting Data Clearly and Accessibly
The format and presentation of Data Subject Access Request responses significantly impact their usefulness to the requesting individual. Information should be organised logically, with clear headings and explanations that help non-technical recipients understand the content. Avoiding technical jargon and providing plain English explanations makes the response more accessible to all requesters.
Data should be presented in commonly used formats that don't require specialised software to access. While organisations aren't required to create new systems specifically for SAR responses, they should ensure that the chosen format is reasonably accessible to the average person. Providing data in structured formats like tables or spreadsheets can help recipients navigate large volumes of information more effectively.
Visual presentation matters, particularly for lengthy responses involving multiple data sources. Clear section breaks, consistent formatting, and logical organisation help recipients find specific information they're seeking. Including a contents page or index for extensive responses demonstrates attention to the recipient's needs and improves the overall user experience.
Ensuring Secure Delivery of Personal Data
Secure delivery of Data Subject Access Request responses requires careful consideration of the sensitivity and volume of personal data involved. Electronic delivery methods should incorporate appropriate encryption or password protection to prevent unauthorised access during transmission. Many organisations use secure email services or dedicated portals that require authentication to access the response materials.
For physical delivery of hard copy responses, organisations should use tracked postal services or secure couriers to ensure the data reaches its intended recipient safely. The packaging should be discrete and not reveal the nature of the contents to prevent inadvertent disclosure of personal information.
Delivery methods should be agreed with the requester where possible, taking into account their preferences and any accessibility requirements they may have. Some individuals may prefer physical copies due to limited technical skills, while others may find electronic delivery more convenient. Accommodating reasonable preferences demonstrates good customer service while maintaining security standards.
When Can an Organisation Refuse a Subject Access Request?
Manifestly Unfounded or Excessive Requests
While the right to make a Data Subject Access Request is fundamental, it's not absolute. Organisations can refuse requests that are manifestly unfounded or excessive, but this refusal must be justified with specific evidence rather than general assertions about inconvenience. Manifestly unfounded requests might include those made with malicious intent or based on clearly false premises about what data the organisation holds.
Excessive requests typically involve unreasonable repetition within short timeframes or demands that would impose a disproportionate burden on the organisation's resources. However, the bar for refusing requests on these grounds is deliberately high, and organisations must demonstrate that normal business operations would be significantly disrupted by compliance.
When refusing a request on these grounds, organisations must clearly explain their reasoning and inform the individual of their right to complain to the Information Commissioner's Office. The refusal should be specific to the circumstances rather than relying on template responses that may not address the particular issues involved.
Balancing the Rights of Others: Third-Party Data
Data Subject Access Requests frequently involve information that relates to multiple individuals, creating tensions between different people's privacy rights. When personal data about the requester is inextricably linked with information about others, organisations must carefully consider how to respond without inappropriately disclosing third-party information.
Simple redaction may be sufficient in some cases, where names or identifying details can be removed while still providing meaningful information to the requester. However, more complex situations may require detailed consideration of competing rights and interests, potentially involving legal advice to ensure appropriate balance is maintained.
The assessment should consider the nature of the relationships involved, the sensitivity of the information, and any legitimate interests that different parties may have in disclosure or non-disclosure. This nuanced approach helps protect everyone's rights while still facilitating meaningful access to personal data.
Applying Exemptions Under the Data Protection Act 2018
The Data Protection Act 2018 provides specific exemptions that may limit the information disclosed in response to a Data Subject Access Request.
Common Data Protection Act 2018 exemptions:
- National security matters
- Crime prevention and detection
- Regulatory functions
- Legal professional privilege
- Health and social work records
However, exemptions must be applied narrowly and only to the extent necessary to protect the relevant interests.
Legal professional privilege represents one of the most commonly applied exemptions, particularly in employment or commercial disputes where legal advice has been sought. However, this exemption only applies to genuinely privileged communications and cannot be used broadly to withhold any information related to legal matters.
Organisations applying exemptions must document their reasoning carefully and be prepared to justify their decisions if challenged. The burden of proof lies with the organisation to demonstrate that the exemption applies and that withholding the information is proportionate and necessary.
Special Considerations for Different Types of SARs
Employee and Ex-Employee SARs
Employment-related Data Subject Access Requests present unique challenges due to the complex relationships and legal obligations involved in workplace settings. Current and former employees often have access to significant amounts of information about their employment, but they may not be aware of all the data sources where personal information about them is stored.
Employee SARs frequently arise in the context of grievances, disciplinary procedures, or employment tribunal claims. These requests require careful handling to ensure that legitimate legal interests are protected while still respecting the individual's right to access their personal data. Legal advice may be necessary to navigate the intersection between employment law obligations and data protection requirements.
Workplace investigations and disciplinary records present particular challenges, as they often contain information about multiple individuals and may be subject to confidentiality obligations. Organisations must balance transparency with the need to protect witnesses and maintain the integrity of investigative processes.
Is the timing of employee SARs suspicious?
This question often arises when requests coincide with disciplinary action or grievance procedures, but organisations cannot refuse legitimate requests simply because of their timing. However, they can consider whether the request is genuinely seeking access to personal data or attempting to gain tactical advantage in employment disputes.
Handling SARs Involving Children
Data Subject Access Requests involving children require additional safeguards to protect young people's interests while respecting their developing autonomy. The key consideration is whether the child has sufficient understanding to make the request independently or whether parental involvement is necessary.
Children's capacity to make SARs is assessed on a case-by-case basis, considering factors such as age, maturity, and the nature of the data involved. There's no specific age threshold in the legislation, but children aged 13 and above are generally presumed to have capacity unless there's evidence to the contrary.
Age Range | Presumption | Assessment Factors |
|---|---|---|
Under 13 | Parental involvement usually required | Maturity, understanding, data sensitivity |
13+ | Capacity generally presumed | Evidence to contrary, best interests |
16+ | Full capacity assumed | Exceptional circumstances only |
When parents or guardians make requests on behalf of children, organisations must consider whether disclosure would be in the child's best interests. This assessment becomes particularly important in situations involving family disputes or where the child's welfare might be compromised by disclosure of certain information.
SARs in the Context of Legal Disputes and Negotiations
Data Subject Access Requests made in anticipation of or during legal proceedings require particularly careful handling to balance legitimate access rights with the integrity of legal processes. These requests often seek information that may be relevant to ongoing disputes, but organisations cannot refuse them simply because litigation is contemplated or ongoing.
The timing and scope of legally-motivated SARs may indicate attempts to gain tactical advantage rather than genuine exercise of data protection rights. However, organisations must assess each request on its merits rather than making assumptions about motivation. Legitimate concerns about litigation privilege or prejudicing legal proceedings should be addressed through specific exemptions rather than blanket refusals.
Legal professional privilege provides some protection for confidential communications between organisations and their legal advisers, but this exemption has specific boundaries and cannot be applied broadly to all information related to legal matters.
Building a Robust SAR Management Procedure
Developing Internal Policies and Training
Effective Data Subject Access Request management requires comprehensive internal policies that clearly define roles, responsibilities, and procedures for all stages of the process. These policies should address request identification, verification procedures, data search protocols, and response preparation to ensure consistent handling across the organisation.
Developing effective SAR policies:
- Define clear roles and responsibilities
- Establish verification procedures
- Create data search protocols
- Design response preparation workflows
- Implement training programmes
- Regular policy review and updates
Regular training programmes help ensure that all staff members understand their role in the SAR process, from initial recognition of requests through to final response delivery. Front-line staff who interact with customers need particular attention, as they're often the first point of contact for access requests submitted through various channels.
Policy documentation should be regularly reviewed and updated to reflect changes in legislation, technology, and business processes. This ongoing maintenance helps ensure that procedures remain effective and compliant as the organisation evolves and the regulatory environment develops.
Importance of Record Keeping and DSAR Registers
Comprehensive record keeping provides essential evidence of compliance with Data Subject Access Request obligations and supports continuous improvement in SAR management processes. Detailed registers should capture key information about each request, including receipt dates, verification procedures, search activities, and response delivery methods.
These records serve multiple purposes, from demonstrating compliance during regulatory investigations to identifying patterns and trends that might indicate areas for process improvement. Regular analysis of SAR data can reveal common issues, resource bottlenecks, or training needs that might not be apparent from individual case management.
DSAR registers also provide valuable management information about the organisation's data protection performance and can help identify potential risks or areas requiring additional attention. This data-driven approach to SAR management supports more effective resource allocation and strategic planning.
Leveraging Technology for SAR Compliance
Modern technology offers significant opportunities to streamline Data Subject Access Request processing and improve compliance outcomes. Automated data discovery tools can help identify personal information across multiple systems more efficiently than manual searches, reducing the time and resources required for comprehensive data retrieval.
Dedicated SAR management platforms integrate various aspects of the process, from request logging and tracking through to automated reporting and deadline management. These systems help ensure that nothing falls through the cracks and provide clear audit trails for compliance purposes.
However, technology solutions must be implemented thoughtfully, with appropriate consideration for data security, integration requirements, and staff training needs. The most sophisticated system is ineffective if staff don't understand how to use it properly or if it doesn't integrate well with existing business processes.
Litigated: Supporting Effective SAR Management
How Litigated Provides Insights Into SARs and Litigation
Litigated offers invaluable insights into how Data Subject Access Requests intersect with employment tribunal cases and other legal proceedings. By analysing real tribunal decisions and case outcomes, the platform reveals common patterns in how SARs are used in legal contexts and what issues most frequently arise in disputes.
The platform's comprehensive database of employment tribunal cases provides practical examples of both successful and unsuccessful SAR management, helping organisations learn from others' experiences. These insights are particularly valuable for understanding how tribunals assess SAR compliance and what factors contribute to successful outcomes in data protection disputes.
Regular analysis of tribunal trends helps identify emerging issues and evolving expectations around SAR management. This forward-looking perspective enables organisations to adapt their procedures proactively rather than reactively responding to regulatory or legal developments.
Utilising Litigated Resources for Practical Guidance
Litigated provides a comprehensive suite of resources designed to support effective Data Subject Access Request management across different sectors and organisation types. Expert analysis breaks down complex legal requirements into practical, actionable guidance that can be implemented immediately to improve SAR compliance.
The platform's resource library includes detailed guides on specific aspects of SAR management, from initial request handling through to complex data retrieval challenges. Regular updates ensure that guidance reflects current best practice and regulatory expectations, helping organisations stay ahead of developing requirements.
Members-only content provides deeper insights into challenging SAR scenarios, with detailed case studies and expert commentary that goes beyond basic compliance requirements. This advanced guidance helps organisations handle complex requests more effectively and build confidence in their SAR management capabilities.
Addressing the Challenges of Modern Data Sources With Litigated
The evolving data environment presents ongoing challenges for Data Subject Access Request compliance, particularly around modern communication and collaboration tools. Litigated addresses these challenges by providing specific guidance on searching and retrieving data from platforms like Teams, Slack, and other contemporary business systems.
Expert analysis of recent tribunal cases reveals how courts are approaching SAR compliance in the context of modern data sources, providing practical insights into what constitutes reasonable search efforts. This guidance helps organisations understand their obligations while managing the practical challenges of comprehensive data retrieval.
The platform's focus on practical implementation helps bridge the gap between legal requirements and operational realities, providing actionable strategies for managing complex data environments effectively. This support is particularly valuable for smaller organisations that may lack extensive technical resources but still need to comply with SAR obligations.
Consequences of Failing to Comply With SARs
ICO Enforcement Actions and Fines
The Information Commissioner's Office takes Data Subject Access Request compliance seriously, with enforcement action representing a significant risk for non-compliant organisations. ICO investigations typically begin with complaints from individuals who feel their SAR has been inadequately handled, leading to detailed scrutiny of the organisation's procedures and response.
Financial penalties for SAR non-compliance can be substantial, with the ICO empowered to impose fines of up to £17.5 million or 4% of annual worldwide turnover. Recent enforcement actions demonstrate that the ICO is willing to use these powers, particularly in cases involving systematic failures or organisations that show little commitment to compliance improvement.
Beyond immediate financial consequences, ICO enforcement action typically requires organisations to make specific improvements to their data protection practices. These undertakings are monitored over time, creating ongoing compliance obligations that extend well beyond the original penalty.
Potential Legal Claims and Compensation
Individuals who suffer distress or damage due to inadequate Data Subject Access Request handling may pursue compensation through the courts under Section 168 of the Data Protection Act 2018. These claims can result in financial awards for both material and non-material damage, with courts increasingly willing to award compensation for distress caused by data protection failures.
Employment tribunal cases frequently involve SAR compliance issues, particularly where inadequate responses have hampered individuals' ability to pursue workplace claims effectively. Poor SAR handling can significantly damage an organisation's position in employment disputes and may result in additional compensation awards.
The reputational damage from high-profile legal action can extend far beyond immediate financial costs, affecting customer trust, employee morale, and business relationships. Effective SAR management helps protect against these broader business risks while demonstrating commitment to responsible data handling.
Conclusion
Managing Data Subject Access Requests effectively requires comprehensive understanding of legal obligations, practical challenges, and emerging trends in data protection. Success depends on robust procedures, appropriate technology, and ongoing commitment to compliance improvement. With proper preparation and the right resources, organisations can turn SAR compliance from a burden into an opportunity to demonstrate their commitment to privacy and transparency.
FAQs
What exactly constitutes a Data Subject Access Request?
A Data Subject Access Request is any communication where an individual asks to see what personal data an organisation holds about them. This includes formal written requests, emails, verbal inquiries, and even social media messages that clearly express this intent.
How quickly must organisations respond to a SAR?
Organisations must respond within one calendar month of receiving a valid request. This period can be extended by up to two additional months for complex requests, but the organisation must notify the individual of any extension within the original one-month period.
Can organisations charge fees for processing SARs?
Generally, no fees can be charged for Data Subject Access Requests. However, organisations may charge a reasonable fee if the request is manifestly unfounded or excessive, or if additional copies of information are requested beyond the first free copy.
What happens if a SAR includes information about other people?
Organisations must carefully balance the requester's access rights against other individuals' privacy rights. This may involve redacting third-party information or providing summaries rather than full disclosure, depending on the specific circumstances.
How do modern communication tools like Teams and Slack affect SAR responses?
These platforms create significant challenges for data retrieval due to their informal, real-time nature and the volume of data they generate. Organisations need sophisticated search strategies and may require specialised tools to comprehensively identify relevant information.
Can someone else make a SAR on my behalf?
Yes, third parties can make requests with appropriate authorisation, such as written consent, power of attorney, or parental responsibility. The organisation must verify both the requester's identity and their authority to act on behalf of the data subject.
How does Litigated help with SAR management challenges?
Litigated provides insights from real tribunal cases, showing how SARs intersect with legal proceedings. The platform offers practical guidance on complex scenarios and helps organisations understand best practices through analysis of actual case outcomes.
What are the consequences of poor SAR handling?
Consequences can include ICO fines of up to £17.5 million or 4% of annual turnover, individual compensation claims, employment tribunal issues, and significant reputational damage that affects business relationships and customer trust.
