How to deal with a subject access request

We've recently seen an increase in the number of advice firm requests we're getting on how to deal with subject access requests (SARs).

Graeme Stewart

Graeme Stewart

27 January 2021
So how should you go about dealing with a request when you receive one, and just what are your firm’s obligations?

First things first, what is an SAR?

An SAR is a request from an individual to obtain a copy of their personal data and other supplementary information from you. This right of access is a fundamental right for individuals.


  • Individuals can make SARs verbally or in writing, including via social media
  • A third party can make an SAR on behalf of another person
  • You cannot generally charge a fee to deal with a request
  • Responses should be sent without delay and within one month of receiving the request
  • The time limit can be extended by a further two months if the request is complex, or if you receive a number of requests from the individual
  • You should perform a reasonable search for the requested information
  • You should provide the information in an accessible, concise and intelligible format
  • The information should be disclosed securely.
  • You must provide the information unless an exemption or restriction applies, or if the request is ‘manifestly unfounded’ or ‘excessive’
(For more information on unfounded and excessive requests, the Information Commissioner's Office has put together this useful article: When can we refuse to comply with a request?)

What's expected of firms

The Information Commissioner's Office (ICO) expects firms to be prepared and to take a proactive approach so they can respond to requests in an effective and timely manner.

This means all staff in a client-facing role should be able to respond to an SAR when one is made. The ICO says by doing so this will help firms to:

  • comply with legal obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 and show how they have done so
  • streamline their processes for dealing with SARs, saving both time and effort
  • increase levels of trust and confidence in their organisation by being open with individuals about the personal data held about them
  • enable customers, employees and others to verify that the information the firm holds about them is accurate, and to tell them if it's not
  • improve confidence in their information handling practices; and
  • increase the transparency of what they do with individuals’ data.
If firms do want to take a proactive approach and get to a stage where they're ready to deal with an SAR, it may be worth role-playing a scenario where a client has made a request and testing your approach to dealing with this.

Some firms may also choose to appoint an SAR 'tzar' or 'champion', so that any client queries from any source may be channelled and dealt with efficiently.

The ICO has recently published detailed SARs guidance to help firms meet their legal requirements, and the guide offers comprehensive support as well as answers to common questions. 

Overall, the key things to consider when dealing with a request are:
  • Verify the identity and/or the permission or authority provided by the person making the request
  • Agree how the firm is going to present the data for a client; this could be sent securely via the post or online
  • Does the client have any special requirements, for example, providing the data in larger print, braille or through an audio format?
  • How long might the firm need to collect the data, and how easy is this to obtain?
Firms who have trained staff to recognise an SAR, and who have tested their response to such a request, will be in a better position to deal with a request when one is made.

Not only will this meet with ICO expectations, but it makes sense from a business perspective as well.
Start the discussion

Reading this blog counts towards your CPD!

Click here to add this session to your Paradigm CPD log.

20 December 2021

The public gets what the Public wants’ - or do they?

10 December 2021

Consultation Paper CP 21/36 “A new Consumer Duty”

7 December 2021

FCA’s Consumer Duty seems like a costly exercise for advisers

2 December 2021

Cyber crime update and reporting requirements

9 November 2021

Who will buy...?

1 November 2021

FCA: Remote working expectations for firms

18 October 2021

Remortgaging: Timing may not even matter this time

8 October 2021

Make stamp duty work for everyone

4 October 2021

Time to talk

1 October 2021

The FCA’s plans to tackle investment harm

27 September 2021

Lack of housing stock means brokers need to work client banks harder

3 September 2021

Let technology do the work in the fast-paced mortgage environment

2 September 2021

Time of new beginnings

18 August 2021

The proof of the pudding

12 August 2021

FCA pension transfer advice: don’t be confused by the label

12 August 2021

Time for a change?

26 July 2021

The engagement conundrum

26 July 2021

"I can’t do it all"

7 July 2021

Paused for breath

6 July 2021

SMCR part two - conduct questions

28 June 2021

Introducing a new us!

17 June 2021

Patches - what are they and why are they so important

17 June 2021

Multi-factor authentication - the simple solution

8 June 2021

SMCR part one - time to take stock

27 May 2021

A reminder of the 'good old bad old' days of protection tech

18 May 2021

Let's not consider any 'reduction' in these as some sort of victory

5 May 2021

Simple methods-calculating client profitability

30 April 2021

If the pandemic has been the mother of invention, it's time to carry on

22 April 2021

Opportunities abound in the market

19 April 2021

Early Movers are Shaping the 95% LTV Market

13 April 2021

Here's a conundrum

8 April 2021

Advice processes for vulnerable clients

29 March 2021

Vulnerable signs for advice firms to watch out for

5 March 2021

Lenders have not got to grips with how the pandemic impacted borrowers

2 March 2021

How Covid has changed our financial lives

2 March 2021

Supply needs to match demand

19 February 2021

Don't overlook product transfers

16 February 2021

Creating a plan for good CPD

5 February 2021

Stamp duty debate a black hole

2 February 2021

Industry wide levy is a head scratcher



APCC Member
Paradigm Consulting is a Member of the Association of Professional Compliance Consultants

Paradigm Consulting is a trading name of Paradigm Partners Ltd
Office address: Paradigm Partners Ltd, Paradigm House, Brooke Court, Wilmslow, Cheshire, SK9 3ND
Paradigm Partners Ltd is registered in England and Wales. No.09902499. Registered Office: As above

Paradigm Mortgage Services LLP
Office address: Wellington House, Starley Way, Birmingham International Park, Solihull, B37 7HB
Registered in England and Wales. Company No: OC323403. Registered Office: Paradigm House, Brooke Court, Lower Meadow Road, Wilmslow, SK9 3ND
Paradigm Mortgage Services LLP is a Limited Liability Partnership.

Paradigm Protect is a trading name of Paradigm Mortgage Services LLP
Office address: Wellington House, Starley Way, Birmingham International Park, Solihull, B37 7HB
Paradigm Mortgage Services LLP is registered in England and Wales. Company No: OC323403. Registered Office: Paradigm House, Brooke Court, Lower Meadow Road, Wilmslow, SK9 3ND
Paradigm Mortgage Services LLP is a Limited Liability Partnership.