The ICO defines a SAR as simply a written request made by or on behalf of an individual for the information which he or she is entitled to ask for under section 7 of the Data Protection Act 1998 (DPA). The request does not have to be in any particular form.
Your procedures should include a provision for responding to Subject Access Requests taking into consideration the new rules:
You will not be able to charge in most cases for responding to a SAR
You will have a month to respond, instead of the previous 40 days
You can refuse or charge for requests that are excessive or unfounded
If you receive a lot of SARs, you might struggle to comply with all of them within the deadline. You should consider whether it might be a good idea to dedicate some resources to developing a solution that allows individuals to self-serve, such as an online portal.
GDPR comes into force on 25th May 2018