GDPR 5. Subject Access Request

GDPR 5. Subject Access Request

October 24, 2017

The ICO defines a SAR as a simply a written request made by or on behalf of an individual for the information which he or she is entitled to ask for under section 7 of the Data Protection Act 1998 (DPA). The request does not have to be in any particular form.


 Your procedures should include a provision for responding to Subject Access Requests taking into consideration the new rules:


  • You will not be able to charge in most cases for responding to a SAR

  • You will have a month instead of the previous 40 days

  • You can refuse or charge for requests that are excessive or unfounded

If you have a lot of SAR requests, you might struggle to comply with all of them within the deadline. You should consider whether it might be a good idea to dedicate some resources to develop a solution that allow individuals to self service, such as a portal online


GDPR comes into force on 25th May 2018


< 4. Individual Rights     5. Lawful basis for processing data >



Please reload

Recent Posts

Please reload


Please reload


Please reload



Horsham, UK



+44 1403 801 001