August 2021

Subject Access Requests – an Osiris Overview

What is a subject access request, and why does it matter to my organisation?

At Osiris IT, we often work with our clients to assist in Subject Access Requests. Here’s our handy explainer on what they are and what you can do to prepare for any SAR you might experience.

What is a SAR?

A subject access request, SAR for short, is a request from an individual to your organisation asking for access to the personal information you hold about them. This is a legal right everyone in the UK has under the Data Protection Act, which can be exercised at any time.

Why do I need to prepare for SARs?

Even if your organisation does not receive SARs regularly, you should be prepared to process these requests to comply with your legal obligations under the Data Protection Act 2018. Thinking ahead is key to achieving efficiency when dealing with SARs and will improve the confidence and transparency of your organisation.

What steps should we take?

Here are Osiris IT’s top tips for handling SAR requests:

Manage your data

Keeping your IT footprint small and organised with a simple, well-structured file storage system will make handling SARs easier and make your data easier to stay on top of. Be consistent and standardise naming conventions, for instance, when it comes to electronic documents.

Know what you have

Often clients can be surprised by the volume of data SAR requests turn up. You must know what data you have on individuals and where this is so that it can be kept up to date and deleted in accordance with retention policies. Remember, SAR searches also cover communications such as emails and instant messages.


You should ideally have a number of staff trained to handle SAR requests, particularly with awareness of what data to omit when sorting the data. Appointing a single point of contact (SPOC) for overseeing SAR requests is generally seen as good practice; this usually is your registered Data Protection Officer if you have one.


A SAR from any individual you work with will bring up any communication that contains their personal data, and all your employees need to know this. Emails sent in anger or written unprofessionally about the subject can often be a source of embarrassment and are easily avoided with good education.

Have a retention policy

It’s crucial you have retention and deletion policies for the personal data you process and that these are documented well. This helps ensure that you aren’t keeping information longer than you need, potentially reducing the amount of information you need to review when responding to a SAR. Working with us on this, we can often automate this process for clients.

Understand your systems

You’ll find it challenging to deal with SARs if your systems do not enable the easy location and extraction of personals data. This is often the case for proprietary CRMs. You should think ahead and ask if your systems can support SARs, and consider this when looking into new information management systems. If in doubt, check with us.

For more information, please get in touch with our data protection specialists, or read the detailed guidance from the ICO here.

Contact us today to get a free consultation

Get in touch