Part 1: Why Is My Organisation Struggling With Subject Access Requests?

… And what to do about it

Subject access requests (‘SARs’) are one of the most common ways individuals exercise their data protection rights – and one of the most frequent sources of regulatory complaints to the Information Commissioner (‘ICO’).

Despite appearing straightforward on the surface, SARs often expose wider weaknesses in an organisation’s data protection framework. Recent ICO action shows that SAR compliance is a practical and operational requirement, not a theoretical one.

Insight series

Below, we highlight some of the key reasons organisations encounter difficulties with SAR compliance, framed around the questions we routinely explore with our clients.

Parts 2 and 3 of this insight series will explore some further SAR struggles we regularly see, and Part 4 will identify some clear action steps moving forward.

Do you really understand why the right of access exists?

  • Everyone in the UK has a fundamental right to privacy. As organisations collect and use increasing volumes of personal data, transparency about that processing is essential.
  • Individuals are entitled to be informed, in advance, how their personal data will be used so they can make an informed decision about whether to engage with a service or purchase goods.
  • The right of access exists to reinforce that transparency after the point of collection and to allow individuals to check that their data is being processed lawfully and fairly.

If the ICO considers that you have failed (or are failing) to comply with data protection law or PECR, it has the power to take enforcement action. This may require you to take steps to bring your operations into compliance, or it may decide to fine you, or both.

Do you really understand what “processing” personal data means?

The ICO is clear that “processing” is broad. It includes collecting, storing, sharing, analysing, deleting, and increasingly, using AI tools on personal data.

Organisations often underestimate where personal data sits across their systems and third-party platforms. When a SAR is received, this lack of visibility leads to incomplete searches, delays, or missed data – all common grounds for a complaint which could easily be avoided.

Once a SAR is received, organisations must take care not to alter, erase, conceal or destroy relevant records in a way that prevents disclosure – deliberate obstruction can result in criminal enforcement action (see below).

Do all your staff understand what a SAR is and why it matters?

If staff are unaware of data rights, this can create real compliance risk and operational difficulties. SARs commonly surface issues where staff mistakenly assume information is not disclosable or can be “managed” informally.

For example, simply removing an individual’s name from an email does not mean the information is no longer disclosable. Personal data includes any information that relates to an identifiable individual, whether directly or indirectly. This can include email content, context, opinions expressed about an individual, or information that could identify someone when combined with other material.

Do your staff understand that data cannot be erased or concealed?

It is critical that staff, particularly managers and decision-makers, understand that personal data must not be blocked, deleted or concealed in an attempt to avoid disclosure under a SAR.

Directors and individuals within organisations can be found personally liable, facing both civil and criminal consequences, where records are intentionally blocked, erased or concealed to prevent disclosure.

By way of example, in the recent ICO prosecution of Jason Blake, he appeared at Beverley Magistrates’ Court in September 2025 after being found guilty of blocking, erasing or concealing records held by his care home following receipt of a SAR. He was ordered to pay a £1,100 fine, together with £5,440 in costs.

Do you have adequate SAR handling procedures?

Having a Data Protection Policy that refers to SARs is not enough. The ICO expects organisations to have practical, documented SAR procedures that are actually followed.

Common issues that we see include:

  • Not knowing where to begin upon receipt of a SAR
  • No clear internal ownership of SARs
  • Inconsistent handling depending on who receives the request
  • Failure to recognise SARs made informally.

A well-designed procedure should cover identification, verification, searches, extraction, exemptions, redactions and response. The procedure should be understood by all staff members.

Are you effectively diarising and managing deadlines?

Missing SAR deadlines remains one of the most common causes of non-compliance.

The ICO has made clear that where organisations allow backlogs to develop, particularly where SARs remain unanswered well beyond the statutory timeframe, this will be treated as evidence of systemic failure, not an isolated oversight.

For example, in its enforcement action against South Wales Police, the ICO identified a substantial backlog of SARs, including requests that were significantly outside the statutory time limits and, in some cases, very old. The ICO described this as evidence that the organisation had “failed and was failing to comply” with its data protection obligations and required wide-ranging remedial action as a result.

This enforcement action underlines a critical point for organisations: routinely missing SAR deadlines places you squarely in regulatory risk territory.

The ICO expects organisations to:

  • Recognise SARs promptly
  • Understand when the one-month deadline applies
  • Properly justify any extensions
  • Keep clear records of decision-making.

Consistent lateness is not viewed by the ICO as a technical or administrative issue. Instead, it is often treated as an indicator of weakened governance, insufficient resourcing, or ineffective processes for tracking requests and managing extensions.

Do you understand when you can extend the timeframe and why?

The statutory one-month deadline for responding to a SAR can only be extended to three months in limited circumstances, and organisations should be able to explain why the request could not reasonably be answered within the standard timeframe. Many organisations assume that volume alone justifies an extension, or apply an extension by default, without clearly assessing whether the legal threshold is met; such extensions are often challenged by the SAR requester.

A recurring issue we see is that organisations attempt to extend the deadline, only to find (often close to the expiry of the extended period) that the request remains difficult to manage or that the extension itself may be challenged. By that point, valuable time has already been lost, increasing the risk of complaint and regulatory scrutiny. Taking a considered approach early on is often the most effective way to protect both compliance and operational resources and to avoid escalation.

Tozers’ trend spotting

In our experience, SARs are rarely the underlying problem. Instead, they act as a stress-test for an organisation’s wider data protection framework.

Where organisations struggle, it is usually because SARs expose weaknesses in governance, documentation, training, and a lack of clarity around how personal data is actually processed in practice across the organisation. Issues that remain hidden during day-to-day operations often surface quickly once a SAR is received.

Seeking early legal input

Seeking legal input only once difficulties have arisen can significantly increase regulatory risk. Early advice enables organisations to respond to SARs lawfully, defensibly and proportionately, reducing the likelihood of complaint or escalation.

Why instruct Tozers?

We pride ourselves on being more than just lawyers; we are your strategic partners. As a top firm for client satisfaction, we’ve built our reputation on listening first and talking second. We specialise in turning legalese into easily actionable and practical steps, ensuring you feel confident and informed at every step of your data protection journey.

If you need assistance with SARs, policies and procedures, or staff training, speak with us today.
