Any individual can make a Subject Access Request (SAR) under the General Data Protection Regulation 2016/679 (GDPR) to any organisation (data controller) that holds his or her personal data. Since the introduction of the GDPR, an increasing number of individuals are exercising their right to request information from organisations and other data subject rights.

Responding to a SAR 

It is important for a company to ascertain all the various sources where personal data is held and to ensure that their data systems are easily searchable in order that responses to SARs can be managed efficiently. Businesses should be aware that the time limit for responding to SARs is one month and ensure that their procedures enable them to respond to the request within this timescale. The SAR needs to be assessed to consider whether any exemptions may apply and whether any personal data may be withheld.