Subject Access Requests (SARs)
Support for organisations and individuals
For Data Controllers
Practical SAR handling that keeps you compliant
It seems to be a natural reaction to receive a Subject Access Request (SAR) with suspicion and a need to be defensive, yet the Data Subject making the request is simply exercising their lawful right, irrespective of their reasons.
How well you respond to that request depends on several things:
- Is the requestor entitled to the information requested?
- Are they quoting legislation, and if so, is it the correct and current law?
- Do you understand the lawful grounds for refusing, redacting, or extending the response period?
- Are you confident that your search parameters are complete and proportionate?
- Have you identified any third-party data that requires balancing tests or exemptions?
These aren’t abstract questions; they are the difference between lawful compliance and a potential breach. Many organisations unintentionally compromise themselves by reacting emotionally or rushing the process without understanding the legal structure behind it.
What we do:
At Hebborn Consultancy Ltd, we represent both Data Controllers and Data Subjects in managing SARs properly from start to finish. We act strictly within the law, applying the UK GDPR, Data Protection Act 2018, and the Data Use and Access Act 2025. We ensure that the process is fair, compliant, and defensible, while removing the confusion and conflict that so often arise.
- Initial assessment, with advice on immediate response dos and don'ts and on what must and must not be disclosed. Don't let your Subject Access Request become a Data Breach
- Conduct identity and authority checks on your behalf
- Search strategy and reasonable search plan
- Redactions, exemptions and third-party rights balancing
- Secure disclosures in accessible formats
- Deadline management and extension notices
- Communicate with the requester or their representative
Why it matters
- You have one month to respond, with a possible extra two months for complex or multiple requests. We set timelines, draft notices and keep you on track.
- Most SARs are free. You may refuse or charge a reasonable fee only if a request is manifestly unfounded or excessive, or for further copies. We advise, document the rationale and issue lawful responses.
- Your response must reflect UK GDPR Article 15 and the DPA 2018 framework, including any lawful restrictions and the need to protect the rights of others. We apply the tests and record the decision path.
Outcomes you can expect
- Defensible searches and redactions aligned to UK GDPR, DPA 2018 and DUAA 2025 amendments
- Minimal disruption to your staff, reducing unnecessary back-and-forth and operational burden - leaving them to do what they are paid to do.
- Reduced risk of complaints to the ICO and regulatory scrutiny
Making a Subject Access Request (SAR)
It can be daunting to make a SAR, especially if it involves a former employer, landlord, school, or organisation where trust has broken down. Many people worry about how their request will be received or whether it will cause trouble. In reality, you are simply exercising a lawful right to know what information is held about you and how it is being used.
Submitting a proper SAR is not just about asking for “all my data.” It requires clarity and precision:
- Are you clear about what you are asking for and why?
- Have you provided enough information to help the organisation locate your data?
- Do you understand the limits of the right of access and what can legally be withheld?
- Are you prepared for what you might receive, and how to challenge it if the response is incomplete or incorrect?
- Do you know how long the organisation has to respond, and what to do if they miss the deadline?
Handled correctly, a SAR can bring clarity, accountability, and sometimes resolution. Handled badly, it can cause frustration, delay, and even escalation. The mere thought of it may put you off making the request completely.
What we do:
At Hebborn Consultancy Ltd, we help Data Subjects prepare, submit, and manage their SARs from start to finish. We draft the formal request, correspond directly with the Data Controller, and represent you throughout the process. We make sure your rights under the UK GDPR, Data Protection Act 2018, and the Data Use and Access Act 2025 are fully respected, while taking away the stress and uncertainty that so often come with the process.
Your data. Your rights. Done properly.
How we help
- Drafting the official SAR letter and specifying exactly what to ask for
- Proving identity, authority and scope so the clock starts running
- Managing all correspondence and chasing responses
- Reviewing disclosures for completeness and quality
- Escalating to complaint or enforcement routes where needed
What you get
- A realistic quote of what your request/response will cost in real terms, with no hidden surprises
- A clear plan from request to resolution based on your aims
- Full representation throughout the process
- Straight answers on what is realistic under the law
Your rights at a glance
- You can ask an organisation whether it processes your personal data and receive a copy with key information about how it is used. That is Article 15.
- Organisations must respond without undue delay and within one month. They can extend by up to two months if the request is complex or multiple, but they must tell you why.
Our compliance basis
Everything we do is tied to the four pieces of legislation and current guidance:
- UK GDPR, including Article 15 right of access
- Data Protection Act 2018, including section 45 and relevant restrictions
- Privacy and Electronic Communications Regulations 2003 as amended, where SARs intersect with electronic communications and security practices
- Data Use and Access Act 2025, which amends and complements existing UK data law
- ICO guidance on subject access and request handling
Read more at the sources we rely on when advising you: ICO SAR guidance, UK GDPR Article 15, DPA 2018 section 45 and restrictions, PECR 2003, and the DUAA 2025 Act.
How we will respond to your request
- Free assessment call without any obligation on your part.
- Fixed quote with clear deliverables and no surprise follow-up fees. You will be advised of any and all costs in advance.
- We put your request to the Data Controller in writing, using the appropriate language and quoting the relevant legislation for ease of reference and to facilitate a prompt response.
- Where required, working with you, the client, we manage the correspondence, searches, redactions and disclosure pack.
- Conclusion outcome report.
Fees
Until we know what you want us to do, we can't tell you what it will cost. Our fees are straightforward and affordable. Most matters are handled on a fixed-fee or capped basis. Tell us what you need and we will price it sensibly. Contact us for a free initial assessment or a basic quote.
FAQs
What is the benefit of me/us asking you to act on our behalf?
Engaging Hebborn Consultancy Ltd means your request is managed by experienced specialists in data protection law. We have represented both Data Subjects and Data Controllers across many sectors, so we know exactly how to secure the best outcome. You benefit from our expertise, reputation, and proven record of success while avoiding the stress, the mistakes and, often for organisations, the costs that come from handling it alone.
Do you act for both sides?
Yes. We can act for both controllers and requestors, keeping strict professional separation on every engagement and applying the law without fear or favour. We will not act for both sides in the same matter unless both parties explicitly agree and instruct us to do so on a mediation basis.
Can you take over mid-request?
Yes. We can step in to stabilise timelines, draft lawful notices and get the matter back on track within the statutory limits.
What if the request is excessive or unfounded?
We assess the facts, document a defensible position and, if applicable, prepare a refusal or fee notice with reasons.
Does PECR apply to SARs?
PECR governs privacy in electronic communications, marketing and cookies. It often sits alongside your SAR handling where communications methods and security are involved. We ensure consistency across your privacy notices, cookie practices and SAR responses.
How does the DUAA 2025 change things?
DUAA 2025 introduces targeted reforms across UK GDPR, DPA 2018 and PECR. We reflect these changes in our templates, notices and decision records so your approach remains current.
Get in touch
If you have received a SAR or need to make one, we will take away the pain and deliver a clean, compliant outcome.
When a Subject Access Request lands, you need two things: clarity and control. We provide both. Whether you are a Data Controller responding to a SAR or an individual exercising your right of access, we handle the heavy lifting so you do not have to, and at a price you can afford.

