How to Handle a Subject Access Request (SAR)

Modified on Mon, 1 Sep, 2025 at 4:16 PM

What do I do?

  1. If someone asks for their data, forward the request to Privacy@ and reply politely confirming we’ve passed it to the privacy team. Don’t promise what will be included.

  2. Do not send any data yourself unless you’ve been made the Processor Lead.

  3. Deadlines matter: the legal time limit is one month from the day we receive the request (see the FAQ for the limited extension rules), so forward it the day it arrives.

  4. If you’re assigned Processor Lead, you’ll get a short email (T2) telling you exactly what to do. Keep it simple, follow the steps, and cc Privacy@ on your messages so we have an audit trail.


What counts as a SAR?

A SAR (also called DSAR) is when someone asks for copies of the personal data we hold about them. They might say:

  • “Please send me all data you hold about me.”

  • “I want a copy of my records/emails/CCTV.”

  • “Show me what you’ve got on your system about me.”

If it’s actually a different right (e.g., erasure, rectification, unsubscribe, complaint), still forward to Privacy@ — we’ll route it correctly.


What you should do if you receive a SAR

  • Forward the email to Privacy@ right away.

  • Acknowledge the person: “Thanks — I’ve passed this to our privacy team who will coordinate the response.”

  • Do not collect ID unless you’re told to; if you are the Processor Lead, you'll receive an email explaining the protocols for completing a simple ID check.

  • Don’t send or delete anything — wait for instructions.


If you become the Processor Lead

You’ll receive the T2 handover email from IT Support. In plain English, your job is:

  • Confirm who’s asking (if in doubt): send a short ID check; pause the clock until it comes back; don’t keep ID copies; cc Privacy@.

  • Clarify scope (only if needed): ask 1–2 simple questions (other emails/phone numbers, date range, context such as employee/guest/CCTV); pause the clock while you wait.

  • Find the information: search the obvious places for this person (email/files, HR/payroll, bookings/membership, POS, call recordings, visitors/parking, incidents/access, training/complaints, CCTV by date/time, website forms/newsletters/Wi‑Fi). If a third‑party provider holds it, ask them for a copy.

  • Keep a short note: for each search write where/what/when; save a quick screenshot or export log.

  • Bundle & send: remove anything clearly not about the requester; redact other people’s details where possible; ask Legal (Finance Director) to review anything sensitive. Zip/PDF the results and password‑protect the bundle, send it from your business mailbox, cc Privacy@, and share the password by a separate channel (text/call), never in the same email. Ask the requester to confirm receipt.

  • Close the loop: update the SAR queue in the IT Support call‑logging system with dates and outcome; delete any local working copies (the case folder on business storage is the record).

Where to save files: create a folder on business storage (not a personal drive or laptop), label it with the Case ID and date, and keep all SAR files there. Limit access to those who need it.


Do & Don’t (for everyone)

Do

  • Be polite and helpful; keep things simple.

  • Forward any data request to Privacy@.

  • If Processor Lead, cc Privacy@ on your comms so they’re logged.

Don’t

  • Don’t send data unless you are the Processor Lead for that case.

  • Don’t delete or change records.

  • Don’t store copies of ID — only record you verified it.


Who’s responsible for what?

  • Business department (Processor Lead): runs the case end‑to‑end (ID check if needed, scope, searches, redaction, bundle, secure send), meets the one‑month deadline, and keeps a short audit trail.

  • IT Support (Privacy@) logs the case, assigns the Processor Lead, provides best‑practice guidance, and monitors deadlines.

  • Specialists (as needed): IT Data Discovery (technical searches), Security/CCTV (footage/redaction), HR (employee records), Legal (Finance Director) (privilege/exemptions/complaints), Brand/Comms (sensitive group messaging).


FAQ (short & simple)

Why do I have to do this?
Because UK GDPR gives people the right to access their personal data. We’re legally required to help. If the data lives in your department’s systems, you’re closest to it and can find it fastest and most accurately.

Shouldn’t this be a technical person’s job?
Not usually. Most of the data sits in everyday business systems you own (email/files, bookings, membership, HR, CCTV). IT can help with tools, but the department understands the context and what’s relevant.

What’s the deadline?
One month from the day we receive the request. For complex or numerous requests, it can be extended by up to two months, but we must tell the requester within the first month. If you think we’ll need extra time, tell Privacy@ immediately so the extension notice goes out in time.

Do we always need ID?
Only if there’s doubt. If you can recognise the person or it’s routine (e.g., emailing from their known account), you might not need ID. If in doubt, send a simple ID check and pause the clock.
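As an added illustration of the deadline rules in the two answers above (this is not part of the original article), here is a small Python tracker: one month from receipt counted to the corresponding calendar date, the clock paused for each ID check or scope question, and an extension capped at two months with the notice date pinned to the original deadline. The `SarClock` name, the pause and extension rules, and the dates are constructed assumptions about how this policy is applied, not an official calculator.

```python
"""Deadline tracker for a SAR: one month from receipt, paused while we wait
for ID or scope clarification, extendable by up to two months.

Added illustration; the date rules are assumptions about how the policy
is applied, not an official calculator."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta


def add_months(start: date, months: int) -> date:
    """Corresponding calendar date `months` later; if that month is shorter
    (e.g. 31 Jan + 1 month), the last day of the target month."""
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class SarClock:
    received: date                                   # day the request arrived
    pauses: list[tuple[date, date]] = field(default_factory=list)  # (sent, returned)
    extension_months: int = 0                        # 0, 1 or 2

    def pause(self, sent: date, returned: date) -> None:
        """Record an ID check or scope question; the clock stops while we wait."""
        if returned < sent:
            raise ValueError("reply cannot precede the question")
        for s, r in self.pauses:
            if sent <= r and returned >= s:
                raise ValueError("overlapping pause")
        self.pauses.append((sent, returned))

    def extend(self, months: int) -> None:
        """Extension for complex/numerous requests: at most two months in total."""
        if months < 1 or self.extension_months + months > 2:
            raise ValueError("extension limited to two months in total")
        self.extension_months += months

    def paused_days(self) -> int:
        """Total days the clock was stopped."""
        return sum((r - s).days for s, r in self.pauses)

    def extension_notice_by(self) -> date:
        """Last day to tell the requester we are extending: the original due date."""
        return add_months(self.received, 1) + timedelta(days=self.paused_days())

    def due(self) -> date:
        """Current response deadline, including any extension and pauses."""
        base = add_months(self.received, 1 + self.extension_months)
        return base + timedelta(days=self.paused_days())

    def days_left(self, today: date) -> int:
        return (self.due() - today).days


if __name__ == "__main__":
    # Constructed example: request received 31 Jan, ID check outstanding for 4 days.
    clock = SarClock(date(2025, 1, 31))
    clock.pause(date(2025, 2, 3), date(2025, 2, 7))
    print("due", clock.due(), "extension notice by", clock.extension_notice_by())
```

The tracker deliberately ignores weekends and public holidays, so treat its date as the earliest the response can be due and let Privacy@ confirm the official deadline on the case.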

Can we refuse?
Rarely. We can refuse if a request is manifestly unfounded or excessive, or if an exemption applies (e.g., it reveals someone else’s data or legal privilege). Ask Legal (Finance Director) before refusing anything.

What about CCTV?
Search by date/time/location. If others appear in the video, blur/redact where possible or provide stills. Ask Security for help with redaction tools.

What if I can’t find anything?
Tell Privacy@ and reply to the requester explaining we found no data for the identifiers provided. Ask for any other names/emails/phones or a date range.

Where should I store the files?
Create a folder on business storage, label it with the Case ID and date, and save everything there. Restrict access to those who need it.

How do I deliver the files?
Zip/PDF the results, encrypt the bundle where the data is sensitive (it.support@ can help with the tools), and send the password by a separate channel (text/call), never in the same email. Cc Privacy@ on your email to log it.

Who do I ask for help?

  • Privacy@ (process/deadlines)

  • it.support@ (tools/encryption/access)

  • Security/CCTV (footage/redaction)

  • HR/AskJoi (employee records)

  • Legal (Finance Director) (privilege/exemptions/complaints)

