SAR Compliance Checklist: Never Miss a Deadline Again

A comprehensive, step-by-step compliance framework to handle Subject Access Requests efficiently while maintaining full GDPR compliance and audit trails.

Missing a Subject Access Request (SAR) deadline isn't just an administrative oversight—it's a £17.5 million risk. That's the maximum fine under GDPR Article 83, and with the ICO issuing penalties averaging £2.8 million for data protection breaches in 2023, SAR compliance has never been more critical. This comprehensive checklist provides a proven framework used by organizations like the NHS, Labour Party, and YMCA to maintain perfect SAR compliance records while reducing processing time by up to 75%.

30 days

Maximum GDPR response time

£17.5M

Maximum penalty under GDPR

75%

Time reduction with automation

2,847

SARs processed by ICO in 2023

Understanding SAR Legal Requirements

Under GDPR Article 15 and the UK Data Protection Act 2018, organizations must respond to Subject Access Requests within 30 calendar days of receipt. This timeline includes weekends and bank holidays—there are no extensions unless the request is particularly complex or voluminous, in which case you can extend by two additional months with justified reasoning communicated to the data subject.

⏰

30-Day Response Window

Calendar days from receipt, including weekends and holidays. Clock starts when request is received, not when you acknowledge it.

📋

No Charge Permitted

SARs are free unless manifestly unfounded, excessive, or repetitive. Administrative fee only for additional copies.

🔍

Complete Disclosure

All personal data held about the individual, including metadata, logs, and third-party communications containing their data.