Blog details

ICO provides SAR guidance for organizations receiving requests.

ICO provides SAR guidance for organizations receiving requests.

ICO provides SAR guidance to simplify the process for, and give better understanding to organizations receiving subject access requests.


The ICO published information last month, geared at giving guidance to organizations who may receive subject access requests (SARs). As the weight of personal data becomes more apparent to individuals, more people are exercising their right to information on what exactly is happening to their personal data. The right of access, also referred to as subject access, gives individuals the right to obtain a copy of their personal data from you, as well as other additional information. The ICO, having realized how important it is that an organization should be able to deal with subject access requests efficiently and effectively, has launched this guide, which was published in the form of a list of frequently asked questions, can be found here


The initial consultation for this guidance published by the ICO, generated lots of engagement, and received an overwhelmingly positive response.


The process of creating this right of access detailed guidance started back in December 2019, with a consultation which received an overwhelming reaction, comprised of over 350 responses from various organisations. While those responses consisted of mainly positive feedback, there were also requests for examples, explanations and additional content. Based on the feedback, there were some key changes made, and content added to the original version published. 


The ICO provides SAR guidance, complete with situational examples for reference.


This guidance published by the ICO last month includes details on what right of access is, why it is important, and also what specific information an individual is entitled to. The information provided in this guidance also includes direction on who should be handling requests and in what manner requests should be handled, complete with relatable examples, which the individuals in an organisation can follow and apply to their circumstances to gain a better understanding of how things should proceed.


The ICO was able to clarify a few key points raised by organisations during the guidance consultation phase. 


There were a few key points raised for clarification by the organisations regarding their obligations, which the ICO cleared up. For one, stopping the timer on response time, when clarification is needed to provide a response is definitely now allowed. The ICO also clarified what a manifestly excessive request is, and offered guidance on how to navigate dealing with those, including when and how an admin fee may be applied to some requests.

The ICO has further plans to create several resources for business on the topic of SARs.


The ICO has plans on creating a suite of resources. This will include an even more simplified guide for small businesses regarding subject access requests with key information from the general guide which would specifically benefit them. This information is viewed as essential to organisations, to ensure trust from individuals, in the way an organisation handles their personal data, and by extension in the organisation itself.


Do you know how to handle DSARs and the rest of data subjects rights granted by the GDPR? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Prev post
Multa a Marriott por incumplimiento del RGPD
November 4, 2020
Next post
La ICO publica sus directrices en relación al derecho de acceso.
November 6, 2020

Leave a Comment