Subject Access Requests (SARs) remain the single most common source of data protection complaints to the Information Commissioner's Office (ICO). Under Article 15 of UK GDPR, individuals have the right to obtain a copy of their personal data and supplementary information about how it is processed. Despite the regulation having been in force since 2018, organisations continue to make the same avoidable mistakes. Here are the five we see most often — and how to fix them.
Mistake 1: Missing the One-Month Deadline
The response deadline under UK GDPR is one calendar month from receipt of the request — not 30 working days. This is a critical distinction that many organisations still get wrong. The deadline runs from the day after the request is received, regardless of whether it is a weekend or bank holiday.
Where a request is complex or where the requester has made multiple requests, you may extend the deadline by a further two months, but you must inform the requester of the extension within the original one-month period and explain why the extension is needed.
Fix: Log every SAR the day it arrives, set an automated reminder for day 20, and have a clear escalation process for requests that may need an extension.
Mistake 2: Charging a Fee
Under UK GDPR, SARs must be handled free of charge. The right to charge a 'reasonable fee' only applies where requests are manifestly unfounded or excessive — and you must be able to demonstrate this if challenged. Asking for a fee upfront is almost always unlawful.
Fix: Remove any SAR fee clauses from your website, privacy notice, or request forms. If a requester is making excessive or repetitive requests, document your reasoning carefully and seek DPO advice before applying any charge.
Mistake 3: Over-Redacting Information
Many organisations redact far more than they need to, often citing third-party privacy as justification. The ICO is clear: where information about a third party is inextricably linked to the requester's own data, you should try to provide it. You can redact the third party's identifying details, but you cannot withhold the information about the requester simply because a third party is also mentioned.
Fix: Apply a consistent redaction policy. Redact third-party names and identifying details where necessary, but provide the substance of information that relates to the requester. Document your redaction decisions.
Mistake 4: Not Searching All Systems
A common ICO complaint is that organisations only search obvious systems — the HR database, the CRM — and miss data held in email archives, paper files, instant messaging systems, or cloud storage. The obligation is to provide all personal data you hold about the individual.
Fix: Document your full data map and use it to produce a standardised SAR search checklist. This should include: email (including deleted items and archives), shared drives, cloud storage, instant messaging (Teams, Slack), CRM, HR systems, CCTV, and any paper records.
Mistake 5: Failing to Provide Supplementary Information
A SAR response is not just a data dump. Article 15 requires you to also provide:
- The purposes of processing
- The categories of personal data
- Recipients or categories of recipients
- Retention periods (or the criteria used to determine them)
- Information about the right to rectification, erasure, restriction, or objection
- The right to lodge a complaint with the ICO
- Where data was not collected from the individual, information about its source
- Information about any automated decision-making, including profiling
Fix: Create a standard covering letter template that automatically includes all required supplementary information. Link to your privacy notice but don't rely solely on it — the ICO expects you to provide the specific information relevant to the requester.
Building a Compliant SAR Process
The best way to avoid SAR mistakes is to have a documented, tested process before a request arrives. This should cover: how requests are identified and logged (a request doesn't have to say 'SAR' to be one), who is responsible for coordinating the response, which systems are searched, how redactions are applied and documented, and how the response is delivered securely.
Folelse includes a built-in SAR workflow with deadline tracking, search checklists, and response templates — so you never miss a deadline or a required disclosure.