When Someone Asks for Their Data

15/02/2026

What Every Organisation Must Understand About Subject Access Requests in 2026

When someone asks to see the personal data your organisation holds about them, it is not a favour.

It is not discretionary.

It is a statutory right.

Under UK data protection law, now refined by the Data (Use and Access) Act 2025, individuals have a legal right to access their personal data.

And organisations have:

  • A statutory duty to respond
  • A statutory timeframe
  • Minimum legal requirements to meet

This has not changed.

What has changed is the clarification around how you conduct searches.

And that’s where misunderstanding is becoming risky.

A Subject Access Request Is a Legal Obligation

If an individual asks:

  • “What information do you hold about me?”
  • “Please send me my file.”
  • “I want a copy of all emails mentioning me.”

That is almost certainly a Subject Access Request (SAR).

  • You do not need special wording.
  • You do not need a form.
  • You do not need the words “data protection.”

If it’s a request for their personal data, it engages the law.

And the clock starts.

The Deadline Is Real

In most cases, you must respond within one calendar month.

You may extend by a further two months if the request is complex – but you must notify the individual within the first month and explain why. You must be able to justify why on scrutiny from any ICO complaints.

Silence is not compliant.

Delay because “we’re busy” is not compliant.

Waiting until it becomes convenient is not compliant.

What Has the DUAA Changed?

The DUAA clarifies that organisations are required to carry out “reasonable and proportionate searches.”

This is helpful, particularly, for organisations collecting, storing and/or sharing large volumes of client data.

But it does not mean:

  • You can only search one system
  • You can ignore email accounts
  • You can avoid archived data without thought
  • You can provide a summary instead of the actual data

It means your search must be:

  • Thought through
  • Documented
  • Defensible

“Reasonable” is a legal test.
It is not shorthand for “minimal effort.”

The Minimum Requirements Still Apply

When responding to a SAR, you must:

  • Confirm whether you process their personal data
  • Provide a copy of that personal data
  • Explain your lawful basis
  • Outline retention periods
  • Inform them of their rights
  • Explain their right to complain to the Information Commissioner’s Office

Providing a short summary email is not sufficient if fuller data exists.

Filtering out uncomfortable content is unlawful.

Redacting third-party data must be done carefully. Not as a blanket approach.

Where Organisations Commonly Go Wrong

Many smaller organisations, and even some established ones, still:

  • Treat SARs as customer service queries rather than legal obligations
  • Assume employment disputes change the rules
  • Fail to recognise informal requests
  • Miss the statutory deadline
  • Keep no audit trail of search decisions

The risk is not just regulatory.

It is reputational.

In employment disputes and complaints, SAR compliance is often scrutinised line by line.

If You’re Unsure, That’s a Risk Signal

If your organisation cannot confidently answer:

  • Who manages SARs?
  • Where is personal data stored?
  • How are searches scoped?
  • Who signs off responses?
  • How are redactions reviewed?

Then you do not have a defensible SAR process.

The DUAA hasn’t lowered the bar.

It has clarified it.

A Simple Reality Check for 2026

Subject Access Requests are not rare.

They arise in:

  • HR disputes
  • Customer complaints
  • Regulatory investigations
  • Contract terminations
  • Safeguarding matters

If your organisation handles personal data, and every organisation does, SAR readiness is not optional.

It is part of operating lawfully.

Final Thought

The language of “reasonable and proportionate” should provide clarity.

It should not create complacency.

  • A SAR is a statutory right.
  • The deadline is statutory.
  • The minimum content is statutory.

If you are unsure whether your current process would withstand regulatory scrutiny, now is the time to review it – not when a complaint lands.

Leave a comment

  • When Someone Asks for Their Data

    15/02/2026 What Every Organisation Must Understand About Subject Access Requests in 2026 When someone asks to see the personal data your organisation holds about them, it is not a favour. It is not discretionary. It is a statutory right. Under UK data protection law, now refined by the Data (Use and Access) Act 2025, individuals…

  • Data Protection in 2026: What to Be Ready For

    24/01/2026 As we move into 2026, it’s tempting to look for the big new data protection law that will change everything overnight. In reality, that isn’t how this year is shaping up. Instead, 2026 looks set to be a year of consolidation, scrutiny and expectation‑raising. The rules themselves are largely familiar. What’s changing is what…

  • Why are the “Epstein files” so heavily redacted?

    29/12/2025 A data protection and transparency perspective When high-profile court documents are released to the public, there is often an expectation that they will reveal everything. So when the US Department of Justice (DoJ) released nearly 30,000 more pages of documents related to the late convicted sex offender Jeffrey Epstein, many people expected full transparency. Instead, they…

  • The New Data Protection Complaints Process

    How are you implementing the new data protection complaints process?