15/02/2026

What Every Organisation Must Understand About Subject Access Requests in 2026

When someone asks to see the personal data your organisation holds about them, it is not a favour.

It is not discretionary.

It is a statutory right.

Under UK data protection law, now refined by the Data (Use and Access) Act 2025, individuals have a legal right to access their personal data.

And organisations have:

  • A statutory duty to respond
  • A statutory timeframe
  • Minimum legal requirements to meet

This has not changed.

What has changed is the clarification around how you conduct searches.

And that’s where misunderstanding is becoming risky.


A Subject Access Request Is a Legal Obligation

If an individual asks:

  • “What information do you hold about me?”
  • “Please send me my file.”
  • “I want a copy of all emails mentioning me.”

That is almost certainly a Subject Access Request (SAR).

  • You do not need special wording.
  • You do not need a form.
  • You do not need the words “data protection.”

If it’s a request for their personal data, it engages the law.

And the clock starts.


The Deadline Is Real

In most cases, you must respond within one calendar month.

You may extend by a further two months if the request is complex – but you must notify the individual within the first month and explain why. You must also be able to justify that extension if the ICO scrutinises it following a complaint.

Silence is not compliant.

Delay because “we’re busy” is not compliant.

Waiting until it becomes convenient is not compliant.


What Has the DUAA Changed?

The Data (Use and Access) Act 2025 (DUAA) clarifies that organisations are required to carry out “reasonable and proportionate searches.”

This is helpful, particularly for organisations that collect, store and/or share large volumes of client data.

But it does not mean:

  • You can only search one system
  • You can ignore email accounts
  • You can avoid archived data without thought
  • You can provide a summary instead of the actual data

It means your search must be:

  • Thought through
  • Documented
  • Defensible

“Reasonable” is a legal test.
It is not shorthand for “minimal effort.”


The Minimum Requirements Still Apply

When responding to a SAR, you must:

  • Confirm whether you process their personal data
  • Provide a copy of that personal data
  • Explain your lawful basis
  • Outline retention periods
  • Inform them of their rights
  • Explain their right to complain to the Information Commissioner’s Office

Providing a short summary email is not sufficient if fuller data exists.

Filtering out uncomfortable content is unlawful.

Redacting third-party data must be done carefully, not as a blanket approach.


Where Organisations Commonly Go Wrong

Many smaller organisations, and even some established ones, still:

  • Treat SARs as customer service queries rather than legal obligations
  • Assume employment disputes change the rules
  • Fail to recognise informal requests
  • Miss the statutory deadline
  • Keep no audit trail of search decisions

The risk is not just regulatory.

It is reputational.

In employment disputes and complaints, SAR compliance is often scrutinised line by line.


If You’re Unsure, That’s a Risk Signal

If your organisation cannot confidently answer:

  • Who manages SARs?
  • Where is personal data stored?
  • How are searches scoped?
  • Who signs off responses?
  • How are redactions reviewed?

Then you do not have a defensible SAR process.

The DUAA hasn’t lowered the bar.

It has clarified it.


A Simple Reality Check for 2026

Subject Access Requests are not rare.

They arise in:

  • HR disputes
  • Customer complaints
  • Regulatory investigations
  • Contract terminations
  • Safeguarding matters

If your organisation handles personal data, and every organisation does, SAR readiness is not optional.

It is part of operating lawfully.


Final Thought

The language of “reasonable and proportionate” should provide clarity.

It should not create complacency.

  • A SAR is a statutory right.
  • The deadline is statutory.
  • The minimum content is statutory.

If you are unsure whether your current process would withstand regulatory scrutiny, now is the time to review it – not when a complaint lands.
