The Data (Use and Access) Act 2025 has introduced important updates to the Subject Access Request (SAR) regime that every organisation should know.
Download our comprehensive factsheet from data protection specialist and Client Legal Director Amanda Heath, to ensure your business is fully prepared.
Key changes:
- Stopping the clock
You can now pause the 30-day response deadline while verifying an individual’s identity or awaiting clarification about their request. - Reasonable and proportionate searches
Organisations are no longer expected to conduct exhaustive searches if they are disproportionate to the request. - Enhanced transparency
When withholding information under exemptions, you must now provide clear explanations to the requester. - New complaints process
There are updated requirements for how data protection complaints should be handled.
Practical tips for organisations
Understand what personal data you hold and where it is stored
Train staff to recognise and respond to SARs quickly
Maintain control over your communication channels
Request clarification where necessary
Update your internal policies to reflect the new legal requirements
Managing SARs can be complex and time-consuming, but with the right processes in place you can minimise the impact on your organisation while meeting your legal obligations.know
