PolicyKitGet started
All templates

Subject Access Request (SAR) Procedure template

Documented procedure for handling UK GDPR Article 15 Subject Access Requests. Covers identity verification, 1-month response deadline, data gathering, redaction of third-party information, exemptions, and ICO escalation. Reduces risk of ICO enforcement action.

uk-gdprgdprdpa-2018

Generate your subject access request (sar) procedure in minutes

Answer a few questions about your business and PolicyKit produces a tailored, professionally structured document — ready to export as PDF or Word.

Generate free

About this document

A subject access request, or SAR, procedure sets out how an organisation responds when individuals ask for the personal data held about them. It defines the steps for verifying, locating, and providing that information within the required timeframe. A clear procedure helps handle requests consistently and on time.

Who needs one: Any organisation that processes personal data and must respond to individuals’ access requests.

What a strong subject access request (sar) procedure covers

  • How requests are received and recognised
  • Verifying the identity of the requester
  • Locating and collating the relevant personal data
  • Applying exemptions and redactions where appropriate
  • Response timeframes and how information is provided
  • Record-keeping and handling of complex requests

Regulations and frameworks this aligns to

PolicyKit references the standards relevant to your jurisdiction when it generates your subject access request (sar) procedure.

UK GDPR
The retained UK version of the General Data Protection Regulation, governing how organisations process the personal data of people in the UK.
GDPR
The EU General Data Protection Regulation, governing how organisations collect, use, and protect personal data of people in the EU.
Data Protection Act 2018
The UK statute that supplements and implements data protection law alongside the UK GDPR, including law-enforcement and intelligence-service processing.

Frequently asked questions

What should a subject access request (sar) procedure include?

A robust subject access request (sar) procedure sets out scope, roles and responsibilities, the specific controls or procedures involved, and how compliance is monitored and reviewed, mapped to frameworks like uk-gdpr, gdpr, dpa-2018. PolicyKit structures all of this automatically based on your business.

Is this legal advice?

No. PolicyKit generates AI-assisted professional templates and starting points, not legal advice. Every document should be reviewed with qualified legal and compliance counsel before use.

Can I tailor it to my country?

Yes — PolicyKit tailors each document to your jurisdiction, including UK, EU, United States, Australia, Singapore, Hong Kong and more.

Ready to create your subject access request (sar) procedure?

Start free

PolicyKit provides AI-assisted templates and starting points, not legal advice.