Turning Subject Access Request (SAR) Complaints Into Data Protection Wins
- info0838647
- Jan 21
If there is one element of data protection that can truly test your organisation’s processes, it is dealing with complaints about Subject Access Requests (SARs). Get it right and you show respect for individuals’ data rights. Get it wrong and you risk frustration, reputational damage, or even an ICO complaint.
We break down what SAR complaints are, what the UK GDPR and ICO expect, and real-world practical steps to resolve them quickly and confidently.
What Is a Subject Access Request and a SAR Complaint?
A Subject Access Request is an individual’s right to ask you for the personal data you hold about them, plus certain supplementary information such as why it is being processed and how long you will keep it. Anyone can make a SAR verbally, in writing, or even via social media, and it does not have to use the words “SAR” or refer to GDPR. It just needs to be clear that they want their own personal data.
A SAR complaint arises when someone feels your response was too slow, incomplete, inaccurate, or otherwise unsatisfactory, for example, missing records because they were under a previous name, or delays past the statutory time limit.
What the ICO Says About Complaints
The UK Information Commissioner’s Office (ICO) expects organisations to have a clear data protection complaints process. Specifically:
You must acknowledge complaints within 30 days.
You should investigate without undue delay: understand the facts, review the SAR response itself, and check your own policies.
Once you have investigated, you must communicate the outcome clearly, including how you reached your decision.
If the complainant is not satisfied, your response should explain they have the right to complain to the ICO and give them the ICO’s contact details.
Why People Complain: Common Scenarios
Here are several patterns that regularly turn up in practice:
Delays and Missed Timeframes
You must respond to a SAR promptly, ideally within one month. Where a request is complex, you can extend this to three months in total.
Missing or Incomplete Information
SAR responses sometimes miss relevant documents that exist, for example, emails under a previous name.
Practical tip: Make sure searches cover all systems, old identifiers, and both structured and unstructured data. Logging your search approach helps demonstrate due diligence during a complaint review.
Refusals and Redactions
You can withhold data in limited cases where exemptions apply or if providing it would mean disclosing third‑party personal data without justification.
Practical tip: Explain why you redacted or refused information; outline the legal basis. Walkthrough notes are invaluable when someone challenges decisions.
Technical or Accessibility Barriers
Some organisations require SARs through specific forms, but under data protection law, a request is valid even if made via email or phone.
Recommended practice: Accept all reasonable forms of SAR and then clarify format preferences once received; this reduces complaint triggers.
Practical Steps to Handle a SAR Complaint
Here’s a step‑by‑step playbook you can follow:
✔ Step 1: Acknowledge Quickly
Send a simple acknowledgement within 30 days (ideally sooner). It builds trust and meets ICO expectations.
✔ Step 2: Gather the Facts
Check:
When the SAR was received
What was provided (and in what format)
Any extensions or refusals recorded.
Relevant evidence from your systems or staff
✔ Step 3: Review the Original Decision
Consider whether:
The response was complete.
It was disclosed within the statutory timeframe.
Redactions or exemptions were correctly applied.
Any clarifications were sought appropriately.
✔ Step 4: Respond with Clarity
Your outcome letter should:
Summarise each concern.
Explain your findings.
Provide evidence if appropriate.
Offer next steps (e.g., amendment, apology, clarification)
✔ Step 5: Learn and Improve
Check whether similar complaints could be prevented:
Update SAR search checklists.
Train staff on recognising requests
Record lessons learnt in your privacy management programme
The ICO recommends reviewing complaint feedback to improve processes, not just to tick a box.
Where a Complaint Goes Next
If the complainant remains unhappy after your internal process, they can complain to the ICO, which may contact you for more information.
In rare cases of non‑compliance, enforcement action or court proceedings are possible — but handling complaints well internally usually defuses issues early.
Final Thoughts
SAR complaints don’t have to be stressful. By building a clear process, communicating effectively, and handling each complaint with transparency and care, you not only comply with UK GDPR but also strengthen trust with the people whose data you hold.
Consistent SAR handling is not just regulatory box‑ticking; it is good data protection practice.
Need Help Handling SAR Complaints?
Don’t navigate SAR complaints alone. Whether it is reviewing your processes, responding to tricky requests, or ensuring full compliance with UK GDPR, our expert team can guide you every step of the way.
Contact us today at info@sarsearonconsulting.com to discuss your data protection challenges and protect your organisation from costly mistakes.






