The Information Commissioner’s Office (ICO) updated its guidance on Subject Access Requests (SARs), signalling that the legal context underpinning SAR handling has changed with the introduction of the Data (Use and Access) Act (DUAA). Here’s a breakdown:
Clearer Positioning on Narrowing Large SARs
The updated guidance re-emphasises how organisations should approach large or complex SARs, reiterating that individuals:
- Can be asked to clarify/narrow broad requests
- Retain the right to request all personal data within scope
Reinforced Approach to “Excessive” and “Unfounded” Requests
It restates key principles regarding when a request may be refused or charged for:
- A large volume of data alone does not make a request excessive
- Repeated, overlapping or harassing requests may qualify as excessive/unfounded
- Any decision to refuse/charge must be justified and documented
Related Update: Complaints Handling
The ICO also confirms a new legal requirement linked to the DUAA – from 19 June 2026 all organisations must have a process for handling data protection complaints.
This will directly affect how SAR disputes are managed internally – in the past, data subjects could complain directly to the ICO, but now organisations must handle complaints in-house before the ICO can be approached.
Practical Takeaways for Small Organisations
- Treat the updated guidance as authoritative
- Ensure refusals, narrowing requests, or fees are clearly documented
- Begin preparing for mandatory complaint-handling processes, including ensuring you have a Complaints Policy which outlines your process
Final Reflection
The updates reinforce existing SAR principles rather than introducing any radical changes. However, they place renewed emphasis on documentation, justification and procedural formality, signalling that regulators expect more structured compliance even from smaller organisations, which are expected to demonstrate the same level of governance discipline as their larger counterparts.
While the guidance provides useful clarification, it does little to reduce the practical burden where resources are limited. The message is clear – operational constraints are unlikely to carry significant weight if challenged.
How Hope & May can help
We can:
- Provide advice and guidance on requests
- Respond to/manage SARs as your external DPO
- Redact data as your external DPO to ensure your response is compliant
- Review your SAR policy or create a new, tailored one
- Provide training to ensure your organisation knows how to recognise and respond to SARs
If you have any questions, please contact us.