United Kingdom Privacy Laws — UK GDPR and SAR Requirements

UK data subject access request requirements under the UK GDPR and Data Protection Act 2018. Rights, deadlines, ICO guidance, and institution-specific SAR guides.

Last updated: 2026-03-01

The United Kingdom's data protection framework is built on the UK GDPR (the retained EU GDPR, as amended post-Brexit) and the Data Protection Act 2018. Together, these give individuals the right to make subject access requests (SARs) to any organization holding their personal data.

The Information Commissioner's Office (ICO) is the UK's independent supervisory authority for data protection. The ICO investigates complaints, issues enforcement notices, and can impose fines of up to GBP 17.5 million or 4% of global annual revenue.

Disclaimer: This content is for informational purposes only and does not constitute legal advice. Consult a qualified solicitor or data protection professional for guidance specific to your organization.

UK Data Protection Landscape

The UK's data protection regime closely mirrors the EU GDPR but operates independently following Brexit. Key differences include the UK's own adequacy decisions, the ICO's enforcement approach, and UK-specific exemptions under the Data Protection Act 2018.

The Data Use and Access Act 2025 (DUA Act) introduces changes to how organizations handle SARs, including the concept of a "reasonable search" and provisions for dealing with vexatious requests. These changes are being phased in during 2025-2026.

Key Features for SAR Compliance

  • No threshold: Applies to all organizations processing personal data of UK residents
  • 30-day deadline: Must respond within one calendar month
  • Free of charge: No fee for standard requests; reasonable fee permitted for manifestly unfounded or excessive requests
  • ICO guidance: The ICO publishes detailed guidance on handling SARs, including templates and FAQs
  • Right to complain: Individuals can complain to the ICO if dissatisfied with a response

Privacy Law Guides

  • UK GDPR DSAR Requirements — full DSAR compliance breakdown including rights, deadlines, identity verification, and penalties

Making a SAR to UK Institutions

Individuals in the UK frequently make subject access requests to public bodies and large institutions. Each institution has its own SAR process, timelines, and contact points. We are building guides for the most common institutions:

  • Home Office — immigration records, visa applications, enforcement data
  • NHS — medical records, GP records, hospital records
  • Police — criminal records, investigation data, CCTV footage
  • HMRC — tax records, employment records, benefit data

These guides will cover what data each institution holds, how to submit a SAR, typical response times, and what to do if your request is refused.
