Managing Subject Access Requests Under The Updated UK Data Protection Laws

Several changes to how UK organisations handle subject access requests are now in force under the Data (Use and Access) Act 2025. The most practical change is that organisations are only required to carry out reasonable and proportionate searches when responding to a SAR. The Act also puts the “stop the clock” clarification rule into statute and confirms how response deadlines are calculated when identity checks, clarification or a valid fee request are needed.

From 19 June 2026, organisations will also need to meet new data protection complaints handling requirements. That means giving people a clear way to complain directly to you about how their personal data has been handled, acknowledging complaints within 30 days, investigating them properly and telling the person the outcome without undue delay.

Together, these changes make SAR handling more practical. But they also expose organisations that do not know where their data is stored. The reasonable and proportionate search standard only helps if you can explain what you searched, why you searched it and why your approach was sensible.

If your data is scattered across Microsoft 365, old mailboxes, legacy archives, SaaS tools and backups nobody has mapped, the new rules will not remove the problem. They will make it more visible.

This article is informational and does not constitute legal advice. For specific guidance on your organisation’s data protection obligations, a qualified data protection adviser should be consulted.

What A SAR Actually Requires

A subject access request is a request from an individual for a copy of the personal data you hold about them, along with other information about how you use it. The right applies to customers, employees, former employees, job applicants, suppliers and anyone else whose personal data you process.

A SAR can be made verbally or in writing. It does not need to mention “subject access request”, “UK GDPR” or “Article 15”. If it is clear that someone is asking for their own personal data, you need to recognise it and deal with it properly.

In most cases, you cannot charge a fee. The usual deadline is one month. You may be able to extend by a further 2 months where the request is complex or where the person has made multiple requests, but you must tell the requester within the original one-month period and explain why.

SARs remain one of the most common areas of complaint to the Information Commissioner’s Office. The ICO’s 2024/25 Annual Report noted that Article 15 complaints, which relate to the right of access, accounted for most of its data protection complaints work.

The Reasonable And Proportionate Search Standard

This is the change that matters most for day-to-day SAR handling.

You are not required to conduct an exhaustive search of every location where personal data might theoretically exist. You are required to conduct reasonable and proportionate searches for relevant information.

That does not mean you can ignore difficult sources. It means you can define a sensible scope based on the request, the person, the systems you use, the age of the data, the likely relevance of each source and your organisation’s size and resources.

For example, if a former employee asks for “everything you hold about me”, a reasonable search might include their HR file, payroll records, line manager emails, relevant Teams messages, performance records and any disciplinary or grievance material. It may not require a forensic trawl through every historic backup if those backups exist only for disaster recovery and are not reasonably searchable in normal business use.

The key is documentation. Record the systems searched, the search terms used, the date ranges applied and why those choices were reasonable. If the requester complains, your search log is the evidence that your response was not casual or arbitrary.

Stop The Clock: Now In Statute

The “stop the clock” rule allows you to pause the response deadline in specific circumstances. It had already appeared in ICO guidance, but the Data (Use and Access) Act 2025 now puts it into the legal framework.

The deadline can be paused where you reasonably need clarification to respond effectively to the SAR. The clock may also effectively start only once you have received the information needed to verify the requester’s identity or authority, or once you receive the fee where a valid fee request has been made.

You cannot ask for clarification as a routine delaying tactic. You should only ask where clarification is genuinely needed, such as where the request is unclear or you hold a large amount of information about the person and cannot provide an effective response without narrowing the scope.

If the person does not clarify, you should not automatically refuse the request. You should wait a reasonable period, and where appropriate carry out a reasonable search based on the information you do have.

Manifestly Unfounded Or Excessive Requests

In most cases, SARs must be answered free of charge. However, you can refuse to comply or charge a reasonable fee where a request is manifestly unfounded or excessive. You can also charge for further copies of information that has already been provided.

A request may be manifestly unfounded where the person clearly has no genuine intention of exercising their right of access, or where the request is malicious and intended mainly to harass or disrupt. A request may be excessive where it is repetitive or clearly disproportionate in the circumstances.

This remains a high threshold. If you refuse or charge, you must be able to justify the decision. Keep evidence of why you reached that view, what alternatives you considered and what you told the requester.

Aggressive wording alone will not usually be enough. A request linked to an employment dispute is not automatically invalid either. The person’s motive does not usually matter unless you are relying on the manifestly unfounded or excessive provisions.

The 19 June 2026 Complaint Handling Requirement

From 19 June 2026, organisations must have a process for handling data protection complaints. This applies to complaints from people who believe their personal data has been used in a way that breaches data protection law.

You must give people a way to complain to you, acknowledge the complaint within 30 days, take appropriate steps to respond, keep the person informed and tell them the outcome without undue delay.

This directly affects SAR templates. A SAR response should now explain both the right to complain to the ICO and the right to raise a data protection complaint directly with your organisation. It should also explain how that complaint can be made.

If your SAR template has not been updated since before the Data (Use and Access) Act changes, it needs reviewing.

Where Your Data Actually Lives

The reasonable and proportionate search standard only works if you know where personal data sits.

For most SMEs, personal data is spread across email, Teams, SharePoint, OneDrive, CRM systems, HR platforms, payroll records, accounting tools, archived mailboxes, ticketing systems and backups. Some data may also sit in unsanctioned tools, old folders or systems that were never fully decommissioned.

That is why SARs are often an IT problem as much as a legal one.

Data source          | Where personal data typically sits    | Search tool
---------------------|---------------------------------------|-------------------------------------------------
Email                | Exchange Online or Google Workspace   | Microsoft Purview Content Search or Google Vault
Teams messages       | Teams chats and channels              | Microsoft Purview Content Search
Files                | SharePoint and OneDrive               | Content Search or SharePoint search
HR and payroll       | HR system or outsourced provider      | Platform export or provider request
CRM                  | Salesforce, HubSpot or similar        | Platform-specific export
Accounting           | Xero, Sage, QuickBooks or similar     | Platform-specific export
Backups and archives | Backup platform or archive tool       | Service-specific search or extraction
Legacy systems       | Old servers or SaaS accounts          | Manual review or specialist extraction

Microsoft Purview Content Search can help search across Exchange, Teams, SharePoint and OneDrive in a structured, repeatable way. It does not solve every problem, but it gives you a defensible method if your Microsoft 365 environment is properly configured.

This connects directly to Microsoft 365 backup. Backups created for recovery may still contain personal data. The distinction explained in our cloud to cloud backup article matters because native retention is not the same as a separate backup you can search, restore or evidence. The common cloud backup mistakes that cause recovery problems can also cause SAR problems. As a cloud backup company, we see both sides of that issue. Google Workspace backup raises the same point for organisations using Google rather than Microsoft.

An Office 365 assessment can show what is inside your tenant and how it is organised. Our useful Office 365 features article explains some of the tools many businesses already have. A capable managed IT support services company should be helping you understand this, and IT service management is what keeps the structure tidy enough for SARs to remain manageable.

Practical Steps For SMEs

Every business should have a simple SAR process in writing.

Start with a named owner. If nobody is responsible, SARs get missed, misrouted or answered late.

Create a written procedure covering how you recognise SARs, verify identity, seek clarification, search systems, redact third-party data, review exemptions, provide the response and log the outcome.

Test your search tools before a request arrives. If you use Microsoft 365, run a trial Content Search so you know what it covers and how results are exported. If you use Google Workspace, understand Google Vault or your backup provider’s search tools.
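The trial Content Search described above, combined with the search log recommended in the reasonable and proportionate search section, as an added example (this is not code from the article or from Northern Star). It assumes the ExchangeOnlineManagement PowerShell module is installed and that the signed-in account holds an eDiscovery role in Microsoft Purview; every tenant name, mailbox, site URL, requester name and date below is a constructed placeholder.

```powershell
# Added example (not from the article): a repeatable trial Content Search for a SAR,
# plus the search log entry the article recommends keeping. Assumes the
# ExchangeOnlineManagement module and an account holding an eDiscovery role.
# All names, addresses, URLs and dates below are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "sar.owner@contoso.example"

$requester  = "Jane Example"                      # placeholder requester
$requestRef = "SAR-2026-0001"                     # your internal reference
$searchName = "$requestRef Content Search"
$dateFrom   = "2023-01-01"; $dateTo = "2025-12-31"

# Keyword query applied across Exchange (which also stores Teams chat records),
# SharePoint and OneDrive. Workload-specific date properties (for example
# received>= for email) can be appended to narrow the range if needed.
$query = "`"$requester`" OR `"jane.example@contoso.example`""

# Scope: only the locations you judged reasonably likely to hold the data.
$mailboxes = @("hr@contoso.example", "line.manager@contoso.example")
$sites     = @("https://contoso.sharepoint.example/sites/HR")

$search = New-ComplianceSearch -Name $searchName -Description "Trial search for $requestRef" `
    -ExchangeLocation $mailboxes -SharePointLocation $sites -ContentMatchQuery $query `
    -AllowNotFoundExchangeLocationsEnabled $true
Start-ComplianceSearch -Identity $search.Name

# Poll until the search completes, then capture the item count for the log.
do { Start-Sleep -Seconds 15; $result = Get-ComplianceSearch -Identity $search.Name }
while ($result.Status -ne "Completed")

# Search log entry: systems searched, terms used, date range applied and why.
$logEntry = [ordered]@{
    Reference  = $requestRef
    SearchedOn = (Get-Date).ToString("s")
    Systems    = @("Exchange Online (incl. Teams chats)", "SharePoint HR site")
    Mailboxes  = $mailboxes
    Sites      = $sites
    Query      = $query
    DateRange  = "$dateFrom to $dateTo"
    Rationale  = "Former employee: HR mailbox, line manager mailbox and HR site are the sources reasonably likely to hold their data. DR-only backups excluded as not searchable in normal business use."
    ItemsFound = $result.Items
}
$logEntry | ConvertTo-Json | Out-File "$requestRef-search-log.json"

# Export the results for review and redaction (downloaded via the Purview portal export tool).
New-ComplianceSearchAction -SearchName $search.Name -Export
```

Keep the JSON log with the request file; it is the evidence that the search scope was deliberate rather than arbitrary if the requester later complains.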

Update your response templates. They should now include the person’s right to complain to you about data protection concerns, how they can do that, and their right to complain to the ICO.

Also create a complaint handling process for follow-up complaints about SAR responses.

Our article on why IT compliance matters explains why these processes need board-level attention. SAR handling is not just a paperwork task. It depends on systems, access control, retention, security and accountability.

Security is part of the same picture. Password best practices, Microsoft Intune, endpoint security for remote teams, endpoint hardening steps and why EDR matters all help keep personal data accessible only to the right people.

Phishing remains a common cause of unauthorised access to personal data. As an anti-phishing company that New York and London businesses use, we see credential compromise feeding data access incidents regularly. Anti-phishing controls, anti-phishing basics and guidance on how to create an anti-phishing policy all reduce that risk. Dark web monitoring in London gives early warning when credentials surface. A business continuity plan helps when a security event triggers both an incident response and a wave of SARs.

Cross-Border And Multi-Site Realities

If your organisation operates across more than one country, SARs become more complicated. UK GDPR and EU GDPR are similar, but they are not identical in procedure, regulator expectations or local implementation.

The Data (Use and Access) Act changes apply to UK-regulated processing. EU processing remains subject to EU GDPR and the relevant supervisory authority. If the same requester’s data sits across UK and EU systems, you need to coordinate the response carefully.

Our European support services and global IT support services help businesses manage data governance consistently across jurisdictions. If you are consolidating platforms or moving systems, that is a good time to map personal data properly. Our platform migration work builds that into migration planning.

Our full range of services and our consulting team can help scope what good SAR management looks like for your setup. The benefits of working with a capable managed IT support services company are also covered in our article on the benefits of outsourcing your IT to an MSP. Our network penetration testing and security services support the security layer beneath your data governance.

Frequently Asked Questions

What Changed About SARs On 5 February 2026?

The law now makes clear that organisations only need to carry out reasonable and proportionate searches when responding to SARs. It also places the stop-the-clock clarification rule into statute and clarifies how time limits apply where identity verification, clarification or a valid fee request is needed.

Does Reasonable And Proportionate Mean We Can Ignore Some Data?

No. You still need to search the systems where the requester’s personal data is reasonably likely to be found. You do not have to conduct an unlimited search of every possible backup, archive or legacy system if doing so would not be reasonable or proportionate. The search scope should be documented.

Can We Charge For A SAR?

Usually no. You can only charge a reasonable fee in limited circumstances, such as where the request is manifestly unfounded or excessive, or where the person asks for further copies of information already provided.

When Can We Stop The Clock?

You can pause the deadline where clarification is genuinely and reasonably required to respond effectively. The deadline can also depend on when you receive information needed to verify identity or a fee where a valid fee request has been made. You should not use clarification as a delay tactic.

What Do We Need To Add To SAR Templates From June 2026?

Your SAR response should explain the person’s right to make a data protection complaint directly to you, how they can do that, and their right to complain to the ICO.

What If Our Data Is Too Scattered To Respond Within A Month?

The reasonable and proportionate search standard helps, but scattered data is still a governance problem. A data map, properly configured Microsoft 365 or Google Workspace search tools, and clear ownership of SAR handling will make future requests much easier to manage.

The Sensible Next Step

If you do one thing after reading this, test Microsoft Purview Content Search or your equivalent tool and understand what it covers. If you do a second thing, update your SAR response template so it includes the complaint information required from 19 June 2026. If you do a third, create a simple data map showing where personal data sits across your business.

If you would like help mapping your data estate, configuring Microsoft 365 compliance tools or building a SAR process that stands up to scrutiny, speak to Northern Star. We will help you get the IT foundations right so the data protection side becomes manageable rather than something you dread.