How to request your personal data under GDPR in the UK?


Ever wondered what information companies, government bodies, or other organisations hold about you? Perhaps you’re curious about what your bank knows, what data your employer keeps, or what your doctor has on file. The good news is that in the UK, you have a legal right to find out—and it’s easier than you might think.

What is a Subject Access Request?

A Subject Access Request (SAR) is your legal right to ask any organisation if they’re using or storing your personal information. It’s a powerful tool that puts you in control of your data, and the best part? You don’t need a solicitor or legal expertise to make one.

Under UK data protection law, organisations must tell you what information they hold about you, how they’re using it, and who they’re sharing it with.

What Can You Request?

You can ask for:

  • All the personal information an organisation holds about you
  • Specific information, such as medical records, employment files, or customer service notes
  • Details about how your data is being used
  • Information about who your data has been shared with

Top Tip: Being specific about what you want often leads to faster, more useful responses. Rather than asking for “everything,” try requesting particular types of information relevant to your situation.

How to Make a Request

Making a Subject Access Request is straightforward. You can submit one through:

  • Online: Many organisations have SAR forms on their websites
  • Email: Send a clear email with your request
  • Post: Write a letter to the organisation
  • Phone: Call and make your request verbally
  • In person: Visit the organisation directly

What to Include in Your Request

Make your request clear by including:

  1. The words “subject access request” in your subject line or opening
  2. Your full name and contact details
  3. Any reference numbers or account numbers that identify you
  4. A clear description of the information you’re requesting
  5. Your preferred method for receiving the information (email, post, etc.)

Where to Send It: Check the organisation’s privacy notice or website—they should list a contact address specifically for data requests.

How Long Should It Take?

Organisations have one month from receiving your request to respond. In complex cases, they may extend this by up to two additional months, but they must tell you why and when you’ll receive a response.

Important: Most organisations cannot charge you a fee for a basic SAR, though they may charge reasonable costs for additional copies or if your request is clearly excessive.

Requesting Data on Behalf of Someone Else

You can make a request for another person, such as a child or someone you have power of attorney for, but you’ll need to prove you have permission. The organisation may ask for:

  • Written permission from the person
  • A power of attorney document
  • Other proof of your authority to act on their behalf

What If You Don’t Get a Response?

If a month passes and you haven’t heard anything, don’t worry—you have options.

Step 1: Follow Up Directly

Send a polite follow-up email or letter to the organisation. Sometimes requests get lost or delayed, and a gentle reminder can get things moving. Keep copies of everything you send.

Step 2: Make a Formal Complaint

If you still don’t receive a satisfactory response:

  1. Contact the organisation’s complaints department
  2. Clearly state that you made a Subject Access Request on [date]
  3. List any missing information or problems with their response
  4. Request a full response within one month

Keep Records: Save copies of all your correspondence—emails, letters, and notes from phone calls. This creates a paper trail if you need to escalate.

Step 3: Complain to the ICO

If the organisation still doesn’t respond properly, you can complain to the Information Commissioner’s Office (ICO)—the UK’s independent data protection regulator.

Important Timing: You must complain to the ICO within three months of your last meaningful contact with the organisation.

When you complain to the ICO:

  • Provide copies of your original request and any responses
  • Include your follow-up correspondence
  • Explain what’s missing or unsatisfactory

What the ICO Can Do:

  • Give advice and guidance to the organisation
  • Investigate your complaint
  • Order the organisation to take specific action
  • In serious cases, fine organisations that break the law

What the ICO Cannot Do:

  • Act as your personal representative
  • Award you compensation
  • Take legal action on your behalf

If you’re considering legal action for compensation, you’ll need to seek independent legal advice and potentially take the matter to court yourself.

What If Your Request Is Refused?

Organisations can sometimes refuse all or part of your request, but they must have a valid legal reason. If they refuse, they must explain why and inform you of your right to complain to the ICO.

Common reasons for refusal include:

  • The request would reveal information about other people
  • The information is legally privileged
  • The request is manifestly unfounded or excessive

If you believe a refusal is unjustified, you can follow the complaint process outlined above.

Final Tips for Success

  1. Be specific: The clearer your request, the better the response
  2. Be patient but persistent: Give organisations the full month, but don’t hesitate to follow up
  3. Keep everything: Maintain copies of all correspondence
  4. Know your rights: Organisations must comply with your request—it’s the law
  5. Don’t be intimidated: Subject Access Requests are a normal part of data protection, and you don’t need legal help to make one

Why This Matters

Your personal data says a lot about you—from your health and finances to your habits and preferences. Knowing what organisations hold and how they’re using it helps you:

  • Spot and correct mistakes in your records
  • Understand how your data influences decisions about you
  • Ensure organisations are treating your information responsibly
  • Exercise your wider data protection rights

Whether you’re checking your credit file, reviewing medical records, or simply curious about what a company knows, making a Subject Access Request is your right. Don’t be afraid to use it.


Need More Help?

Visit the Information Commissioner’s Office (ICO) website at ico.org.uk for template letters, detailed guidance, and information about making a complaint.

Remember: your data, your rights, your control.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance. With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development. Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
