Responding to Subject Access Requests

Solicitor Jack Horwitz talks us through James Pavur's study and how best to review Subject Access Requests.

Ever since the General Data Protection Regulation (“GDPR”) came into force on 25 May 2018, responding to Subject Access Requests (“SARs”) has become an almost day-to-day job for plenty of businesses.

This boom in the number of SARs can largely be put down to two main factors:

  • The first is the increased awareness amongst the general public of their own data protection rights, resulting from the publicity surrounding GDPR coming into force and a number of high-profile data protection-related news stories, such as the Cambridge Analytica affair.
  • The second key reason is that there is no longer any fee payable (unless the request is “manifestly unfounded or excessive”, in which case a reasonable fee may be charged). Under previous legislation, a £10 fee could be charged by businesses to the individual making the request. It seems that the removal of this small barrier has opened the floodgates.

As well as opening the door for many legitimate (and some spurious) SARs, the removal of the £10 fee has also made the SAR into another potential tool for hackers to use when seeking to obtain personal data which can then be used for identity theft purposes.

A recent study carried out by James Pavur, a PhD student at Oxford University, demonstrated the vulnerabilities created by the sheer number of SARs most businesses face nowadays. The volume of requests, and the relatively short period in which to respond (only one month), creates significant pressure on the employees tasked with dealing with SARs. This, coupled with the potentially huge fines which can be levied under GDPR, creates an environment in which the prevailing attitude can end up being one of “get the response over and done with without asking too many questions”.

Mr Pavur’s theory is that this regulatory framework may lead to SARs being responded to without the business having confirmed the identity of the individual actually making the request. In order to test this theory, Mr Pavur sent out 150 SARs in the name of his fiancée. The aim of the experiment was to obtain as much personal information about his fiancée as he could, without the various businesses finding out that it was not actually his fiancée making the request (for those wondering, she was complicit in this experiment!).

The results are either interesting, or quite concerning, depending on your viewpoint. 24% of the companies responded on the basis of nothing more than an email address and phone number, and sent over all data they had on Mr Pavur’s fiancée. A further 16% requested some ID, which Mr Pavur described as ID that could be “easily forged”.

Other companies asked for login details to prove identity. However, one of these companies sent over all the personal data it held after Mr Pavur simply told them he had forgotten the login details.

The information received by Mr Pavur ticks all of the boxes for the type of personal data a hacker could use to carry out all kinds of identity theft online: social security number, date of birth, mother's maiden name, 10 digits of a credit card number, credit card expiration date, card type and postcode.

The advice for businesses off the back of this study is clear: you must be certain of the identity of the individual making the SAR or, where it is made on behalf of another person, that the individual making the request has the proper authority.

GDPR does provide companies with the power to request information necessary to confirm identity, where there are “reasonable doubts” about the identity of the person making the request. However, in the time-pressured environment of having to respond to SARs within a month, it is easy to see how asking for appropriate ID gets overlooked.

Don’t be afraid to use the powers granted by GDPR if you have any doubts at all about the identity of the individual making the request. Sending out personal data to a hacker in response to a fraudulent SAR is likely to be a data breach in its own right, thereby turning what is an attempt to comply with GDPR into a whole new set of data protection issues for an organisation.

If you have any questions regarding the above, please feel free to email Jack Horwitz at jhorwitz@leathesprior.co.uk or visit the website for more information.

Note: The content of this article is for general information only and does not constitute legal advice. Specific legal advice should be taken in any specific circumstance.

Article by
Jack Horwitz
October 29, 2019
Article by
Leathes Prior Team
October 29, 2019