Resources
Podcasts, Guides, Updates & More
Data Protection People Blogs
Data Privacy Learning & Guidance
Our mission is to make data protection easy: easy to understand and easy to do. Our weekly podcasts are available in our Resource Centre along with a collection of articles, white papers, useful guidance, templates, case law, and opinions – providing you with tools you can utilise in your workplace.
Can You Charge for a Subject Access Request (SAR)?
SARs take up time and resources – but can you charge the individual making the request for your effort?
In this article, we’ll answer that question. We’ll discuss the exceptions where you can charge for a SAR and the rules and regulations governing those circumstances.
What the Law Says
GDPR law says that SARs must generally be provided free of charge. However, there are some exceptions where you can charge a “reasonable fee”.
“Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information; or (b) refuse to act on the request.” – Article 12(5) UK GDPR.
When Can You Charge for a SAR?
The two main circumstances where you can charge for a SAR are when the SAR is manifestly “unfounded” or “excessive”.
“Unfounded” means that the individual clearly has no real intention of exercising their right, i.e. a request that’s made purely to cause disruption or harassment. This could be a former, disgruntled employee who makes a SAR every week to make as much work as possible for the company.
An “excessive” SAR is one that is repetitive or requests a disproportionate volume of data with little value or justification. For example, you’re the owner of a small business, and a former worker requests all the information that you hold on them. An initial search returns 3,000 emails, a volume you may consider burdensome for your resources to handle.
What Does “Reasonable Fee” Mean?
The law says that you can charge a “reasonable fee” for these circumstances, if you choose to respond to the request (as opposed to refusing it outright). But what constitutes “reasonable”?
The fee should cover the administrative costs of dealing with the request, i.e.:
- Staff time:
  - Assessing whether or not you’re processing the data
  - Locating, retrieving and extracting the data
  - Communicating the response to the individual, even if you’re not providing the data
- Printing and postage
- Or other associated costs of transferring the data
- Cost of media (USB stick, CD, etc.)
You should charge fees in a proportionate and consistent way. It’s best practice to include a copy of the criteria you’re using to create the fee in your SAR policy, so you can justify the cost.
How to Handle SAR Fees
Best practice when handling subject access requests that might qualify for charging a fee:
- Assess whether the request meets the criteria for a fee.
- Inform the requester as soon as possible:
  - Explain why the request is excessive or unfounded.
  - Provide a fee estimate.
- Document your decisions as you go along so you can provide reasoning to the ICO if necessary.
- Pause the clock: the 1-month SAR response time doesn’t start until the fee is paid.
What Happens If You Get It Wrong?
You must be sure that charging for a SAR is justifiable – if you get it wrong, you could face punishment from the ICO or end up in court. An individual can complain to the ICO if they feel that you’re wrong to charge a fee, so it pays to be cautious.
One key example of a company getting it wrong is the case of Dawson-Damer v Taylor Wessing LLP, where the company withheld information and implied a fee should be charged. The court ruled that Taylor Wessing had not proven that the request was disproportionate, confirming that it is up to the data controller to demonstrate the request’s difficulty, not the other way around.
Need Help Reviewing a SAR?
Our experts can help with the full SAR lifecycle, from consulting on your processes to reviewing and redacting data to responding to the requests themselves. Get in touch today.
Best Practice for Handling SARs From a Third Party
A direct Subject Access Request (SAR) can be complex enough; when a third party gets involved, it only gets more so. They can feel overwhelming to deal with, but with our guidance, you’ll understand what a SAR from a third party is and how to handle it.
The Basics: What Is a SAR from a Third Party?
A SAR from a third party, or a third-party SAR, is a Subject Access Request made on behalf of someone else with their consent. It could be made by a legal representative, a parent or guardian, someone with power of attorney or a family member or friend.
The third party must provide evidence of their authority to act on the individual’s behalf, such as written consent.
Note: Third-party SARs also refer to requests that include data about a third person, but for the purpose of this blog, we’ll refer to them as ‘SARs from third parties’.
Key Legal Requirement: Authority to Act
As a business, you must verify that the third party has written authority to act on behalf of the data subject before doing anything else. This could be:
- Signed letter of consent
- Power of attorney
- Solicitor’s letter confirming representation
If you need clarification, ask before proceeding.
If there isn’t any evidence that the third party has the relevant authority to make a SAR, then you aren’t required to comply, but you should respond and explain this to them.
Types of Third-Party Requests (and How to Handle Them)
Solicitors
When solicitors make subject access requests, it is usually related to legal claims, such as employment disputes or personal injury claims.
You should:
- Confirm the identity of their client
- Specify what data is being requested
SARs used for litigation disclosure purposes may still be valid SARs. Unfortunately, you can’t reject them just because they’re tactical. When can you refuse a SAR? If you’re unsure, then we can help support you.
Parents Requesting On Behalf Of Children
A parent might make a SAR for their child’s school attendance or performance, or for information that social services keep.
When parents request on behalf of their child, you should check the age and capacity of the child. If they are younger than 13, parents can usually make a request. If they are 13 or older, check whether the child can understand and exercise their rights themselves—you should usually get the child’s permission first.
You should always prioritise the child’s interests over the parent’s.
Power of Attorney or Legal Guardianship
There are lots of reasons why someone might use a Power of Attorney to make a SAR on their behalf, but the main reason is that they lack mental capacity or are otherwise unable to manage their own affairs. For example, a Power of Attorney can make a Subject Access Request to the NHS for health reasons.
As a business, you must request a copy of the legal document that authorises them to make a SAR.
Verifying Identity and Authority
You are responsible for protecting the data, so you shouldn’t release anything until:
- You have confirmed the identity of the data subject AND;
- You have confirmed the third party’s right to act on their behalf.
Acceptable forms of ID include a passport, driver’s licence, etc. If you’re not sure, you can ‘pause the SAR clock’ by requesting more information, which pauses the one-month response deadline until the requester provides adequate details.
Best Practices for Handling SARs from Third Parties
SARs from third parties are valid, but you must conduct due diligence to ensure the requester has the proper authority. Businesses must strike a balance between the data subject’s rights and safeguarding others.
For best practice when handling these SARs:
- Have a SAR policy that includes handling third-party requests.
- Train staff to recognise valid vs invalid requests.
- Create a SAR verification checklist to ensure proper procedures are followed.
- Keep a record of all decisions, especially refusals or redactions.
Need Help with Complex SARs?
From creating strategies for your request processes to reviewing and redacting data, our team of experts can support you every step of the way. Get support today.
What Does a Data Protection Officer (DPO) Do?
The UK GDPR is a complex piece of legislation. You can try to understand the legalese and juggle your requirements along with your day-to-day role, or you can appoint a DPO.
A data protection officer is an independent expert responsible for keeping your business compliant with the law. Compliance underpins everything they do. That’s why companies choose to outsource their DPO to avoid a conflict of interest.
In this article, we will uncover the DPO requirements as set out in:
- Part 3, Chapter 4 of the Data Protection Act (2018)
- Articles 37-39 of the GDPR
What Are the Tasks of a DPO?
A data protection officer must perform the following tasks:
- Provide Guidance to Management & Employees
- Improve & Monitor GDPR Compliance
- Advise on Data Protection Impact Assessments
- Cooperate with the Commissioner
- Become the Commissioner’s Main Point of Contact
1. Provide Guidance to Management & Employees
A DPO informs and advises the data controller (the business), its employees and any data processors that handle personal data on its behalf.
As a GDPR expert, the DPO will keep these parties aware of their obligations under the UK GDPR, along with other data protection laws relevant to the controller’s operations. For example, if you transfer data from one country to another, your DPO will hold you accountable to both the UK GDPR and the country’s legislation.
The Data (Use and Access) Act (DUAA) 2025 is simplifying international data transfer – find out more in our guide.
A DPO is a purely advisory role, so they can’t make decisions for you. As a controller, you can even choose to reject their advice, but it would be wise to implement it or face the repercussions later on.
2. Monitor GDPR Compliance
Along with advising, a DPO also monitors compliance with the UK GDPR and other data protection laws. This includes:
- Ensuring the relevant data protection policies are implemented and raising awareness of them
- Assigning responsibilities under those policies
- Bringing attention to data protection concerns
- Conducting or overseeing data protection training
- Conducting internal GDPR audits
- Managing data protection obligations
By completing these tasks, a DPO ensures your business maintains – or improves – its compliance with the UK GDPR.
3. Advise on Data Protection Impact Assessments (DPIA)
Businesses that require a DPO are typically those with high-risk and/or large-scale processing activities. At times, these businesses will need to complete a risk assessment, otherwise known as a DPIA, when starting a new processing activity.
A data protection impact assessment is required by law only if:
- You process special category and criminal conviction data on a large scale.
- You systematically monitor public areas on a large scale.
- You plan to use automated decision-making to conduct systematic and extensive evaluations of an individual. For example, you may use software to automatically filter job applications based on specific criteria.
The ICO also include several other high-risk activities that may require a DPIA, which are not included above.
The DPO is expected to advise and monitor these assessments, but not complete them on your behalf. Remember, DPOs are advisors, not ‘doers’. That is, unless they are an existing employee who may be spinning multiple plates to move compliance work over the line.
4. Cooperate & Liaise with the Commissioner
The DPO must be a point of contact for the Information Commissioner (or ‘ICO’) on all data protection issues. This includes reporting on data breaches, subject access requests (SARs), and any other concerns related to non-compliance.
A DPO operates independently, so while performing a task like this could jeopardise your business, you cannot dismiss or penalise them for doing so. It’s part of their job. This proactivity will help you avoid fines later down the line.
5. Serve as the Point of Contact for Data Subjects
A DPO must also be the designated contact for individuals whose data is being processed. These individuals are known as data subjects and could be your employees or customers.
When an individual submits a SAR, a data protection officer will handle the communication between the business and the person. The DPO will also guide the controller on collating and reviewing the requested information, ensuring the final response is delivered in a timely manner.
Can a Data Protection Officer Carry Out Other Tasks?
Yes, if you have an internally appointed DPO, they can carry out other duties. These duties or tasks, however, must not result in a conflict of interest.
If a DPO has two roles, the organisation must ensure that there are rules implemented to avoid or minimise conflict of interest. You must assess what each role entails and be prepared to provide evidence of why you have done so.
What Are an Employer’s Duties When Appointing a DPO?
As an employer, you must create an environment that allows your DPO to:
- Report to the highest management level of the controller
- Participate in all matters related to personal data protection in a timely manner.
- Be provided with the necessary resources to perform their tasks and maintain their expertise in data protection law and practice.
- Be able to act independently, without receiving any instructions regarding their data protection tasks.
- Avoid conflicts of interest by not performing any other tasks that would create one.
- Not be dismissed or penalised for performing their official duties
Is Your Business Fully GDPR Compliant? Speak to Our Outsourced DPOs Today
Our outsourced data protection officers bring extensive knowledge in all areas of the UK GDPR. You can choose to outsource all your DPO obligations, or they can work alongside your team to fill in the gaps.
We offer a range of services to meet business requirements, so please get in touch to see how we can help.
Ransomware Strikes London Nurseries
Ransomware Strikes London Nurseries – A Wake-Up Call for Child Data Security
What Happened?
In early October 2025, the Met Police announced the arrest of two 17-year-olds in Bishop’s Stortford on suspicion of computer misuse and blackmail, after a ransomware attack on Kido International, a London nursery group. The attackers, calling themselves “Radiant”, stole personal data on roughly 8,000 children (names, photographs, addresses and parent contacts) from the nurseries’ cloud system.
They then threatened to publish more records unless Kido paid about £600,000 in Bitcoin. A small sample of 10 children’s profiles was posted on a dark-web site to pressure the company, and the group even began phoning parents directly. (After public outcry the hackers later blurred and claimed to delete the images.) Kido says the breach came via its nursery software provider Famly, although Famly insists its own infrastructure was not compromised. Regardless, the data loss forced Kido to notify authorities (via Action Fraud) and affected families.
Metropolitan Police Head of Economic and Cybercrime Will Lyne urged calm but vigilance, noting that specialist investigators have been working “at pace” on the case. He acknowledged that such reports “can cause considerable concern” for families, but reassured the public that the matter is being “taken extremely seriously”. These arrests, though welcome, are only a “significant step” in the ongoing investigation to bring the perpetrators to justice. The police continue to gather intelligence and warn that the inquiry is far from over.
Why Children’s Data Is So Valuable
Children’s personal data is a prized commodity for fraudsters. In the U.S., for example, child identity fraud has long been a hidden epidemic, costing victims nearly $1 billion per year. Because children have clean credit histories (and typically don’t monitor their credit until adulthood), their stolen data can be used to open accounts or commit financial fraud undetected. As one report notes, an infant’s information essentially provides a “clean credit history” for criminals, since child identity theft often goes unnoticed for years. Criminals prize children’s records for the same reason: they are fresh, untarnished by previous misuse, and can fuel years of fraudulent activity. In short, any breach of nursery or school data exposes families to the risk of long-term identity theft and financial loss.
Education and childcare organisations have become major ransomware targets. Early years settings handle highly sensitive personal information and even payments, making them “appealing target[s] for cybercriminals due to the sensitive information they hold,” according to the UK’s National Cyber Security Centre (NCSC). The risk is acute: schools and nurseries often hold medical records, safeguarding notes, and other sensitive data on each child, plus contact details for parents. Like healthcare, the education sector has very low tolerance for downtime; attackers know institutions may pay to restore operations quickly. Indeed, the ICO has reported that student attackers themselves are behind many school data breaches. 57% of insider breaches in UK schools (2022–24) were caused by pupils exploiting weak passwords or misconfigured systems. Whether the threat comes from external gangs or curious teens, regulators say the findings are “worrying” and urge education settings to step up cybersecurity immediately.
Recommendations for Nurseries and Education Providers
To protect children’s data and comply with UK GDPR and the Data Protection Act, nurseries should implement strong security and incident-preparation measures. Key steps include:
Risk Assessment and DPIAs
Treat any system holding children’s records as high risk. Conduct a Data Protection Impact Assessment that explicitly considers children’s rights, as required under the ICO’s Age-Appropriate Design Code. Classify large databases and any children’s personal data as requiring enhanced security.
Technical Controls
Follow NCSC ransomware mitigations and the ICO’s guidance on data security. This means patching devices promptly, using firewalls and anti-malware tools, and enforcing strong access controls (unique accounts, least privilege, multi-factor authentication) on all systems containing pupil or staff data. Where possible, encrypt sensitive files and emails, so that stolen data remains unreadable.
Backup and Recovery
Maintain up-to-date, offline or air-gapped backups of all critical systems and data. Test your disaster recovery plan regularly. If systems are encrypted by ransomware, you must have a way to restore operations from backups without paying the ransom.
Staff Training and Policies
Provide staff with regular cybersecurity awareness training (phishing simulations, password hygiene, device security). Train reception and finance teams especially, since attackers often use phone calls or fake invoices to breach schools. Remind all employees that data protection is not “just an IT problem”; even leaving a tablet unlocked or sending information to personal email can cause reportable breaches. Refresh UK GDPR and security training at least annually, as recommended by the ICO. You can learn more about our Data Protection Training programmes here.
Third-Party Oversight
Vet any outsourced providers (like cloud software or payroll firms). For example, Kido’s incident involved a nursery-management app. Make sure contracts require prompt breach notification by vendors, and verify their compliance with GDPR. If a supplier reports a security issue, treat it as a potential breach of your own data.
Incident Response Plan
Prepare and practise an incident response plan (use the NCSC’s “Exercise in a Box” tool). Define roles and notification procedures in advance. Know the legal requirements: under UK GDPR, report any personal data breach that poses a risk to individuals to the ICO within 72 hours, and inform affected families without undue delay. The ICO’s ransomware guidance emphasises having an IR plan with clear thresholds for ICO and data-subject notification. Remember that loss of availability (ransomware lockout) is itself a notifiable personal data breach.
Cyber Essentials and Audits
Consider certification under Cyber Essentials (basic cybersecurity standard for UK organisations) and perform regular security audits or penetration tests. Keep logs of access and reviews of user accounts, and rectify any dormant or excessive privileges. Learn more about our Data Protection Support services to help with audit readiness.
Guidance for Parents
Parents and carers play a key role in mitigating risk. The Kido attack shows that no data is 100% safe once breached, but families can take precautions:
Verify Communications
Ignore unsolicited calls, texts or emails demanding payment or personal information. In this case, parents were directly threatened by the attackers. If your child’s nursery contacts you, expect it to be through official channels (direct lines or named staff). If in doubt, hang up and call the nursery’s main office or law enforcement.
Protect Personal Data
Limit how much of your child’s identifying information you share online. Avoid posting school ID numbers, addresses, or birthdays alongside photos on social media. Even innocent sharing can give fraudsters clues. Teach older children not to divulge personal details to strangers or on public forums.
Monitor for Identity Theft
Consider checking or freezing your child’s credit files. In the UK, parents can request a report for their child (or freeze it) with major credit agencies once the child is old enough to have a credit file. If you suspect your child’s identity has been misused, report it to Action Fraud and the relevant financial institutions immediately. The long-term impact of child ID theft can linger (as in a noted case where a teen only discovered years later that her infant data was used to open accounts).
Follow Official Guidance
Stay informed via reputable sources. The NCSC and ICO both stress the importance of baseline security for families, such as using strong unique passwords and up-to-date software on home devices. The NCSC has published specific advice for early years settings and for individuals worried about breaches. Resources like GetSafeOnline.org and the ICO’s breach recovery guides can help you and your child respond to any suspicious activity.
Conclusion
This incident is a stark reminder that even trusted institutions can be breached, and that children’s data is uniquely valuable to cybercriminals. While law enforcement works to hold the culprits to account, nurseries and parents must both shore up defences and remain vigilant. Following official guidance from the ICO and NCSC is key. By combining strong technical controls, clear policies and open communication with parents, early years providers can better protect the children in their care. Likewise, parents should use the tools and advice available to safeguard their family’s digital identity.
Sources
National Cyber Security Centre
ICO: Insider Threats in Schools
BBC News
National Crime Agency
Data Protection People Podcasts
Subject Access Requests in Practice, Community Q and A
After our first SARs session, we picked up the phone and asked our listeners what they struggle with most in real life. They shared questions, tricky scenarios and points of disagreement. In this follow up episode of the Data Protection Made Easy podcast, Caine Glancy and Oluwagbenga Onojobi work through those issues live with members of our community.
What we discussed
In this session we explore:
- Where to draw the line on property information as personal data in social housing
- How far to go when providing repair history and tenancy records
- SARs linked to disrepair claims, when to push back and when to provide more to be helpful
- Redacting staff names in emails and HR files, and what counts as excessive redaction
- How different organisations approach employment SARs and grievances
- Using the third party exemption to protect staff and witnesses
- Applying a reasonable and proportionate search so you focus your effort where it matters most
- The importance of documenting decisions and communicating clearly with data subjects
Listeners share how they handle these issues in housing and HR, which gives a rounded view of what is happening on the ground, not just what the legislation says.
Who this session is for
- Data Protection Officers and privacy leads
- SAR handlers and information governance teams
- Housing providers dealing with disrepair and complaint driven SARs
- HR professionals managing employment SARs and grievances
If you are trying to balance transparency with protecting third party rights, you will find this discussion especially useful.
Listen back and join the community
You can listen back to this episode now on Spotify and all major podcast platforms.
If you are not yet part of the Data Protection Made Easy community, complete our contact form and ask to join. Membership is free. You will receive a weekly invite to our live Friday sessions, access to visual materials, and ongoing support from over 1,500 like minded data protection practitioners.
Coming up next, GDPR Radio
This week our live Friday session is a GDPR Radio episode. Caine, Catarina and the team will be back to look at the latest news, enforcement action and real world challenges from across our community. If you would like to receive an invite, fill in our contact form and the team will add you to the mailing list.
Cookies in 2025 – Trick or Treat, Part Two
This Halloween special of the Data Protection Made Easy Podcast dives into two hot topics, consent or pay and cookieless advertising. Watch or listen on demand below.
Recorded: Friday 7 November 2025
Hosts: Catarina Santos with guests Oluwagbenga Onojobi (Gbenga) and Holly Miller, cameo from Phil Brining
In this 30 minute session we focus on the implications of consent or pay under UK GDPR and what the move to cookieless advertising means in practice. We also touch on recent regulatory opinions and enforcement trends. The aim is simple, give you practical clarity that reduces risk without hurting conversions.
What we cover
- The implications of consent or pay under UK GDPR and related data protection principles
- How the transition to cookieless advertising affects the lawful use of personal data
- Recent regulatory opinions and enforcement trends in the adtech space
Key takeaways
- A clearer understanding of the data protection framework as it applies to modern advertising
- Insights into compliance risks and regulator expectations
- Discussion of the challenges organisations face when aligning commercial practices with data protection law
Your hosts
Catarina Santos with guests Oluwagbenga Onojobi (Gbenga) and Holly Miller, cameo from Phil Brining.
Join the Data Protection Made Easy community
One of the UK’s largest data protection communities, more than 1,500 subscribers, over 200 episodes on major audio platforms. Join for free, get weekly live invites, monthly newsletters, and first access to in person events.
Missed Part One
If you missed our first conversation on cookies, you can catch up on that episode, along with more than 200 others, on the Data Protection Made Easy Podcast.
UK Cookies in 2025
Data Protection Made Easy Podcast: Cookies in 2025, What Changes and What To Do Now
Hosts, Catarina Santos with guests Oluwagbenga Onojobi (Gbenga) and Holly Miller. A brief cameo from Phil Brining.
Episode overview
In this 30 minute session we explain what cookies are, how the main types work, and what the 2025 UK reforms mean in practice. We look at PECR and UK GDPR, rising enforcement in Europe, consent or pay models, fingerprinting, Google Topics API, and the differences between the UK and EU approaches. The goal is simple, give you clear next steps that reduce risk without killing conversions.
Listen now
Also available on all major platforms, Spotify, Apple Podcasts, Audible, and popular Android apps. Many DPOs tell us they listen back on walks, in the gym, or while cooking, so feel free to enjoy this one at your leisure.
What we cover
- Cookies 101, first party, third party, strictly necessary, functionality, performance, and tracking.
- Hot topics, Google Topics API, cookieless advertising, fingerprinting, consent or pay models.
- Rules that matter, PECR and UK GDPR basics, lawful consent, transparency, and user choice.
- 2025 UK changes, low risk cookie exemptions, higher fine levels, and the ICO consultation.
- UK vs EU, where approaches differ, how to handle cross border users, and common pitfalls.
Practical takeaways
- Give Reject all equal prominence, avoid pre ticked boxes, explain purposes in plain English.
- Keep a cookie register, map scripts to purposes, owners, and retention.
- Update your cookie policy and link it clearly in the footer, keep a separate document from the privacy notice.
- Record consent events, banner version, time, and preferences, and honour withdrawal with no detriment.
- If you operate in the EU, follow the stricter position where needed, and use geo logic carefully.
Stay connected
You can always get in touch via our website or on LinkedIn. If you enjoy the podcast, share it with a colleague who looks after cookies, consent, or analytics.
Data Protection Made Easy is one of the UK’s largest data protection communities, over 1,500 subscribers, with more than 200 episodes available on major audio platforms.
10 Years of Data Protection People
Celebrating 10 Years of Data Protection People & 5 Years of the Data Protection Made Easy Podcast
Last week we marked not one, but two major milestones, 10 years of Data Protection People and the 5th birthday of the Data Protection Made Easy Podcast. To celebrate, we hosted a special live session with Philip Brining, Caine Glancy, Catarina Santos, and returning host Joe Kirk. Together, we looked back at the Top 10 Most Streamed Episodes from the past five years, revisiting the conversations that have shaped our community.
Key Themes from the Session
- Subject Access Requests (SARs) – still one of the most complex and frequently discussed areas of data protection.
- Data Protection Impact Assessments (DPIAs) – exploring challenges around risk, practicality, and when a DPIA is truly needed.
- Legislative Changes – including Brexit, the Data Protection and Digital Information Bill, and the new DUA Act.
The team also reflected on why topics like ROPA and audits don’t always feature as highly among listeners, and why broad themes resonate more strongly than sector-specific discussions.
Insights from Our Community
Our special guest Joe Kirk shared valuable insights from moving into an in-house DPO role, including the importance of tackling cookie compliance and ensuring correct ICO registration. The panel also discussed the ICO’s new guidance on complaints handling and recognised legitimate interests, highlighting the practical steps organisations should take ahead of expected implementation in June 2026.
The Return of Weekly Podcasts
To celebrate our 10-year anniversary and the continued growth of our community, we are excited to announce that the Data Protection Made Easy Podcast is returning to a weekly schedule. Every Friday at lunchtime, we’ll be live with fresh discussions, community insights, and practical guidance for data protection professionals.
You can sign up on our Events Page to join future live sessions, or contact us here to subscribe and become part of the UK’s biggest data protection community.
Listen Back to the Anniversary Episode
If you missed it live, you can catch up now on Spotify.
Here’s to 10 years of making data protection easier, and 5 years of building a community where professionals can learn, share, and grow together. Thank you to everyone who has been part of the journey so far.
Data Protection People Whitepapers
How to Respond to a Data Subject Access Request (DSAR)
Read about how to properly handle a Data Subject Access Request (DSAR) as a data controller at an organisation who has received a request.
Do I need to do a DPIA?
Learn about Data Protection Impact Assessments (DPIAs) and how to manage them.
Data within Education
Having joined Data Protection People as a graduate fresh from finishing Leeds Beckett University, my knowledge of GDPR and data protection was virtually non-existent, I was well and truly thrown in the deep end. You could say it was like learning how to run before I could walk. Luckily alongside having to…
Outsourced Consultant Versus In-House?
Do I need to do a DPIA? Whenever you implement a new processing activity, system, or process, you should consider whether a DPIA is needed. This should be done as early as possible in the process to allow time for the implementation of risk mitigation. Step One: is a DPIA legally required? The first thing…
Join our community
Our mission is to make data protection easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.