If your app stores, processes, or analyzes health data, GDPR subject access requests (SARs) aren’t a maybe—they’re a certainty. SARs, also known as right of access requests, could be presented to a business at any time. Healthtech companies and payment institutions that manage sensitive personal data must be prepared to respond to SARs swiftly, correctly, and without triggering a compliance nightmare. This article offers a practical, step-by-step guide for teams operating without in-house legal support to set up an effective SAR process. You’ll learn what to disclose, how fast, what to redact, and how to streamline responses using tech-enabled workflows and templates.
What is sensitive personal data?
Sensitive personal data, also called “special category data” under the GDPR, refers to specific types of personal information that require extra protection due to their sensitive nature. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for identification), health data, and data about a person’s sex life or sexual orientation.
What is a data access request under GDPR?
A Data Subject Access Request (SAR) is a formal request made by an individual (data subject) to a company asking for access to their personal data. Under Article 15 of the GDPR, individuals have the right to:
- Know if their data is being processed
- Access copies of their personal data
- Understand the purpose and legal basis for processing
- Know the categories of data being processed
- Learn who has access to the data, including any international transfers
- Request corrections, deletions, or limitations on processing
SARs apply across sectors, but for regulated industries like healthtech and fintech, the bar for compliance is particularly high due to the nature of sensitive data.
What information must you provide (and how fast)?
Companies must respond to a SAR without undue delay and within one month of receipt. In some complex cases, this deadline can be extended by a further two months, but the data subject must be informed within the first month of receipt of the request, together with the reasons for the delay.
The response must include:
- A copy of the personal data processed
- The purposes of processing
- The categories of personal data
- The recipients (or categories of recipients) of the data
- The retention period (or criteria used to determine it)
- The individual’s rights to rectification, erasure, restriction, or objection
- The right to lodge a complaint with a supervisory authority
- Information on data sources (if not collected directly from the data subject)
- Details of any automated decision-making, including profiling
Failure to meet these requirements can result in regulatory fines and reputational damage. Importantly, there is a difference between refusing to comply with a request (a refusal must be communicated in writing to the individual who raised the SAR) and simply ignoring or mishandling a request. The Information Commissioner’s Office sets out helpful guidance on SARs, including a deep dive into health data.
How to set up a SAR response process without a legal team
You don’t need an in-house team to set up an effective SAR response process. Here are some key steps to take, whether you’re a small healthtech startup or a growing fintech.
Identify who owns the data
Before you can respond to a SAR, you need to know where the data lives and who can access it. In most payment or healthtech companies, the data is held by product teams, engineering, or customer support, who can extract logs, communications, and account information. Map this out early so you’re not scrambling when a request lands.
Create a SAR playbook
Without a legal team, clarity is everything. A SAR playbook documents your step-by-step response process—who does what, in what order, and how long each step should take. It should cover intake, verification, fulfilment, redaction, and final delivery. This becomes your internal source of truth and saves effort every time a new request comes in.
Designate an internal owner
Someone needs to own the SAR process end-to-end. This doesn’t need to be a privacy expert—it could be a compliance lead, operations manager, or senior support agent. The key is to give this person authority to coordinate across teams, escalate when needed, and ensure responses stay on track and within the legal timeframe.
Use a tracking system
Set up a shared SAR tracker—this could be a spreadsheet or a dedicated tool. Log every request you receive, including the date, requester identity, what’s being asked for, and your response deadline. A tracker ensures nothing slips through the cracks, which is crucial when you only have one month to respond under GDPR.
Standardise response templates
Create templates for each stage of the SAR process: initial acknowledgment, identity verification, clarification requests, and final fulfilment emails. These templates ensure consistent communication, help non-legal staff avoid risky wording, and make it faster to respond. You’ll also reduce the chances of accidentally admitting liability or missing key requirements.
Train relevant teams
Once your process is in place, share it. Train the people who’ll be involved—especially those who handle user data or customer queries. Keep the training short and practical: what to look for, when and how to escalate, and what deadlines matter. It’s not about making everyone a legal expert; it’s about making the process second nature.
Review your third parties
Don’t forget your vendors. If third-party services (like analytics, hosting, or customer support tools) process personal data on your behalf, check your data processing agreements (DPAs). Make sure they’re contractually obligated to help you respond to SARs quickly. Otherwise, your timeline could be derailed by a slow partner.
How Legal Nodes can help payment and healthtech companies handle SARs
If you're running a growing fintech, healthtech, or payment company, chances are you're handling a lot of sensitive data — and juggling complex privacy obligations without a full legal team. Legal Nodes offers a practical solution: plug-in privacy support designed to help you meet GDPR requirements without the overhead of traditional law firms.
Instead of long consultations and vague retainers, we help you get straight to what matters:
- A pre-built SAR response roadmap you can adapt and follow
- Templates for every stage of the request process, already reviewed by legal experts
- Modular access to expert support—you buy only what you need
- Transparent credit-based pricing with no hourly rates or hidden fees
You’ll stay on top of your compliance obligations with predictable costs, quick turnarounds, and deliverables vetted by certified privacy professionals. Legal Nodes is a solution for scaling teams that want to get things done—not get stuck in legal loops.
Avoiding pitfalls: redacting vs over-sharing
When fulfilling SARs, it’s easy to slip up—either by revealing too much or not sharing enough. Let’s break down the most common risks and how to avoid them.
Risk 1: Incomplete redaction
Redacting isn’t just about blacking out names. If you’re sharing chat logs, audit trails, or shared files, personal data can show up in unexpected places. One small miss could mean exposing someone else’s sensitive info.
Best practices:
- Use automated redaction tools that scan for personal identifiers
- Cross-check manually, especially in long threads or PDF attachments
- Run a peer review of every final SAR package before sending
Risk 2: Over-sharing by accident
Trying to be helpful can lead to oversharing—especially when teams extract raw data exports. If those files include details on other users, internal notes, or system logs, you might inadvertently breach someone else's privacy. You may also end up sharing a large volume of data that is irrelevant to the request.
Best practices:
- Only export and share data directly related to the requester
- Avoid full database exports—filter and clean them first
- Use a checklist before sending: who is this data about, and who can see it?
Risk 3: Forgetting metadata
SARs aren’t just about what’s on the surface. Metadata—like timestamps, IP addresses, and audit logs—can also be considered personal data. But including it without review can introduce other risks.
Best practices:
- Review metadata fields before including them
- Be clear about what is and isn’t included in the SAR response
- If in doubt, flag metadata in your acknowledgment and clarify what's available
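As an added illustration of the three risks above (this is example code, not code from the original article or from Legal Nodes), the Python script below assembles a SAR package from a constructed data export: it keeps only the requester's rows and an allow-list of fields, masks other people's e-mail and IP addresses inside free-text fields, and reports which metadata fields are included so the cover letter can say so. The field names, sample rows and identifier patterns are assumptions made for the example.

```python
import re

# Constructed sample export (hypothetical data): one row per user, with a
# free-text chat field that happens to mention a third party's e-mail and IP.
EXPORT = [
    {"user_id": 42, "email": "alice@example.com", "ip": "203.0.113.7",
     "created_at": "2024-03-01T10:00:00Z", "internal_note": "flagged by ops",
     "chat": "Hi, I'm Alice. My GP bob@clinic.example said to call 203.0.113.9"},
    {"user_id": 43, "email": "carol@example.com", "ip": "203.0.113.8",
     "created_at": "2024-03-02T11:00:00Z", "internal_note": "", "chat": "Carol here"},
]
# Allow-list of fields the requester may receive; internal notes and other
# users' rows never reach the package (Risk 2).
DISCLOSE_FIELDS = {"user_id", "email", "ip", "created_at", "chat"}
# Metadata fields the cover letter must explicitly list as included (Risk 3).
METADATA_FIELDS = {"ip", "created_at"}
# Assumed identifier patterns; a real deployment would use a fuller set.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact_third_parties(text, own_values):
    """Mask e-mail/IPv4 addresses in free text unless they are the requester's own; returns (text, redaction count) (Risk 1)."""
    count = 0
    def mask(m):
        nonlocal count
        if m.group(0) in own_values:
            return m.group(0)
        count += 1
        return "[REDACTED]"
    return IPV4_RE.sub(mask, EMAIL_RE.sub(mask, text)), count


def build_sar_package(export, requester_id):
    """Keep only the requester's rows and allow-listed fields, redact third-party identifiers, and list included metadata."""
    records, redactions = [], 0
    for row in export:
        if row["user_id"] != requester_id:
            continue  # someone else's record: never exported
        own = {str(row[k]) for k in ("email", "ip") if k in row}
        clean = {}
        for key, value in row.items():
            if key not in DISCLOSE_FIELDS:
                continue  # e.g. internal_note is dropped
            if isinstance(value, str):
                value, n = redact_third_parties(value, own)
                redactions += n
            clean[key] = value
        records.append(clean)
    return {"records": records, "redactions": redactions,
            "metadata_included": sorted(METADATA_FIELDS & DISCLOSE_FIELDS)}
```

The redaction count is worth logging in the SAR tracker, and the package still goes through the manual cross-check and peer review described above before it is sent.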
Some final thoughts on avoiding SAR pitfalls from our privacy team:
“The key is to balance transparency with caution,” explains Bogdan Pashynskyi. “GDPR gives users the right to know what data you hold—but it also obliges you to protect the data of others. A solid redaction and review process, paired with the right tooling, helps you meet both goals safely.”
Tools and templates to make SARs easier
Here are a few tools and frameworks that help simplify SAR workflows:
- GDPR compliance platforms (e.g. OneTrust, Mine, or Transcend) to centralise SAR management
- Template libraries for SAR acknowledgment emails, clarification notices, and fulfilment summaries
- Consent and preference managers to track user consents and lawful bases
- Auto-redaction tools for documents, logs, and emails (integrate with Google Workspace or Office365)
- Outcome roadmaps from Legal Nodes for modular privacy compliance setup
These tools don’t just save time; they reduce risk and create audit trails to demonstrate compliance.
Wrapping up: How to get SAR compliance support for your company
Handling data access requests is no longer optional—it’s a legal must-have for any company managing personal data, especially in sectors like healthtech and fintech. While the process can seem overwhelming, a well-documented playbook, smart tooling, and basic training go a long way in creating a reliable, repeatable SAR process.
You don’t need a full legal department to stay compliant. You need a clear workflow, trained team members, and access to expert-reviewed deliverables when you need them. Legal Nodes can help bridge that gap with modular privacy solutions that scale with your business.
Commonly asked questions on SARs
How do I respond to a GDPR data request?
Acknowledge the request within days, confirm the identity of the data subject, and provide the requested data within one month. Include details like data categories, processing purposes, retention periods, and third-party sharing. Use templates and a tracking log to manage your workflow. Speak to the Legal Nodes team for more support with how best to respond to a SAR.
How to comply with a GDPR request
Start by identifying the personal data you hold, then prepare a complete response including the data and contextual information. Make sure to redact unrelated data, respond within one month, and document the process for auditing purposes.
How do you handle GDPR data?
GDPR data must be collected lawfully, stored securely, and processed transparently. Access, correction, and deletion rights must be honoured promptly. Use data maps, audit trails, and privacy controls to manage personal data responsibly. To set up proper GDPR data handling processes, get help from Legal Nodes.
Can a company refuse a data access request?
Yes, but only under limited circumstances, such as when the request is manifestly unfounded or excessive. The company must justify the refusal and inform the data subject of their right to complain to a supervisory authority. For help with managing your data access requests, speak to the Legal Nodes privacy team today.
What is the difference between a DSAR and a SAR?
There is no practical difference—"SAR" stands for Subject Access Request, and "DSAR" is simply "Data Subject Access Request." Both refer to an individual requesting access to their personal data under GDPR. For help with DSARs and SARs, contact Legal Nodes.