The GDPR and ‘subject access requests’

Individuals have the right under the General Data Protection Regulation (GDPR) to ask for a copy of the information stored about them and also to have any inaccuracies within that information corrected.

Requests must be responded to within 30 days and the individual cannot be charged for making a request unless requests are being made excessively by the same person.

When providing data to individuals, information about the period of retention and when and how their data was collected should be supplied for every ‘subject access request’ that is received.

Electronic access

It must be possible to make subject access requests electronically, for example, using email.

Where a request is made electronically, the information should be provided in a commonly-used electronic form, unless otherwise requested by the individual.

Content of response

Responses need to inform the individual clearly and concisely what information is held about them and what processing is being carried out.

In responding to a request, data controllers may need to provide further information such as the relevant data retention period and the right to have inaccurate data corrected.

Time to respond

Data controllers must respond to subject access requests within a month, with the possibility of extending this period for particularly complex requests. This timescale is shorter than under the DPA, where the response time is 40 days.

Right to withhold

Data controllers can withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others’. This is reflective of the current position under the DPA.

The recitals to the GDPR note that this could extend to intellectual property rights and trade secrets. Member States may introduce further examples such as legal privilege.

How will this impact upon your business?

Organisations will have to deal with requests more quickly, as well as providing additional information.

Individuals already have a right to access their personal data through a SAR. However, it will generally be free to make those requests and individuals will be entitled to receive the information in an electronic format.

If an organisation handles a large number of SARs, the impact of the changes could be considerable. Therefore, taking steps to organise the approach to SARs will help organisations to comply with the GDPR.

Next steps

  • Update your procedures and plan how you will handle SARs and provide any additional information within the new timescales
  • Develop template response letters to ensure that all elements of SAR responses are compliant with the GDPR
  • Assess your organisation’s ability to quickly isolate data pertaining to a specific individual and to provide data in compliance with the GDPR’s format obligations
  • Ensure that employees are trained to quickly recognise and respond appropriately to SARs
  • Give consideration to developing an online self-service solution allowing an individual to access their information easily online and minimising cost for the data controller dealing with the SAR

