How to respond to a data subject access request

A key change to data subjects’ rights under the EU General Data Protection Regulation (GDPR) is the right to ask organisations what personal data they hold about them. Although this was possible under the Data Protection Act 1998, organisations now have only 30 days to respond, and cannot charge an admin fee for doing so.

What is a data subject access request (DSAR)?

Data subjects have the right to send organisations a personal data request for:

  • Confirmation that their data is being processed;
  • Access to their personal data; and
  • Other supplementary information (mostly the information provided in the organisation’s privacy notice).

Recital 63 of the GDPR states: “a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing”.

DSAR procedure under the GDPR

The procedure for making and responding to DSARs features some key changes under the GDPR:

  1. In most circumstances, the information requested must be provided free of charge.
  2. Information must be provided without delay and within a month.
  3. Data subjects must be able to make requests electronically as well as physically.

DSARs can now be made in any form, including through email, phone call or web contact forms.

The ICO states: “where you process a large quantity of information about an individual, the GDPR permits you to ask the individual to specify the information the request relates to (Recital 63)”.

Write a data subject access request procedure

To enable your organisation to respond correctly and efficiently to DSARs, you should write a procedure for staff members to follow when they receive such a request.

We recommend it includes the following steps:

  • Once received, forward any DSARs to the data protection officer or whoever is responsible for handling DSARs.
  • Ask the data subject for proof of their identity.
  • Provide the information requested within one month of the initial request.
  • Maintain a record of received requests, with notes detailing the request, any concerns raised and the date it was fulfilled.

Help creating a DSAR procedure

Your organisation should create a DSAR procedure as a priority so that you are ready to handle any requests that come through.

You can purchase templates for this and many other GDPR-related documents in the EU GDPR Documentation Toolkit. Designed and developed by expert GDPR practitioners, it has been used by thousands of organisations worldwide. The toolkit includes:

  • A complete set of easy-to-use and customisable documentation templates, which will save you time and money, and ensure GDPR compliance;
  • Helpful dashboards and project tools to ensure complete GDPR coverage;
  • Direction and guidance from expert GDPR practitioners; and
  • Two licences for the GDPR Staff Awareness E-learning Course.

Take a free trial to see how the documentation templates and tools can help you with your compliance project.