How to write a GDPR-compliant data subject access request procedure

In the lead-up to May, it is important that your organisation prioritises steps to prove that it is making an effort to comply with the EU General Data Protection Regulation (GDPR). One activity that you should start without delay is writing a data subject access request (DSAR) procedure.

What is a data subject access request?

The GDPR introduces the ‘right of access’ for individuals, and from 25 May, the compliance deadline, data subjects will have the right to request:

  • Confirmation that their data is being processed;
  • Access to their personal data; and
  • Other supplementary information (mostly the information provided in your privacy notice).

Recital 63 of the GDPR states, “a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”

Data subject access request procedures under the GDPR

The procedure for making and responding to subject access requests remains similar to most current data protection laws, but there are some key changes you should be aware of under the GDPR:

  1. In most circumstances, the information requested must be provided free of charge.

Organisations are permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive or repetitive. This fee must be based on the administrative cost of providing the information.

  2. Information must be provided without delay and within a month.

Where requests are complex or numerous, organisations are permitted to extend the deadline to three months. However, they must still respond to the request within a month to explain why the extension is necessary.

  3. Data subjects must be able to make requests electronically as well as physically.

Data subject access requests can now be made in any form, including through email, phone call or web contact forms.

The ICO states, “where you process a large quantity of information about an individual, the GDPR permits you to ask the individual to specify the information the request relates to (Recital 63).”

Under Recital 63, the GDPR also recommends that, where possible, “the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.”

Help creating a data subject access request procedure

Your organisation should create a data subject access request procedure as a priority so that you are ready to handle any requests that come through once the Regulation is enforced.

Below is an example of a customisable data subject access request procedure, from the market-leading EU GDPR Documentation Toolkit.

Example of the data subject access request procedure included in the EU GDPR Documentation Toolkit along with author comments with details on how to complete


The EU GDPR Documentation Toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organisations worldwide. It includes:

  • A complete set of easy-to-use and customisable documentation templates, which will save you time and money and ensure GDPR compliance;
  • Helpful dashboards and project tools to ensure complete GDPR coverage;
  • Direction and guidance from expert GDPR practitioners; and
  • Two licences for the GDPR Staff Awareness E-learning Course.

Take a free trial to see how the documentation templates and tools can help you with your compliance project.
