GDPR: How to respond to subject access requests

The changes and additions to individuals’ rights under the EU General Data Protection Regulation (GDPR) will have far-reaching consequences for affected companies. This blog focuses on subject access requests, which give individuals the right to obtain:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Other supplementary information (mostly the information provided in privacy notices).

The procedure for making and responding to subject access requests remains similar to most current data protection laws, but the GDPR introduces some changes. For instance:


Information must be provided for free

In most circumstances, organisations must provide subjects with a copy of the information they request free of charge. However, they are permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive or repetitive.

The fee must be based on the administrative cost of providing the information.

An alternative solution for excessive, unfounded or repetitive requests is to refuse to comply. Organisations that do this must explain to the individual why they’re refusing to comply, and let them know of their right to appeal to the organisation’s supervisory authority.


You have one month to respond

The Regulation states that that information must be provided without delay and within at least one month of receiving the request.

Where requests are complex or numerous, organisations will be able to extend the deadline for providing the information to three months. However, they must still respond to the request within a month, explaining why the extension is necessary.


Electronic requests must be available

Organisations must provide data subjects with the option of making requests electronically (e.g. by email) as well as physically. Where a request is made electronically, the information must be provided in a commonly used file format.

Recital 63 of the Regulation states that data controllers should, where possible, provide “remote access to a secure system which would provide the data subject with direct access to his or her personal data”.

How should you prepare?

The changes to the rules regarding subject access requests mean that organisations will have to deal with requests more quickly and provide individuals with additional information. This, along with the fact that in most instances information must now be provided for free, means that organisations must dedicate more resources to responding to subject access requests.

For them to do this, organisations will need employees who are aware of the Regulation and the rights and responsibilities it mandates. You can fill that gap by gaining a GDPR qualification. Whether you already work in data protection or are looking to enter the field, a qualification can show that you have essential knowledge of data protection laws and make you stand out to existing or prospective employers.

IT Governance offers a pair of GDPR training courses catered to your level of knowledge. You may be interested in:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.