The GDPR: How to respond to subject access requests

The changes and additions to individuals’ rights under the EU General Data Protection Regulation (GDPR) will have far-reaching consequences. This blog focuses on subject access requests, which give individuals the right to obtain:

  • Confirmation that their data is being processed;
  • Access to their personal data; and
  • Other supplementary information (mostly the information provided in privacy notices).

The procedure for making and responding to subject access requests remains similar to most current data protection laws, but the GDPR introduces some changes. For instance:


1. You cannot charge a fee for providing information

In most circumstances, organisations will need to provide subjects with a copy of the information they request free of charge. However, organisations are permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive or repetitive.

This fee must be based on the administrative cost of providing the information.

Organisations can also refuse to grant excessive, unfounded or repetitive requests. If they do this, they must explain to the individual why they are refusing to comply, and inform them of their right to appeal to the organisation’s supervisory authority.


2. You have one month to respond

The Regulation states that organisations must provide the requested information without delay and within a month.

Where requests are complex or numerous, organisations are permitted to extend the deadline to three months. However, they must still respond to the request within a month and explain why the extension is necessary.


3. You must allow electronic requests

Data subjects must be given the option of making requests electronically (e.g. by email) as well as physically. Where a request is made electronically, the information must be provided in a commonly used file format.

Recital 63 of the Regulation states that data controllers should, where possible, provide “remote access to a secure system which would provide the data subject with direct access to her or her personal data”.


How should you prepare?

The changes to the rules regarding subject access requests mean that organisations will have to provide more information and respond quicker. Therefore, they need to be more organised in the way they store personal data, which means they will benefit from mapping their data.

Data flow mapping toolData maps help you track where the data you collect goes to. This can be tricky, but with our Data Flow Mapping Tool, you can simplify the process.

This tool helps you create consistent visual representations of the process, and you won’t have to use pen and paper or vector graphics. You can also generate version-controlled data flow reports that compile information from your data flow maps in an easy-to-read format.

Find out more about our Data Flow Mapping Tool >>


(A version of this blog was originally published on 31 July 2017.)


  1. jenn 16th January 2018
  2. hesam 30th January 2019
  3. hadi 30th January 2019
  4. alan m Dransfield 14th September 2019
  5. Neo 20th September 2020

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.