Handling Subject Access Requests Under GDPR

Article 15: Right of access by the data subject

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data…


What is a Subject Access Request?

A Subject Access Request (SAR), referred to in the GDPR as the right of access, entitles an individual to see what information an organisation holds about them. Beyond the personal data itself, the additional information that must be made accessible includes the following.

‘the purposes of the processing’

What have you done, or what do you intend to do, with the data subject’s personal data? Is it for marketing purposes?


‘where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period’

How long do you intend to store this information? Do you keep personal data indefinitely or is it stored and then destroyed after a certain period of time?


‘the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing’

The data subject can request that the stored data be corrected if it is wrong, erased, or no longer processed, and can object to the processing altogether.

So what are the basic requirements of an organisation when faced with a Subject Access Request?

According to the Information Commissioner’s Office (ICO), one of the biggest changes the GDPR has brought in is the length of time an organisation has to respond to a SAR. The current Data Protection Act (DPA) gives you 40 days to comply. The GDPR gives you one month to gather the information and respond.

In certain circumstances, an organisation has the right to refuse a request on the grounds that it is ‘manifestly unfounded or excessive’. Refusing a request must not be done lightly. Complying with the GDPR means that you need to explain your reasoning and inform the data subject of their right to complain and appeal. Again, this must be done within a month.

What makes a good Subject Access Request plan?

As with much of the GDPR, planning and preparation are key to sustained, day-to-day data protection. Even small organisations can find themselves handling a number of Subject Access Requests, each of which can be time-consuming. This is why a practised SAR plan is essential to keeping your business moving.

Staff training and ownership

Identify the members of staff who will manage the Subject Access Request process. Give them the right training and make sure they fully understand the procedures you have put in place. Document that the training has taken place and what it covered. Next, devise a method of assigning new requests to those individuals as they come into the business.

Privacy impact assessments

Undertake privacy impact screening and assessments, which are a way for organisations to identify and minimise privacy risks. They catch issues early on and help maintain trust in your brand.


Integrate with an Information Security Management System

As we have said before, keeping track of all work and actions, including your planning and any mistakes or errors that occur, is an essential part of GDPR compliance. Integrating your GDPR work into a wider information security management system makes that much easier. If you also give your staff a clear workflow to follow, in which they can keep track of their work, you are more likely to succeed.