How to deal with a subject access request under GDPR
What is a subject access request (also called a data access request) under the General Data Protection Regulation (GDPR)? How should you respond if someone asks to access, change or erase their information?
The right to access the information held on you
Every person has a right of access to the information you hold on them - it is, after all, their data. If an individual makes a data access request (also known as a subject access request), you are obliged to provide them with all the information you hold on them. The only exceptions are very special cases, such as where disclosure would breach the privacy of another person. Let’s be clear though: this doesn’t mean you can withhold information simply because it could be used to support a claim against you.
If an employee asks to see all their records, you are likely to have to provide them all (notes, emails, letters, everything) unless you can demonstrate a clear reason not to. Even deleting the information might cause more problems than it solves - deleting it when you shouldn’t is also a data breach!
How long do I have to respond to subject access requests?
Under GDPR, you have a month to respond to any request. In that time, you should first positively confirm that the request genuinely comes from the person it claims to, and then respond. If they’re requesting data, collate and send the information (you might need to ‘redact’, or blank out, certain parts that affect the privacy of others). Remember that you also have to include any information that your data processors are storing about that person.
For requests to erase or amend information, the process is very similar. You have a month to respond, which is why it’s important to have a clear understanding of where all your organisation’s personal data is stored and to have contracts in place that require your data processors to respond promptly.
GDPR subject access request template
Astrid provides a training module for staff, with individual videos and questions addressing the key aspects of data protection and GDPR including subject access requests.
We know it can be hard to train staff in the detailed requirements of data requests so we also provide a special subject access request template form that guides you through the right process and keeps a record of the decisions you’ve made and responses you provide to requests. Subscribe to Astrid today and receive all the guidance you need to protect personal data and become GDPR compliant.
Protect your business - become and remain GDPR compliant with Astrid