Subject Access Requests: could you get caught out?

How easy is it to get caught out by a subject access request?

Under GDPR, the ‘right of access’ means that individuals have the right to access their personal data and supplementary information. This right also allows them to be aware of and verify the lawfulness of the processing of their data.

Subject Access Requests, or SARs, as they will be referred to from now on in this article, are not new. But too many organisations that receive one, it will be a first time experience. And under GDPR, the rules are being changed, such that there are likely to be more SARs and complying with them will be more complex; you also have less time to comply and the fines, if you don’t meet the conditions, will be a lot more severe.

SARs have been around since the Data Protection Act of 1988, but under GDPR, changes are significant, namely:

Previously, organisations could charge £10 for dealing with a SARs. Now they must respond without charging the individual who made the request. Ten pounds is not a lot, but the psychological difference between £10 and free is huge. By making this change, regulators are emphasising that it is the public’s right to know what data organisations hold about them. Furthermore, under Article 57, the UK privacy regulator, the ICO, will have an obligation to promote GDPR, including the data subject rights.

Under the previous regulations, organisations had 40 days to respond to a SARs, under GDPR it is just 30 days.

Under GDPR a new regime of fines is being introduced.  Companies that do not comply with a SARs could be fined up to 4% of turnover.

Areas where you may be caught out:

Delay in receiving response

The clock starts ticking the moment the SAR is received by the organisation, not the moment the that individuals responsible for overseeing it receive it.  It is imperative that all staff are trained and made aware of who they should contact in the event of them receiving a request.

Delay in replying

It is no good working out what to do and how to respond to a SAR once received. It is imperative that well-rehearsed procedures are in place – you don’t decide what to do in the event of a fire once it happens – that is what fire drills are for.  It is vital, therefore, that procedures concerning what to do, and what various staff members must do, in the event of a SAR are agreed and documented in advance and then communicated to staff.  As above, staff training is vital.

Not knowing where all the data is

Personal data can be stored in a myriad of different places, including removable storage devices and on the cloud. This is why regularly updated data audits are essential. Don’t wait until you have received a SAR before working out where all the data is stored.

Third parties

Some personal data may also be stored and processed by third parties such as cloud providers. Make sure you have agreements in place, ensuring third parties will also respond to a request furnishing you with the appropriate data in an appropriate time-frame.

Not realising a SAR has been made

Sometimes, communication with data subjects may be quite complex – such as a letter of complaint. In such circumstances, the subject access request itself may not stand out from the minutia of detail. Once again, the training of staff is essential to avoid this.

Don’t get caught out

The danger of getting caught out when a subject access request is made is very real. By training staff, auditing data including data held by third parties, and preparing a plan which you practise and communicate, you can minimise the risk.

Once 25th May hits, organisations will have to comply with the changes to SARs. To learn more about the current concerns and solutions of SARs one month after the implementation date, attend the GDPR Summit London. At the event, expert speakers will be looking at the new legislation post-deadline and will explore the compliance issues organisations may be experiencing. For more information, visit the website.


The inaugural Data Protection World Forum (DPWF) will be held on November 20th & 21st 2018 at the ExCeL London which will provide a broader focus across the data protection and privacy space amidst the progressive tightening of global data protection laws.

Ahead of the end of year event, DPWF has launched a series of intensive workshops.

Further information on the DPWF and workshop details are available at: https://www.dataprotectionworldforum.com/