How to handle a Subject Access Request

Share on facebook
Share on twitter
Share on linkedin
Share on email

How to handle a Subject Access Request

An essential guide for business


  • Under the GDPR regulation, Individuals have the right to ask you to tell them what personal information you are holding, including what, why, who (can access) and how long you’re holding it for. This known often know as a Subject Access Request or SAR.
  • You have one month to respond to a Subject Access Request.
  • You cannot charge a fee to deal with a request in most circumstances (but there are exceptions).
  • People can ask verbally or in writing, either is good.
  • You can response in whatever format you want, GDPR recommends self service (for larger firms).
You need to respond carefully and within one month, or you risk a complaint to your government and a GDPR fine (which as you must know by now is up to 4% of turnover!)

What is personal information

Any Information that: identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household. It could be in any format, video, image & audio data counts.
Here’s some examples:General business data – Date of Birth, NI Number, Email address, phone number, address, bank details, employment contracts, Wage details, References, Assessments, Evaluations, Training details, Grades, Holiday details, biometrics, information on family, Photos, Browser cookies, Location data, opinions, IP addresses (often stored in log files).Health data – Sick days, doctors notes, medical history, fitness data.

You need to tell them

  • The personal data (about them) that you have (you’re processing this info in GDPR speak).
  • Why you have it (the purpose).
  • The categories of data.
  • The recipients (who can access it. If the data is sent out of the EEA you also have to explain how its protected).
  • How long you’re keeping it.
  • Reminder of their rights (including right to erasure, forget, and complain to government).
  • Where the data was sourced from (if it was not direct from the individual).
  • Any automated decision making or profiling that takes place.

Here’s a good process for handling Subject Access Requests

Before you start, do you have the right expertise in house? If not in-house, speak with your HR firm, or look to contract in a Data Protection Officer.
  1. Verify Identity (make sure it’s the right person and not a hacker!). Use data you already have, maybe a known email, phone number or address, or a question they will know. Asking for passport or ID documents here could be seen as too much.
  2. Get the data
  3. Redact the data if needed (to protect any other peoples personal data) – this means blacking out any names or details you cannot share, for example from a reference.
  4. Package data – (we think PDF is a good format).
  5. Add the details – see above ‘You need to tell them’.
  6. Provide the data – securely! We would recommend our free to use, or a password protected PDF. If you send the data just by plain email, you’re risking a data breach!

Further reading