How to write a GDPR-compliant subject access request procedure

Since the EU General Data Protection Regulation (GDPR) is in effect, EU residents have the ‘right of access’ to their data. If your organization collects or uses their data, they can request:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Supplementary information (mostly the information you should provide in your privacy notice)

What is a subject access request (SAR)?

Quite simply, it is any request from an individual pertaining to data about themselves. A request does not have to include the phrase ‘subject access request’ or mention the GDPR at all. Personal data requests can be made in any form, including through email, phone call, web contact forms, or social media. If the individual is asking for their own personal data, you will need to begin the steps of your SAR procedure. If the request comes from someone asking on behalf of someone else, e.g. a solicitor asking for a client, it is the requester’s responsibility to provide evidence they are entitled to ask for such data.

How to respond to a subject access request

First, make sure the request is valid. Take reasonable steps to verify the data subject’s identity (Recital 64). If you need more information in order to verify identity or comply with the request, let them know as soon as possible. The period for responding to the request begins as soon as you receive the additional information. “Where you process a large quantity of information about an individual, the GDPR permits you to ask the individual to specify the information the request relates to.” (Recital 63).

You need to find the necessary data: data mapping can help you easily access the data you need. You cannot amend or delete data unless it is data that would routinely be updated between the time of request and time of response. If the data requested would mean disclosing information about another individual, the UK’s Data Protection Act 2018 has some good advice.

In what format does an SAR need to be made?

If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise. Under Recital 63, the GDPR also recommends that, where possible, “the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data”.

Information must be provided without delay and within one month

Where requests are complex or numerous, organizations are permitted to extend the deadline to three months. However, they must still respond to the SAR within a month to explain why the extension is necessary.

In most circumstances, the information requested must be provided free of charge

Organizations are permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive, or repetitive. This fee must be based on the administrative cost of providing the information. Unfounded, excessive, or repetitive requests can be refused; if an organization does this, it must explain to the individual why it is refusing to comply, and inform them of their right to appeal to the organization’s supervisory authority.

Help creating an SAR procedure

Your organization should create an SAR procedure so that you can efficiently handle requests. Below is an example of a customizable SAR procedure, from the market-leading EU GDPR Documentation Toolkit.

Extract of the SAR procedure included in our EU GDPR Documentation Toolkit

Extract of the SAR procedure included in our EU GDPR Documentation Toolkit along with author comments with details on how to complete it

The EU GDPR Documentation Toolkit was designed and developed by expert GDPR practitioners, and has been used by thousands of organizations worldwide. It includes:

  • A complete set of easy-to-use and customizable documentation templates, which will save you time and money, and ensure GDPR compliance
  • Helpful dashboards and project tools to ensure complete GDPR coverage
  • Direction and guidance from expert GDPR practitioners
  • Two licenses for the GDPR Staff Awareness E-learning Course
find out more