October 5, 2018


How to deal with a subject access request under GDPR

What is a subject access request or data access request under the General Data Protection Regulation (GDPR)? How would you respond if someone asked you to access, change or erase their information?

The right to access the information held on you

Every person has a right of access to the information you hold on them - it is, after all, their data. If an individual makes a data access request (also known as a subject access request) you are obliged to provide them with all the information you hold on them. The exception is in very special cases, such as where disclosure would breach the privacy of another person. Let’s be clear though: this doesn’t mean you can withhold information that could be used for a claim.

If an employee asks to see all their records, you are likely to have to provide them all (notes, emails, letters, everything) unless you can demonstrate a clear reason not to. Even deleting the information might cause more problems than it solves - deleting it when you shouldn’t is also a data breach!
How long do I have to respond to subject access requests?

Under GDPR, you have a month to respond to any request. In that time, you should make sure you have positively confirmed that the request genuinely comes from the person it claims to be from, then respond. If they’re requesting data, then collate and send the information (you might need to ‘redact’ or blank out certain bits that affect the privacy of others). Remember that you have to include any information that your data processors are also storing about that person.

For requests to erase or amend information it’s pretty similar. You have a month to respond - which is why it’s important to have a good understanding of where all your organisation’s personal data is being stored and have contracts in place that require data processors to respond promptly.

GDPR subject access request template

Astrid provides a training module for staff, with individual videos and questions addressing the key aspects of data protection and GDPR including subject access requests.

We know it can be hard to train staff in the detailed requirements of data requests so we also provide a special subject access request template form that guides you through the right process and keeps a record of the decisions you’ve made and responses you provide to requests. Subscribe to Astrid today and receive all the guidance you need to protect personal data and become GDPR compliant.

Emma Oram