How to respond to a subject access request

by Rhien Salgado-Jones on 13th September 2018

The content of this blog is provided for information purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to your organisation. 

  1. Analyse the request

The first step to analysing your request correctly is very important. The main steps are:


2. Can the request be met?

If the request that has been made cannot be met at first, you should try to gather some more information from the subject. You may need more details such as information to confirm their identity, or a specific scope for the data they are requesting. Communicating with the subject throughout the process can make it easier and faster for you and them.

3. Can you disclose third parties?

If you have already analysed the request, you most likely have completed a third party risk assessment, at this stage you should act on the result. If you cannot disclose the third party, you should notify the subject so that they are aware any response given with exclude personal data that is not their own. If you can disclose the third party, you should still discuss this with the third party so they are aware.

4. Deliver the response

When delivering the response, it is important to remember that you are transferring personal data – this should be treated with good security practices. We suggest using encrypted files to deliver the response. Whatever method you choose to deliver the data, think about whether this format is a commonly used electronic format, unless requested otherwise.

5. Log it

In the Analysing a GDPR Data Request blog post we spoke about logging any requests you receive, it’s just as important to keep the logs up to date as it is having them. Note details of actions taken, exemptions and dates. This may be useful should the subject need to refer to their request in future.

How we can help you

We work with many clients on projects relating to GDPR compliance. There’s an overview of the different ways we can help you and the various GDPR-related resources we have available hereGet in touch if you’d like to talk more about how we might help you.