How to respond to a subject access request
The content of this blog is provided for information purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to your organisation.
1. Analyse the request
Analysing the request correctly is an important first step. The main sub-steps are:
- Recognise you have a request
- Identify your subject
- Is the request unfounded or excessive?
- Notify the employees involved
- Send receipt of the request to the subject
- Identify the information held
- Complete an impact assessment on third parties
- Consider any exemptions
- Review the data
- Consider the specifics
You can find details on all of these steps in my previous blog post about analysing GDPR requests.
2. Can the request be met?
If the request cannot be met as it stands, try to gather more information from the subject. You may need further details, such as information to confirm their identity or a more specific scope for the data they are requesting. Communicating with the subject throughout the process makes it easier and faster for both of you.
3. Can you disclose third parties?
If you have already analysed the request, you have most likely completed a third party risk assessment; at this stage you should act on its result. If you cannot disclose the third party, notify the subject so that they are aware the response will exclude personal data that is not their own. If you can disclose the third party, you should still discuss this with the third party so they are aware.
4. Deliver the response
When delivering the response, remember that you are transferring personal data – it should be handled with good security practices. We suggest using encrypted files to deliver the response. Whatever delivery method you choose, provide the data in a commonly used electronic format unless the subject has requested otherwise.
5. Log it
In the Analysing a GDPR Data Request blog post we spoke about logging any requests you receive; keeping those logs up to date is just as important as having them. Note details of actions taken, exemptions applied and dates. This may be useful should the subject need to refer to their request in future.
How we can help you
We work with many clients on projects relating to GDPR compliance. There’s an overview of the different ways we can help you and the various GDPR-related resources we have available here. Get in touch if you’d like to talk more about how we might help you.