Subject access requests

Subject access requests

Excellent service and legal advice from the team specialising in subject access requests and data protection law delivering an amazing client experience for companies in the UK.

Under the GDPR, individuals have the right to make a request in writing and be told whether the data controller (or someone else on their behalf) is processing personal data relating to them.

If so, individuals have the right to be provided with, amongst other things, a description of:

  • the personal data
  • the purposes for which it is being processed
  • to whom it is disclosed

Data controllers are required to comply with the request promptly and in any event within 40 days of receipt of the request.

As individuals become more and more aware of this right, clients are coming under increasing pressure to deal with these requests in accordance with the Act.

Dealing with subject access requests can be a cumbersome, time consuming and a difficult task, particularly if the volume of personal data held by the organisation is extensive and/or if it is held in various formats, by various individuals and on various systems.

The Data Protection Act 2018 sets out certain exemptions which, where applied, mean personal data need not be disclosed, so more often than not the information gathered by the organisation as part of this process will then need to be reviewed in order to check which, if any, exemptions from disclosure apply.

Also, care must be taken to ensure that the subject access request is being made by the data subject themselves (or by someone else acting on appropriate authority) and to ensure that third party personal data is redacted and not released as part of the disclosure process.

Recent experience includes:

  • Helping a client handle a complicated subject access request involving multiple data subjects. This required a detailed and technical analysis of the definition of 'personal data' and applying it to large volumes of data, drafting correspondence to the individuals making the request and liaising with the ICO in order to bring the matter to a conclusion
  • Advising various clients in relation to the exemptions from disclosure provided for in the Act and applying those to large volumes of documents to compile a pack of papers for disclosure to the requester
  • Assisting various clients in managing this process in order to ensure that the request is complied with in accordance with the Act, and in particular the timeframe prescribed by the Act
  • Drafting tailored policies and procedures for publication and implementation by clients in order to ensure that subject access requests are dealt with consistently and effectively across the organisation and that employees are familiar with and recognise subject access requests
  • Delivering training to various clients with a view to increasing awareness of the requirements of the Act and, in particular, their obligations in relation to subject access requests