One of the powers bestowed on data subjects by data protection regulation is the power to request information about the personal data that is held by a company or authority: the power to make subject access requests. This is one of the most powerful tools given to individuals who share their personal data with banks, insurers, medical practitioners, schools, public authorities, shops and a huge variety of other companies. It is the power of regulation gifted to the individual, and it is a hugely potent tool. Any company or public authority that collects personal data has an obligation to give data subjects full access to that data, for no reason other than that the individual has made the request. For business, this is one area where taking a proactive approach to data protection will pay back. Designing the ability to handle access requests, restrictions, rectification and erasure of personal data is essential for all data-intensive businesses, and highly recommended for all businesses. This is one of the key costs of collecting personal data, and it is only by preparing for these potential costs upfront that a data controller can hope to keep them under control. If you are going to collect personal data, be aware of the rights of data subjects and ensure your systems can handle requests from data subjects to exercise their rights. Make that assessment upfront. Before you collect a single item of data, ask yourself whether you will be able to provide that data back to a data subject without incurring undue cost or disruption to your business.

Changes to subject access requests under GDPR

GDPR is making some changes that impact subject access requests. The changes appear to be driven by two factors: first, the desire to harmonise practices across the EU, and second, the aim of improving the level of transparency for data subjects. The changes are mainly administrative and for most companies will simply require a review and revision of existing processes to ensure they can comply with the new time-frames, together with some relatively simple changes to how responses are structured. Some companies may find the reduction of the time allowed for responding to subject access requests from 40 days to one month challenging, though I doubt that any company will feel the financial loss of the €6.35 fee levied in Ireland. There are some stronger provisions for controllers who have to deal with “nuisance” access requests, which can be quite disruptive to a business when they occur, but the burden of proof is on the controller to demonstrate that a request is excessive or unfounded.

GDPR Subject Access Requests – quick reference

I’ve included a handy reference to subject access requests under GDPR that will be useful to any business, with one small disclaimer: feel free to use this as a reference, but if you are dealing with complex requests and you need to exempt data or refer to the special provisions, do consult a qualified data protection practitioner for advice.

Reference 1: GDPR Subject Access Requests Quick Reference

Reference 2: GDPR Subject Access Requests – Content of Response

Reference 3: GDPR Subject Access Requests – Exemptions

Reference 4: GDPR Subject Access Requests – Special Provisions

Marie Murphy
Co-Founder & Operations Director

Marie's interest is in data protection operations focusing on people and process to manage personal data processing risk in large and small organisations with a special interest in privacy by design.