Data Subject Access Request Guidance Notes
BS.DAT.SAR.GN.01
UK data protection legislation is made up of a number of instruments, most
notably the Data Protection Act 2018 and the UK GDPR. The EU GDPR is retained in UK law (with minor amendments - in many cases contextual) by the European Union (Withdrawal) Act 2018 and now continues as the UK GDPR.
This document has been updated for compatibility with the UK GDPR. It is ready for use from the start of 2021.
The UK GDPR sets out a number of important rights for individuals or “data
subjects”, one of which is the “right of access”. Those exercising the
right of access by means of a “data subject access request”, often referred
to simply as a “SAR”, have the right to find out what personal data an
organisation holds about them, what it does with that personal data, and
why. The individual is also entitled to a copy of their personal data.
A number of rules apply to SARs, particularly where time limits are
concerned. It is important to remember that complying with an individual’s
request to exercise one or more of their rights is not optional (subject to
tightly limited exceptions). Establishing knowledge and understanding of
data subject rights within your business is, therefore, essential.
These Subject Access Request Guidance Notes explain what a SAR is, how to
recognise one (there is no prescribed format to which individuals must
adhere), what to provide in response, how to provide the response, time
limits, fees, situations in which you can ask for more information,
requests made on others’ behalf, the role of data processors, and some
limited exceptions.
In the current climate, where home working has increased significantly and
business operations have been severely disrupted due to the COVID-19
pandemic, responding to SARs may be more challenging than normal. These
Guidance Notes also address this important point.
These Subject Access Request Guidance Notes contain the following sections:
1. Introduction
2. What to Provide in Response to a SAR
3. How to Recognise a SAR
4. Providing Personal Data to Data Subjects
5. Time Limits
6. Fees
7. Requesting More Information
8. SARs Made on Another Person’s Behalf
9. When Data Includes Information About Others
10. Data Processors
11. Refusing to Comply with SARs
12. Conclusions
Once you have purchased access to the appropriate document folder click on
the “Download Document” link below. You will be asked what you want to do
with the file. It is recommended that you save the document to a location
of your choice prior to viewing.