Data Subject Access Request Guide

UK data protection legislation is made up of a number of instruments, most notably the Data Protection Act 2018 and the UK GDPR. The EU GDPR is retained in UK law (with minor amendments - in many cases contextual) by the European Union (Withdrawal) Act 2018 and now continues as the UK GDPR.

This document has been updated for compatibility with the UK GDPR. It is ready for use from the start of 2021.

The UK GDPR sets out a number of important rights for individuals or “data subjects”, one of which is the “right of access”. Those exercising the right of access by means of a “data subject access request”, often referred to simply as a “SAR”, have the right to find out what personal data an organisation holds about them, what it does with that personal data, and why. The individual is also entitled to a copy of their personal data.

A number of rules apply to SARs, particularly where time limits are concerned. It is important to remember that complying with an individual’s request to exercise one or more of their rights is not optional (subject to tightly limited exceptions). Establishing knowledge and understanding of data subject rights within your business is, therefore, essential.

These Subject Access Request Guidance Notes explain what a SAR is, how to recognise one (there is no prescribed format to which individuals must adhere), what to provide in response, how to provide the response, time limits, fees, situations in which you can ask for more information, requests made on others’ behalf, the role of data processors, and some limited exceptions.

In the current climate, where home working has increased significantly and business operations have been severely disrupted due to the COVID-19 pandemic, responding to SARs may be more challenging than normal. These Guidance Notes also address this important point.

These Subject Access Request Guidance Notes contain the following sections:
1. Introduction
2. What to Provide in Response to a SAR
3. How to Recognise a SAR
4. Providing Personal Data to Data Subjects
5. Time Limits
6. Fees
7. Requesting More Information
8. SARs Made on Another Person’s Behalf
9. When Data Includes Information About Others
10. Data Processors
11. Refusing to Comply with SARs
12. Conclusions

Once you have purchased access to the appropriate document folder click on the “Download Document” link below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.