Data Subject Access Request Policy and Procedure
This document has been updated for compatibility with the UK GDPR. It is ready for use from the start of 2021.
The UK GDPR incorporates a set of core rights for data subjects, among which is the ‘right of access’. Transparency is an important aspect of modern data protection legislation and the right of access plays a vital role in ensuring this transparency.
Individuals exercising the right of access have the right to find out what personal data an organisation holds about them, what that organisation is doing with the data, and why. They also have the right to obtain a copy of that personal data.
This is achieved by what is known as a ‘data subject access request’.
This Data Subject Access Request Policy and Procedure is designed to guide an organisation and its staff through the process of handling a subject access request (“SAR”). It clearly sets out which stages apply to all staff and which apply specifically to those authorised to handle SARs.
The policy begins by explaining how to spot a SAR – this is particularly important because there is no standard format and a request can be made orally or in writing. All staff should be on the lookout for requests from individuals that may in fact be SARs. SARs should then be passed on to the appropriate member of staff, for example, the Data Protection Officer (if the business has one).
From there, the policy addresses each step of handling the SAR including time limits (usually one month but extendable by a further two in limited circumstances), fees (not usually permitted), the information that should be provided to the individual making the request, refusing to respond, and exemptions to the right.
A particularly important part of the policy is designed to assist in locating the information needed to respond to a SAR. In some cases, particularly for smaller businesses, this may be simple. In others, however, particularly where an individual’s data may be spread across different filing systems, the information added to this part of the policy will prove useful in tracking it down so that the response is complete. It is important, therefore, to complete this part of the template with as much detail as is reasonably possible and within the time limit allowed. Extensions, as noted above, are permissible, but only in limited circumstances rather than as a matter of course.
Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.
This Data Subject Access Request Policy & Procedure contains the following parts:
3. Data Protection Officer & Scope of Policy
4. How to Recognise a Data Subject Access Request
5. What to do When a SAR is Received
6. Responding to a SAR Part 1: Identifying Data Subjects and Clarifying Requests
7. Responding to a SAR Part 2: Fees
8. Responding to a SAR Part 3: Time Limits
9. Responding to a SAR Part 4: Information to be Provided
10. Responding to a SAR Part 5: Locating Information
11. Refusing to respond to a SAR
12. Exemptions to the Right of Access
13. [Erasure or Disposal of Personal Data]
14. Failure to Comply with this Policy
15. Policy Review
16. Implementation of Policy
This template is in open format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.