Data Subject Access Request Policy and Procedure

This document has been updated for compatibility with the UK GDPR. It is ready for use from the start of 2021.

The UK GDPR incorporates a set of core rights for data subjects, among which is the ‘right of access’. Transparency is an important aspect of modern data protection legislation and the right of access plays a vital role in ensuring this transparency.

Individuals exercising the right of access have the right to find out what personal data an organisation holds about them, what that organisation is doing with the data, and why. They also have the right to obtain a copy of that personal data.

This is achieved by what is known as a ‘data subject access request’.

This Data Subject Access Request Policy and Procedure is designed to guide an organisation and its staff through the process of handling a subject access request (“SAR”). It clearly sets out which stages apply to all staff and which apply specifically to those authorised to handle SARs.

This document is designed to work alongside an existing Data Protection Policy. It is intended for use as an internal policy, not a customer-facing one. Your Privacy Notice (aka ‘Privacy Policy’) should do this. Alternatively, for explaining data subjects’ rights in more detail without making your Privacy Notice too unwieldy, a Data Subject Rights Policy is also available.

The policy begins by explaining how to spot a SAR – this is particularly important because there is no standard format and a request can be made orally or in writing. All staff should be on the lookout for requests from individuals that may in fact be SARs. SARs should then be passed on to the appropriate member of staff, for example, the Data Protection Officer (if the business has one).

From there, the policy addresses each step of handling the SAR including time limits (usually one month but extendable by a further two in limited circumstances), fees (not usually permitted), the information that should be provided to the individual making the request, refusing to respond, and exemptions to the right.

A particularly important part of the policy is designed to assist in the locating of information in response to a SAR. In some cases, particularly for smaller businesses, this may be simple. In others, however, particularly where an individual’s data may be spread across different filing systems, the information added to this part of the policy will prove useful in tracking it down to ensure a complete response. It is important, therefore, to ensure that this part of the template is completed with as much detail as is reasonably possible and within the time limit allowed. Extensions, as noted above, are permissible, but not in most normal cases.

Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.

This Data Subject Access Request Policy & Procedure contains the following parts: 
1. Introduction 
2. Definitions 
3. Data Protection Officer & Scope of Policy 
4. How to Recognise a Data Subject Access Request 
5. What to do When a SAR is Received 
6. Responding to a SAR Part 1: Identifying Data Subjects and Clarifying Requests 
7. Responding to a SAR Part 2: Fees 
8. Responding to a SAR Part 3: Time Limits 
9. Responding to a SAR Part 4: Information to be Provided 
10. Responding to a SAR Part 5: Locating Information 
11. Refusing to respond to a SAR 
12. Exemptions to the Right of Access 
13. [Erasure or Disposal of Personal Data] 
14. Failure to Comply with this Policy 
15. Policy Review 
16. Implementation of Policy

This template is in open format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.

Once you have purchased access to the appropriate document folder click on the “Download Document” link below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.

Data Subject Access Request Policy and Procedure is part of Business Documents. Just £35.00 + VAT provides unlimited downloads from Business Documents for 1 year.