5 Tips for Responding to Subject Access Requests

This article explains what rights members now have under the GDPR, and what responsibilities you, as an organisation, have with regard to them.

Members now have the legal right to request a copy of the personal data that you hold on them. They can request this verbally or in writing, via email or letter.

In addition to providing a copy of their personal data, you must also also provide the following information:

  • Why you collect this data (there needs to be a valid reason)
  • How long this data stored for
  • Where this data is stored
  • Who has access to this data (this includes members of staff, volunteers, and any third parties)

Note: this may be already be detailed in your privacy policy.

Top Tips:

1. Have a policy for recording verbal access requests
Written requests are easier to record due to the timestamp on them, but as verbal requests do not, it is sensible to have a record of these verbal requests, and when they occurred.

2. Make it clear to members how they can request their information
This can be as simple as a couple of sentences on your website “If you wish to make a subject access request, please contact info @organisationname.com
You could also link to your privacy policy if you have one, where this information will be.

3. Have an internal process for responding to subject access requests
I recommend having an internal process for responding to subject access requests.  Perhaps create a template form that can be used for responding to requests, and have a clear process written up, that outlines what information is to be provided, and whose responsibility it is.

4. Document the process
It is good practice to document the process and have a paper trail of all subject access requests you respond to, in case you are ever queried over whether you have complied with the GDPR during the process.

5. Make sure you comply with deadlines
You should respond without undue delay to subject access requests.  The legal deadline is one month after the request was submitted, counting the first day as the day after receiving the request.

Example: if the subject access request is received on 7th June, then the deadline for responding to the request will be 8th July.


Can we charge for subject access requests ?
In principle, no, however if the individual requests extra copies of their information, then it may be reasonable to charge a small administration fee for this.

What rights do children have?
Children have the same rights as adults over their personal data.  The age of consent for personal data to be used varies between EU member states (e.g. 13 in the UK and Belgium)

Can a parent request a subject access request on their child?
Only if the child has authorised it, or it is deemed in the best interests of the child.  There are no strict laws, except that the best interests of the child must be taken into consideration, as well as their level of maturity and understanding.

Can I refuse subject access requests?
It is possible to refuse a subject access request, but there must be proof that the claim is manifestly unfounded, i.e. obviously not a genuine request, but e.g. repeated requests with the sole purpose of harassing an organisation.  It is best to seek legal advice in such a case.