Subject Access Requests

As with the DPA, under the GDPR data subjects have the right to make a subject access request and obtain:

  • confirmation that their personal data is being processed
  • access to their personal data
  • other supplementary information.

The subject access request rights under the GDPR are largely similar to the existing rights under the DPA. However, there are some differences:

 

Free of charge – Businesses can no longer charge a £10 fee for dealing with subject access requests and instead must provide a copy of the requested information free of charge unless the request is manifestly unfounded or excessive/repetitive in which case a reasonable fee (based on the administrative cost of providing the information) may be charged.

 

Timescale for complying – Under the GDPR the information must be provided without delay and at the latest within one month of receipt. This is reduced from 40 days under the DPA. However, businesses are able to extend the period for compliance by a further two months where the request is complex or there are numerous requests. In these circumstances the data subject must be informed of the reason for the extension within one month of receipt of the request.

 

Self-service – The GDPR introduces a new best practice recommendation that requires businesses, where possible, to provide individuals with remote access to a secure self-service system to enable those individuals to directly access their information.