Do you know how to respond? What information to provide?

Many organisations and individuals ‘panic’ when it comes to dealing with Subject Access Requests. The most common mistakes are:

  • Failing to acknowledge the Subject Access Request;
  • Failing to respond in time;
  • Failing to provide relevant information;
  • Failing to adequately undertake identity checks;
  • Or being over-cautious with identity checks;
  • Indicating that a charge is payable;
  • Failing to ascertain that the request is a genuine SAR and not another issue / complaint etc.


No two Subject Access Requests are the same. Each must be treated individually, and they can often present multiple challenges within tight time constraints – as you only get 1 month to respond. It is also vital that you verify that the individual submitting the Subject Access Request is who they say they are. The last thing you want is to inadvertently cause a data breach by sending personal information to the wrong person!

You can ask for information from the individual to prove they are who they say they are, but you must be reasonable in what you ask for. Individuals do not have to give you their reasons for submitting a Subject Access Request; however, you are also allowed to ask them for further information to enable you to locate the information they’re looking for.

A Subject Access Request ‘Horror Story’ from the I.C.O.

A GP practice received a Subject Access Request. The practice revealed confidential details about a patient to an estranged ex-partner because there were insufficient systems in place for staff to deal with subject access requests (SARs). The fallout in this case was huge distress to the family, damage to the GP practice’s reputation and a £40,000 fine.

It’s easy to imagine how bad the person responsible for dealing with subject access requests at the practice must feel. And yet such a devastating data breach could so easily have been avoided. Subject access is a fundamental right of individuals under GDPR and the Data Protection Act, so whatever business you’re in, if you hold personal data, you will probably have to respond to a request at some point.

46% of all complaints made to the ICO were about SARs and the difficulties people face when trying to get hold of their personal information. It’s imperative, therefore, that you get it right.

We can help you with this, so contact us.

We offer an externally endorsed, certified course in “Subject Access Requests – managing data subject rights”.

We can bring our training to you. The benefits of doing this are:

  • Convenient – Programmes can be presented at the location of your choice, at a time that is suitable for all your participants. This also means less time out of the office!
  • Confidential – Your opportunity to openly discuss real issues in order to produce real and applicable solutions with our training team.
  • Tailored – Programmes designed to meet the specific requirements of your company or organisation. We can design a programme for you and ensure the content is specific to your sector or needs.
  • Team Work – Greater interaction and enhanced learning experience.
  • Cost Savings – The costs to your organisation are considerably less than sending a large number of participants to a course held in a hotel or conference centre.


We’re only a ‘click’, call or e-mail away so get in touch.