GDPR Subject Access Request Procedure

Published on: 31st October 2018

Any UK organisation which processes (stores and uses) Personal Data may receive a Subject Access Request (SAR) at any time. The GDPR requires the organisation to respond to the SAR without undue delay and at the latest within one month of receipt; that period can be extended by up to two further months where requests are complex or numerous, but only if you tell the Subject within the first month and explain why. What should you do?

Here's our checklist...

GDPR Subject Access Request procedure

  1. Audit, Prepare and Plan
  2. Confirm and Acknowledge Receipt
  3. Undertake Data Discovery
  4. Prepare Response to the Subject
  5. Send and Document the Response to the Subject
  6. Check the SAR is Complete

Preparation Improves Performance - Get "SAR Ready"

All organisations have differences in the ways they process data; what they store, why they store it, where they store it and so on. We have developed specialist software to help you work out the best way for your organisation to respond to a SAR, even before it happens, based on YOUR ORGANISATION'S Personal Data usage.

Subject Access Request Process Management with PYXI for GDPR

Step 0 - Audit and Prepare BEFORE you receive a SAR

Using PYXI for GDPR to audit your organisation's use of Personal Data will help you to identify where a Data Subject's information is likely to be found, should they make a SAR. Understanding what has been stored on your digital devices and in offline storage (paper files, archived media, and data held by processors acting for you) will increase the turnaround speed of your SAR response. You will be able to quickly identify where the data is, and save time on your data discovery when a SAR arrives.

Step 1 - Confirm and Acknowledge

Start by acknowledging the SAR, and record the date you received it, since the one-month period runs from then. You may need to confirm the Subject's identity at this stage (e.g. can you tell whether it is this "John Smith" or that "John Smith"?). Ask only for the information you reasonably need to do so; the ICO's guidance is that the response period does not start until you have received it.

Step 2 - Check your records - Undertake Data Discovery

Check your records to find any data about that Subject in your data stores. Search everything that could hold their Personal Data (live systems, email, backups, paper files and any processors acting for you), and keep a note of where you searched and what you found, even where a search returns nothing.

Step 3 - Prepare your response to the Subject

Check through the information you have about the Data Subject and work out the actions required to carry out the Request. A SAR entitles the Subject to a copy of their Personal Data together with supplementary information (the purposes of the processing, the recipients, the retention period and the source of the data); the Subject may combine it with other requests (e.g. correct or remove data, or remove them from a mailing list), and each of those is handled under the relevant right. Compile the records for sending in response to the SAR. For various reasons (particularly legal) you may need to redact some of the data you hold as part of the compilation process (e.g. information that identifies other Data Subjects, or material covered by legal professional privilege). If the request is in fact an erasure ("right to be forgotten") request, some data may be exempt from deletion (e.g. financial transaction records you are legally required to retain). Assess and collate the items to be shared in the response. It is recommended that the data is prepared in a digital format for sharing with the Subject; where the request was made electronically, the GDPR expects the response in a commonly used electronic form unless the Subject asks otherwise.

Step 4 - Send, and document, the response to the Data Subject

When you've compiled your response, set up a secure data transfer to send the completed response to the Data Subject. This could be achieved by using a secure and encrypted file server with a unique password that is accessed only by the Data Subject: send the password by a different channel from the download link, give the link an expiry, and do not leave the file on the server for longer than necessary. Make sure you write up what you did: what was sent, when, to whom, by what means, and what was redacted and why.
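The hand-off described above, as an added example that is not part of the original page or of PYXI for GDPR: a Python sketch of the server-side logic for a one-time, expiring pick-up of a SAR response bundle. It assumes the hosting server already provides TLS and disk encryption (not shown), uses a constructed sample bundle and hypothetical SAR identifiers, and never stores the passphrase itself, only an scrypt verifier of it. The file is served at most once and deleted as soon as it is collected or its retention window lapses, and every decision is appended to an audit trail for the case file.

```python
"""Added example: one-time, expiring hand-off of a SAR response bundle."""
import hashlib
import hmac
import os
import secrets
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional, Tuple

# scrypt work factor: memory is 128 * N * r bytes (16 MiB here)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


@dataclass
class Handoff:
    sar_id: str
    path: Path
    salt: bytes
    verifier: bytes            # scrypt(passphrase, salt); passphrase is never stored
    expires_at: float
    collected: bool = False
    audit: list = field(default_factory=list)

    def log(self, event: str, now: float) -> None:
        self.audit.append((self.sar_id, round(now), event))

    def purge(self, now: float, reason: str) -> None:
        if self.path.exists():
            self.path.unlink()
            self.log(f"file deleted ({reason})", now)


def _derive(passphrase: str, salt: bytes) -> bytes:
    return hashlib.scrypt(passphrase.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def publish(sar_id: str, bundle: bytes, outbox: Path, ttl_seconds: int,
            now: Optional[float] = None) -> Tuple[Handoff, str]:
    """Stage the bundle; return the one-time passphrase to send to the
    Data Subject over a separate channel from the download link."""
    now = time.time() if now is None else now
    passphrase = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    # unguessable filename, so the path alone discloses nothing
    path = outbox / f"{sar_id}-{secrets.token_hex(8)}.bin"
    path.write_bytes(bundle)
    os.chmod(path, 0o600)
    h = Handoff(sar_id, path, salt, _derive(passphrase, salt), now + ttl_seconds)
    h.log(f"published, expires in {ttl_seconds}s", now)
    return h, passphrase


def download(h: Handoff, passphrase: str,
             now: Optional[float] = None) -> Optional[bytes]:
    """Serve the bundle exactly once, then delete it. None means refused."""
    now = time.time() if now is None else now
    if h.collected:
        h.log("refused: already collected", now)
        return None
    if now > h.expires_at:
        h.log("refused: expired", now)
        h.purge(now, "expired")
        return None
    if not hmac.compare_digest(_derive(passphrase, h.salt), h.verifier):
        h.log("refused: wrong passphrase", now)
        return None
    data = h.path.read_bytes()
    h.collected = True
    h.log("collected by Data Subject", now)
    h.purge(now, "collected")
    return data


def sweep(handoffs: List[Handoff], now: Optional[float] = None) -> int:
    """Scheduled job: delete any bundle left past its retention window."""
    now = time.time() if now is None else now
    removed = 0
    for h in handoffs:
        if now > h.expires_at and h.path.exists():
            h.purge(now, "retention sweep")
            removed += 1
    return removed


def demo() -> dict:
    """Walk one hand-off through its failure modes with a constructed bundle."""
    bundle = b"SAR-2018-042: constructed sample response bundle"
    t0 = 1_540_000_000.0                      # fixed clock for repeatability
    with tempfile.TemporaryDirectory() as tmp:
        outbox = Path(tmp)
        h, passphrase = publish("SAR-2018-042", bundle, outbox, 7 * 86400, now=t0)
        wrong = download(h, "not-the-passphrase", now=t0 + 60)
        got = download(h, passphrase, now=t0 + 120)
        gone = not h.path.exists()
        again = download(h, passphrase, now=t0 + 180)
        h2, _ = publish("SAR-2018-043", bundle, outbox, 7 * 86400, now=t0)
        swept = sweep([h, h2], now=t0 + 8 * 86400)   # h2 never collected
        return {"wrong_refused": wrong is None, "collected": got,
                "deleted_after_collect": gone, "second_attempt_refused": again is None,
                "swept": swept, "audit_events": len(h.audit)}


if __name__ == "__main__":
    for line in demo().items():
        print(*line)
```

The audit trail records the refusal reason as well as the successful collection, which is the "write up what you did" part of this step; the retention sweep covers the case where the Subject never collects the file.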

Step 5 - Confirm that the SAR is Closed

Finally, check that the Subject is happy that the SAR has been fully addressed and that the case can be closed. Document their response and close the SAR case, retaining the case record (dates, searches, redactions and what was sent) in case the Subject later complains to the ICO.

Software for SAR Management

PYXI for GDPR contains a simple and effective SAR Management system which takes you through all these steps and gives you confidence in and control of your SAR processing.

You can sign up to PYXI for GDPR for just £19+VAT per month by clicking here.

PYXI GDPR Team: 31st Oct 2018 08:57:00