Home Rules Business Sale of Goods Regulation › Respond to Subject Access Request
Responding to a Data Protection Request

Organisations must respond to a data protection request (also called subject access request) in a timely manner. Check what information you need to provide and the penalty for failing to comply.

RIGHT OF ACCESS: It falls under GDPR data protection law and it allows any individual to ask whether an organisation holds personal information about them.

Organisations must respond to a data protection request without delay (taking no longer than one (1) month to answer). Individuals have the right to access personal information being kept about them, such as:

  • What information the organisation is using.
  • Why they are storing and using it.
  • Where the personal details originated from.
  • Who else has access to the information.

Note: As a rule, responses to personal data requests must be free of charge. But, organisations may charge an administration fee for providing extra copies.


Providing Data to Individuals

The information you need to give is specific when responding to a data protection request. Thus, the organisation would need to provide the individual with:

  • Confirmation that they are processing their personal data.
  • A copy of the data (e.g. in electronic or printed format).
  • Details of how they collect the data, how they use it, and how they dispose of it.

Note: In most cases, you should send a subject access request as a hard copy (e.g. a printout or a photocopy). But, receiving one by email means you can also answer it by email (providing the requester agrees to it).


Explaining the Content of Information

The organisation must ensure the individual can understand the information given to them. An example might be explaining what certain codes mean if used by the company.

Any response to a data protection request should be:

  • Concise and transparent
  • Intelligible
  • In a format that is easily accessible
  • Written in clear and plain language (especially when giving answers about a child)

Note: There are a raft of data protection regulations for business in United Kingdom. But, the laws do not force organisations to translate right of access information.


Before Replying You Must:

  • Confirm the identity of the requester.
  • Remove any data that does not relate to them.

Note: to respond to a subject access request (or not giving the information requested) can result in a fine!


Data Protection Act Exemptions

In some cases, an exemption means you may not need to give out all the personal information that you have on someone. As a rule, exemptions apply if it relates to another person or it contains legal advice.


Further Help and Information

The Information Commissioner’s Office (ICO) upholds information rights in the public interest. You can get further details about the right of access for individuals on the ICO website.


How to Respond to a Data Protection Request in United Kingdom