Organisations must respond to a data protection request (also called subject access request) in a timely manner. Check what information you need to provide and the penalty for failing to comply.
RIGHT OF ACCESS: It falls under GDPR data protection law and it allows any individual to ask whether an organisation holds personal information about them.
Organisations must respond to a data protection request without delay (taking no longer than one (1) month to answer). Individuals have the right to access personal information being kept about them, such as:
Note: As a rule, responses to personal data requests must be free of charge. But, organisations may charge an administration fee for providing extra copies.
The information you need to give is specific when responding to a data protection request. Thus, the organisation would need to provide the individual with:
Note: In most cases, you should send a subject access request as a hard copy (e.g. a printout or a photocopy). But, receiving one by email means you can also answer it by email (providing the requester agrees to it).
The organisation must ensure the individual can understand the information given to them. An example might be explaining what certain codes mean if used by the company.
Any response to a data protection request should be:
Note: There are a raft of data protection regulations for business in United Kingdom. But, the laws do not force organisations to translate right of access information.
Failing to respond to a subject access request (or not giving the information requested) can result in a fine!
In some cases, an exemption means you may not need to give out all the personal information that you have on someone. As a rule, exemptions apply if it relates to another person or it contains legal advice.
The Information Commissioner's Office (ICO) upholds information rights in the public interest. You can get further details about the right of access for individuals on the ICO website.
How to Respond to a Data Protection Request in United Kingdom