Guidelines for Handling Subject Access Requests (SARs) under GDPR

Verification of Identity

Essential Checks: Verify the identity of the requester to avoid data breaches.

Known Customers: If the requester is a known customer, additional proof may not be required.

Third-Party Requests: Requesters acting on behalf of others must provide legal proof of entitlement.

Refusal Protocol

Reasons for Refusal: Only refuse requests if they are manifestly unfounded or excessive.

Consultation: Seek guidance from the Information Commissioner's Office before refusal.

Notification: If refusal occurs, inform the individual and provide avenues for appeal and complaint.

Information Provision

Data Disclosure: Provide all personal data held about the requester, including identifying information.

Comprehensive Details: Furnish information about your company, data processing purposes, retention periods, and lawful basis.

Delivery Methods

Ideal Approach: Utilize an online portal for secure and convenient access to data, recommended by the ICO.

Alternative Methods: If a portal is unavailable, provide data via email attachments or printed documents.

Format Preference: Honour format requests; respond in the requested format, be it printed or electronic.

Social Media Requests

Cautious Response: Responding via social media may risk data breaches; confirm identity and switch to email for secure communication.

Data of Third Parties

Consent Requirement: Obtain consent from third parties before disclosing their personal data.

Anonymization Option: Anonymize data if feasible; avoid disclosing identifiable information of third parties without consent.