Subject Access Requests – how do they differ following GDPR?

Current Legislation

Section 7 of the Data Protection Act outlines the right an individual has to see a copy of the information an organisation holds about them; this is commonly referred to as subject access. However, the right of access goes further than this. An individual who makes a written request and pays a fee is entitled to be:

  • told if any personal data is being processed
  • given details of the source of the data
  • given a description of the personal data
  • given a description of the reasons it is being processed
  • given a copy of the information held

A subject access request must be responded to within 40 calendar days of receiving it.

The Change

Under GDPR individuals have the right to obtain:

  • confirmation that their data is being processed
  • access to their personal data
  • access to other supplementary information

The rights an individual currently has when making an access request are similar to the rights under GDPR.
One of the most significant changes is the removal of the £10 subject access fee. Organisations must now provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is excessive or repetitive. A fee can also be added when a request is submitted for further copies of the same information.

Organisations will also have less time to comply with a subject access request under the GDPR. Information must be provided within one month of receipt.

In Summary

Whilst a lot of the rights an individual has are very similar, two of the most significant changes are highlighted above: organisations will now have less time to comply and must now provide a copy of the information free of charge.