A policy is a statement of management’s intent, and is usually supported by a more detailed procedure or protocol. It’s good practice to have a policy that covers your organisation’s approach to identify and responding to access requests from data subjects. The following is a suggestion towards compiling your own policy.
GDPR Subject Access Request Policy
Introduction (some call this the Policy Statement)
Explain how the GDPR gives individuals the right to be confirm with any organisation, whether that organisation processes any of the individual’s personal data; the right to be informed of specific information and the right to obtain copies of the personal data.
To whom does the policy apply?
All staff likely to come into contact with a subject access request
Relevant staff responsible for responding to a request
personal data; special category data; criminal data; objection; restriction; data portability; the right to be forgotten etc.
Duties and Responsibilities
Leadership – policy implementation and oversight
DPO and Data Protection Team – implementation, monitoring and review of the procedure
Staff – to be aware of and fulfil their responsibilities as appropriate
Does failure to adhere to the policy attract possible disciplinary action?
The manner of requests
Subject access requests can be made in writing, electronically or verbally.
Verifying the requestor’s identity
How do you verify identity? Security phone call? Email? Identification number? etc.
Provide a hi-level overview of the procedure – (the detailed procedure should be documented separately)
We have to respond to a subject access request within 30 days. If more time is needed to respond to complex requests, an extension of another two months is permissible, provided this is communicated to the data subject in a timely manner within 30 days – wherein we will inform the data subject as to the reasons why.
We will provide a copy of the information free of charge, as per the GDPR rules. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. We may also charge a reasonable fee to comply with requests for further copies of the same information.
Exempt information must be redacted from the released documents with an explanation of why that information is being withheld. e.g. personal data of third parties.
Where we do not take action on the request of the data subject, we shall inform the data subject without delay and, at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with our supervisory authority and seeking a judicial remedy.
When your policy was last reviewed and approved.