Guide: GDPR Subject Access Request Policy

A policy is a statement of management’s intent, and is usually supported by a more detailed procedure or protocol. It’s good practice to have a policy that covers your organisation’s approach to identify and responding to access requests from data subjects. The following is a suggestion towards compiling your own policy.

GDPR Subject Access Request Policy

Introduction (some call this the Policy Statement)

Explain how the GDPR gives individuals the right to be confirm with any organisation, whether that organisation processes any of the individual’s personal data; the right to be informed of specific information and the right to obtain copies of the personal data.


To whom does the policy apply?

All staff likely to come into contact with a subject access request

Relevant staff responsible for responding to a request


personal data; special category data; criminal data; objection; restriction; data portability; the right to be forgotten etc.

Duties and Responsibilities

Leadership – policy implementation and oversight

DPO and Data Protection Team – implementation, monitoring and review of the procedure

Staff – to be aware of and fulfil their responsibilities as appropriate

Does failure to adhere to the policy attract possible disciplinary action?

The manner of requests

Subject access requests can be made in writing, electronically or verbally.

Verifying the requestor’s identity

How do you verify identity? Security phone call? Email? Identification number? etc.

Request response

Provide a hi-level overview of the procedure – (the detailed procedure should be documented separately)

Response time

We have to respond to a subject access request within 30 days. If more time is needed to respond to complex requests, an extension of another two months is permissible, provided this is communicated to the data subject in a timely manner within 30 days – wherein we will inform the data subject as to the reasons why.


We will provide a copy of the information free of charge, as per the GDPR rules. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. We may also charge a reasonable fee to comply with requests for further copies of the same information.


Exempt information must be redacted from the released documents with an explanation of why that information is being withheld. e.g. personal data of third parties.


Where we do not take action on the request of the data subject, we shall inform the data subject without delay and, at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with our supervisory authority and seeking a judicial remedy.

Policy review

When your policy was last reviewed and approved.

Russell is the author of this solution article.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.