Subject Access Requests

Where to start

In comparison with the urgency of a breach, you may feel that dealing with subject access requests is relatively relaxed. You’ll find that the amount of work involved in fulfilling a request can be daunting.

The title “Subject Access Requests” is a little misleading. There are many other requests a data subject can make, but they start with knowing that an organisation holds data about you (sometimes called the Right to be Informed). Because it’s the title that most people are aware of, we’ll stick with Subject Access Requests for now. You’ll see that the process of dealing with any requests is much the same, irrespective of the content of the actual request.

Responding to subject access requests illustrates the benefits of comprehensive data mapping and also ensuring that you keep personal data restricted to that which is strictly necessary. When you’re facing the task of redacting hundreds of pages of emails, you’ll wish that you paid more attention to housekeeping.

Having a clear process is the basis of successfully dealing with subject access requests. Have your process easy to find and make sure that the people who are likely to deal with requests have the chance to practice.