Handling data subject requests

The following Risk & Compliance practice note provides comprehensive and up-to-date legal information covering:

  • Handling data subject requests
  • Identifying a data subject request
  • Initial steps
  • Identifying the person making the request
  • Time limits
  • Dealing with unfounded or excessive requests
  • Identifying the data that the request relates to
  • Identifying the data subject from the data held
  • Dealing with third-party data
  • Exemptions and exclusions
  • More...

Handling data subject requests

This document reflects the UK GDPR regime. References and links to the GDPR refer to the UK GDPR (Retained Regulation (EU) 2016/679) unless expressly stated otherwise.

Individuals have a number of rights in respect of their personal data under the UK General Data Protection Regulation (UK GDPR):

  1. a right of access

  2. rectification, erasure and restriction of processing

  3. a right of data portability

  4. a right to object to processing

  5. a right not to be subject to a decision based solely on automated processing, including profiling

A data subject can make a request to a data controller to exercise one or more of these rights at any time. They do not need to explain their reasons for making a request and there are strict time limits for complying. Responding to a data subject request can be onerous for a data controller and in most cases you cannot charge the data subject for complying with their request.

With this in mind, it is essential to put in place appropriate systems and controls to manage the process of handling data subject requests, to make the process as efficient as possible and minimise the risk of non-compliance. This Practice Note considers some common features of data subject requests, issues that can arise when handling a request and compliance strategies to best equip your organisation to manage any requests it
