Subject access request rule changes

Your firm and its business clients will soon have to amend the way you respond to subject access requests.

Currently, subject access requests are dealt with by the Data Protection Act 1998.

Subject access requests and the current DPA

This allows individuals to obtain a complete dossier of all personal information held on them by a company, including their employer. In addition, they have the right to know how the data is stored and under what circumstances the data is processed.

A company can charge the individual £10 for completing the request. The 40-day window in which you provide your response to the individual does not have to start until that £10 is received.

It is considered better to start the work required on the subject access request sooner rather than later because the task of providing the relevant information may be complicated by the following factors:

  • the density of data and the interconnected of databases in your firm may make a quick and clean extraction impossible
  • output from searches may contain sensitive information on other individuals which those individuals have a right of privacy over
  • there may be commercial and legal ramifications to previously confidentially stored knowledge falling into the hands of an employee, customer, or other individual who may have a grievance against your firm

If your client has been asked for a subject access request, they may need help on discerning the actual information that can be released under the normal rules of privilege and if the documentation created as result could be classed as legal advice or whether it may be used against your client if litigation is being contemplated.

The rules aren’t always simple to follow but solicitors’ firms and barristers’ chambers have had nearly 20 years to get used to them and there is a decent body of case law on this area now

Subject access requests and the GDPR

On the 25th May 2018, all of the DPA rules are swept away and replaced with the EU-inspired General Data Protection Regulation. Even with Brexit pencilled in for March 2019, GDPR will be the law in the UK for at least 10 months and probably for many years thereafter.

Much of the GDPR rulebook is essentially similar or identical to the previous DPA regime but there are a few important differences concerning subject access requests.

GDPR means that individuals making a subject access request will be entitled to:

  • confirm that their data is being processed
  • access to their personal data
  • supplementary information (that which should be provided in a privacy notice)

You may no longer charge a £10 fee for a subject access request and you must provide the information within one month of receipt of the request.

The legislation allows you to extend the deadline by up to two more months if the request being made is either complex or onerous. You must explain to the individual why there will be a delay in providing the information however the individual cannot refuse your request for the extension.

If your company is bombarded by requests from a particular person, you may charge a fee (from which you should not make a profit) for the associated administrative costs. Alternatively, you can refuse to respond informing them of the reason you are no longer responding and telling them they can appeal for a judicial remedy against your decision within one month of your refusal.

If an individual makes a request for a very large amount of data, GDPR gives you the right to ask that individual for specificity on the exact information they want to receive.

GDPR also recommends that, where possible, individuals should be given remote access to a self-service system where they can find out the information they want themselves. However, for companies with very large cross-referencing databases containing the details of other individuals, this may not be possible.


Subject access requests – getting ready for the new regime

In June 2017, our Business Manager, Angela McNaughton, mentioned subject access requests as one of the five things your practice or chambers needs to do to prepare for GDPR.

Contact us via email at to find out about Sprout IT can assist your organisation to get ready for GDPR with 6 months left until the deadline. Complete the form below or call 020 7036 8530.



The following two tabs change content below.

Anna Adamovics

Head of Marketing at Sprout IT