Dealing with GDPR subject access requests

By Lenore Rice

Businesses all across Europe breathed a collective sigh of relief when they managed to meet the 25th May 2018 deadline for compliance with the EU's General Data Protection Regulation (GDPR), but many failed to appreciate how quickly they would have to deal with subject access requests (SARs).

As part of the GDPR compliance requirements, companies implemented a Data Protection Privacy Notice and circulated it to anyone about whom they held personal information, or made them aware of how it could be accessed. That inevitably results in a large number of requests from individuals wanting to know the following:

  • What personal data is being held, processed and/or shared.
  • The purposes for which the personal data is held, processed and/or shared.
  • Who the personal data is being shared with.
  • The extent to which the personal data is being used for making automated decisions related to the individual, and the logic being used for that purpose.


SARs are becoming increasingly onerous, especially as businesses will often hold vast amounts of information in respect of their employees, former employees, customers etc.

There is a requirement to respond to the SAR within 30 calendar days in as clear and intelligible a form as possible, enclosing copies of the personal data and any information about the sources of the data. The individual's reason for making the SAR is irrelevant, though the holder of the data may be able to refuse to provide information if they can show that it would involve a disproportionate effort to find and retrieve the information. They would have to be able to point to specific challenges to finding, analysing and providing the data.

Mishandling of SARs is the number one data protection issue complained about by the public, according to the Information Commissioner's Office (ICO). The ICO has the power to issue warnings and reprimands, to order compliance and to impose large fines if a data holder fails to meet the deadline or provide access to all the individual's data.

If you require legal advice from a solicitor specialising in Information Data Protection Law in Northern Ireland, including GDPR compliance, contact Wilson Nesbitt solicitors in Belfast or Bangor.