• ISO55001 Asset Management
    System (AMS)
  • ISO9001 Quality Management
    Systems (QMS)
  • ISO14001 Environmental Management
    Systems (EMS)
  • ISO50001 Energy Management
    Systems (EnMS)
  • ISO45001 Health & Safety Management
    Systems (OHASMS)
  • ISO27001 Information security
    management systems (ISMS)

How Will the Rules for Subject Access Requests (SARs) Change Under the GDPR?

08 Dec 2017

The rules for making a subject access request (SAR) under the GDPR will be similar to the Data Protection Act 1998. However, there are key differences.   With less than six months until the GDPR comes into force, it’s time to make sure you can meet new requirements to be legally compliant.

What is a subject access request (SAR)?

A SAR is the right of an individual to request any personal data you hold about them. The reason that the GDPR and the Data Protection Act 1998 (DPA) provide this right is so individuals can verify that their personal data is being processed lawfully.  SARs must be made in writing. Individuals can ask:

  • why their data is being processed
  • what categories of personal data are held about them
  • who has received or will receive their personal data
  • where the data came from if they did not give it to you.

How will GDPR changes to subject access requests affect my organisation?


At the moment you can charge an administration fee for SARs. Under the GDPR you cannot charge unless the subject access request is ‘manifestly unfounded or excessive’.  However, you will have to be able to prove that the request is ‘manifestly unfounded or excessive’.  As the guidance isn’t specific, that’s difficult.  The GDPR states that you can charge a ‘reasonable fee’ for multiple requests – again the guidance isn’t specific, so approach with caution.

Response Time

The GDPR allows you just one month to respond to subject access requests instead of forty days under the DPA. This deadline can be extended by a further two months for a complicated or large request.  The data subject must be notified of any deadline extension within one month of receipt of the SAR and they must be given an explanation of the decision.  You will need to make sure that your organisation has procedures in place to cope with this reduced timescale.

Electronic Access

If an individual makes a SAR electronically then you must provide information in a commonly-used electronic format unless they request otherwise.   Before sending out electronic information you must verify the individual’s identity.  As you only have one month to respond to SARs you need to make sure that if requests are emailed to a particular staff member, then these are actioned when that staff member is absent.

Content of Response

When you respond to SARs you should tell the individual what personal information is held about them, the purpose for which it is held and what processing is being carried out. You might also need to provide additional information such as your data retention period.

Right to Withhold

The GDPR and current DPA hold the same position here. Under the DPA organisations can withhold information if it regards the prevention, detection or investigation of a crime; national security or the armed forces; the assessment or collection of tax; and judicial or ministerial appointments.  The GDPR states that personal data can be withheld if it would ‘adversely affect the rights and freedoms of others’.  In future our government may introduce further exemptions to SARs relating to public security, so we will have to watch this space.

How can my organisation prepare for changes to SARs?

  • Create a subject access request template. That way, individuals will always provide the information you need to respond consistently and efficiently to SARs.
  • Write and implement policies and procedures for handling SARs, making sure that the new shorter response times are incorporated.
  • Make sure that your staff are trained to handle SARs so that they can identify them when they come in and respond correctly.

Final point: The key change most likely to affect your organisation is reduced response time.  As the GDPR only allows you one month to respond to subject access requests you might consider implementing a ‘data subject access portal’.  This will enable individuals to access their personal data promptly, remotely and easily ensuring that subject access requests are GDPR compliant.

How can NDC help?

Working in partnership with IT and cyber security specialists at Soitron UK, our information security lead auditors can:

  • design a subject access request template that meets GDPR requirements and works in practice within your organisation
  • design policies and procedures that handle SARs in line with GDPR requirements, including meeting the shorter response times
  • train your staff to identify and handle SARs swiftly and correctly
  • develop your IT systems to facilitate SARs processing and all other GDPR requirements.
ISO 50001 audit tool
© Copyright All Rights Reserved, NDC Certification Services Ltd. 2021