GDPR right of access: new guidance
Under the General Data Protection Regulation (GDPR), individuals have the right to a copy of the
personal data that your organisation holds about them. This is often known as a subject access request
(SAR). The Information Commissioner’s Office (ICO) has recently issued new guidance for businesses and
employers about how SARs should be dealt with.
Employers must respond to a SAR from a worker without delay, and within one month from receiving the
request. If it’s a complex issue, you might be able to extend this for up to two months. But if you
don’t respond within the right timeframe, or at all, there’s the possibility of fines or reprimand from
In the ICO’s own words: ‘The right of individuals to access information that organisations hold on them
is one that is vital for transparency and is enshrined in law. What we’re seeing now is that many
employers are misunderstanding the nature of subject access requests, or underestimating the importance
of responding to requests.’
Getting it right
In practice, though, what does compliance look like? It might sound straightforward, but reality
doesn’t always fit textbook scenarios.
To help your staff recognise a request, they need to know that SARs can be made in all sorts of ways:
there’s no formal procedure needed. Contact can be verbal, in writing – even via social media.
Questions as simple as ‘what information do you hold on me?’ or ‘can I have a copy of the notes from my
last appraisal?’ count as SARs and need an appropriate response. There’s no necessity even to use the
words ‘subject access request’ – it’s up to your organisation to identify that this is what is being
It’s important, too, that staff know how to respond and who to pass the request to. A valid request can
be made by means of contact with any part of your organisation: it doesn’t have to be addressed to a
specific person. But the employer’s side of the equation is different, and the ICO does expect you to
have a designated person, team and email address to deal with SARs.
With more than 15,000 complaints in this area made to the ICO last year, it’s important that businesses
and employers get it right. Further details can be found on the ICO website.