What do I have to provide when I receive a subject access request?

Man taking notes whilst looking at laptop


With conflicting advice still available on the ICO website there seems to be a lot of confusion around exactly what a data subject is entitled to when they exercise their right of access under GDPR.

Many data subjects still seem to think that this right entitles them to receive a full copy of their file free of charge, when actually that will not be the case 99.9% of the time.

The Right to Be Informed

Individuals have the right to be informed about the collection and use of their personal data, including-

  • The purpose for processing the data and how you will process the data

  • The retention periods you will apply

  • Who you will share the data with.

You provide this information in your privacy notice which should be given at the point of collection and you will provide a link to the information on your website.

The Right of Access

Individuals have the right to access their data, and can make a ‘subject access request’ verbally, in writing or even via social media (don’t forget to check your tweets!).

You now have one calendar month instead of 40 days to respond to the request and you can no longer charge a fee.

The data subject is entitled to –

  • Confirmation that you are processing their data

  • A copy of their ‘personal data’ (we will come back to this in a minute!)

  • Other ‘supplementary’ information which is basically the information you provide in your privacy notice.

But what exactly does ‘a copy of the data’ mean?  You will be pleased to know that by and large this does not mean that they are entitled to a copy of the entire file of papers.  A ‘copy of the data’ is basically that, a list of the data fields that you process, which can identify the data subject (name, address, date of birth etc.).

Where it becomes slightly complicated is if it is possible to identify the data subject from the information you are processing then that information may also be personal data.  In a recent ICO live chat I was given the example of where you hold on file an email from an individual complaining about the data subject.  Whilst I did engage in a long debate with the representative about whether this would be appropriate for a law firm to disclose, or potentially for an employer to disclose where an investigation was being carried out for example, the conclusion from the ICO was that I would need to consider this type of document carefully and make a decision about whether there was a valid reason to withhold the document or not.

In situations where you are simply instructing a third party, for example a letter to an expert which sets out the name, address and contact details of the data subject, but is then just a business to business email giving instructions on work to be carried out, then a copy of this letter would not need to be provided.

General Points

  • Review the types of communications you will have on your files – if any of them ‘could’ fall within the definition of personal data then make sure your staff are aware to consider these and flag them to the DPO for confirmation of whether they need to be included in the response of not.

  • Data subjects can only be given a copy of their own data – an individual cannot request information on behalf of a partner for example.

  • If a data subject requests something specific, for example a copy of a specific email by date or a copy of a specific call recording then you should look to provide this.

  • You should ensure your staff are trained to recognise a request (remember social media!).

  • You should have a documented process and should keep a log of all requests.

  • The ICO’s Subject Access Request Code of Practice has not been updated for GDPR yet.

Get in touch

99% of the requests you receive will be straight forward but for that 1% which you maybe aren’t so sure about, remember you can use our ‘Ask Teal’ service, or simply contact one of our experts today.


Testimonial from Right Legal
"We have been using Teal to support our compliance frameworks, and every aspect of our experience with them has been fantastic. From the training to the audits, and especially the ‘Ask Teal’ helpline, nothing is too much trouble, and you get quick support from some of the industry’s best compliance experts. Just having them there to support our continued growth takes a huge weight off my mind. Highly recommend to firms of all size and structure!"
Get in touch
Testimonial from Constantine Law
"We rely on Teal Compliance to provide responsive, practical compliance services to Constantine Law (we do not have an in-house compliance officer/function). I would encourage all solicitor firms without their own resource to engage with Teal: they know what they are doing and they provide peace of mind regarding day-to-day compliance matters as well as responses to unforeseen (tricky) compliance matters. They have become an indispensable partner to Constantine Law in our growth journey."
Get in touch
Testimonial from Streathers Solicitors
"We have worked with Teal for several years. They have provided us with AML training and also helped us put together our firm-wide AML risk assessment and our updated AML policy, along with assisting us with various issues as and when they arose. We have always found them to be very helpful, friendly, responsive and knowledgeable, and are happy to recommend them."
Get in touch
Testimonial from Streathers Solicitors
"We have had a relationship with Teal for a number of years and they have provided a valuable resource to our compliance team. Teal combine the delivery of a personal and friendly service with city level expertise."
Get in touch
Previous slide
Next slide