GDPR Subject Access Requests – How to Handle Compliantly

If you are an online business or even a blogger in 2020, you must know how to handle GDPR Subject Access Requests.

In May 2018, a new General Data Protection Regulation came into force in the EU. However, this law also affects any business serving residents of the EU. Here, we’ll look at what a GDPR Subject Access Request is. More importantly, we’ll look at what steps you need to take if you receive one.


What are GDPR Subject Access Requests?


If you collect personally identifiable information from visitors to your website, your website users can submit a Subject Access Request (SAR) asking you to reveal what information you have collected and why.

In most cases, GDPR Subject Access Requests will take the form of emails. However, GDPR guidelines do not define how a Subject Access Request might be made.

  • Most SARs are made by email. This being the case, you need to make it easy for people to contact your website.
  • A SAR request can be made in writing and delivered to your listed business address.
  • GDPR Subject Access Requests can also be verbal.

It is also possible to receive a SAR request via social media. This being the case, you must regularly monitor all communications with your business, via mail, telephone, email, and any social media platforms you use.


Identifying and Verifying GDPR SAR Requests


Being able to identify a SAR request as soon as a request is made is vital in the era of GDPR.

As soon as you receive a Subject Access Request, you have 30 days to respond. If you fail to do so, you may risk hefty fines for non-compliance with GDPR. However, you also need to be able to verify the identity of the person submitting a SAR.

It is possible that someone might make a Subject Access Request to trick you into disclosing information belonging to a third party. For this reason, you should refrain from satisfying a request until you have verified the SAR sender's identity.

How to Verify SAR Request Sender Identities

  • One easy way to verify the identity of people making SARs is to check the sender's email address against the details you have on record.
  • In the case of an e-commerce business, it may be possible to verify the mailing address of the SAR sender against your customer records.
  • If it is not immediately possible to verify the identity of a person sending a SAR, you can ask to extend the SAR response time (typically, for up to 3 months).

It is also possible to refuse a GDPR Subject Access Request if satisfying it would result in the disclosure of information belonging to a third party without their express permission.

Ask SAR Request Senders to Clarify what Information they Require

Every business and website is different. As a blogger, you might only collect website user information in the form of occasional subscriber email addresses. As an e-commerce business, though, you might gather everything from user email addresses to credit card billing information.

Sadly, in many cases, people sending Subject Access Requests are prone to making vague requests such as the following:

“Dear Sir or Madam

Please supply the personal data you hold about me, which I am entitled to receive under the EU General Data Protection Regulation.”

When a SAR like this is vague, it is advisable to respond by asking the sender to clarify what information they are looking for. When people do request specific information, you will need to provide it together with a clear justification of your reasons for having gathered that data.

Compliant Reply to GDPR Subject Access Requests

  • In your SAR response, you should clarify why you are in possession of the data you hold. It is also necessary that you make clear what legal justification you have for collecting this information.
  • With any SAR response, it is necessary to explain how you store data. You should also list what (if any) third parties have access to the data in question.
  • Your website or business must clarify how long you plan to keep data and why.
  • In your SAR response, it is necessary to clarify how data was initially collected. If possible, you should also provide evidence of people having consented to you gathering their data.
  • When responding to any SAR request, you should advise people that they have a right to request that you delete data.


Your SAR Response Should be True to Your Privacy Policy


If your business is GDPR compliant, your website privacy policy will already outline what data you gather on users and why. Please see our Privacy Policy as an example. This being the case, responding to SARs will usually be simple. All you will be doing is confirming that a person's data has been handled correctly. If you wish to learn more about getting your business GDPR compliant, visit our IASME Certification and GDPR page for more information.


Is your business GDPR compliant? If not, a SAR you can't satisfy could see you incur fines equivalent to 4% of your worldwide turnover. This being the case, don't wait. Take the steps you need to take now to ensure your business is fully GDPR compliant.


GDPR Subject Access Requests for your business

If you are looking for assistance in keeping your business GDPR compliant, contact one of our friendly experts today.
