Introduction to this document

GDPR register of data subject access requests

The UK GDPR requires you to demonstrate that you’re complying with the data protection principles. Maintaining a GDPR register of data subject access requests can help you show that you’re observing subject access rights.

Accountability

The UK GDPR requires you to demonstrate that you’re complying with the six data protection principles. This is known as the principle of “accountability”. It’s not obligatory to maintain a central register of data subject access requests (DSARs) but doing so can help you demonstrate that you’re complying with subject access rights.

Register contents

Our GDPR Register of Data Subject Access Requests enables you to record the dates of receipt and response, the deadline or extended deadline for response, whether you took steps to verify the individual’s identity, whether you charged a fee or refused the request, whether subject access rights were restricted in any way and whether any follow-up action is required. This last follow-up column is designed to highlight any cases where subject access rights have not been fully complied with and what action has been taken in response, e.g. modification of procedures to reduce the risks of future non-compliance.

Restricted rights

The Data Protection Act 2018 contains some exemptions from the information that must be disclosed in response to a DSAR. These include exemptions in relation to: personal data covered by legal professional privilege; data processed for the purposes of management forecasting or management planning; data consisting of records of your intentions in relation to negotiations with the employee; and confidential employment references. In addition, you can redact or restrict disclosure where, for example, the information that is sought also contains third-party personal data. You can record any applicable exemption or limited disclosure under the restricted rights column.