Show me the data (Right of Access)!

Right of access by the data subject

For the next few weeks we will focus on the rights of the data subject in our The Articles series, this week we look at Article 15 – Right of access by the data subject, one of the key rights GDPR bestows on Data Subjects.

The GDPR Article 15 states:

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data…”

What does this mean if you collect personal data?

A data subject (the living person the data relates to) can request details the personal data you hold on them and you must provide access to that data. If the request has been made electronically (e.g. via email or on-line portal) you must provide the data in a common electronic format (e.g. .csv file).

You most provide this service for free, usually, and you must provide this data as soon as possible but not later than one month from the request being made.

Sounds simple right?

In additional to the data you must also provide the following information:

  • The Purpose of the processing
  • The Categories of personal data concerned
  • The recipients or categories of recipient the data has been or will be disclosed to
  • The data retention period

Anything else?

You must also inform the data subject:

  • Of their right to request rectification or erasure of personal data or restriction of processing of personal data or to object to the processing of the data
  • Of their right to lodge a complaint with a supervisory authority
  • Where the data was collected from if not from the data subject, if possible
  • Of the existence of automated decision-making, including profiling, and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

But do I even know where it all is?

A newly designed system built with GDPR in mind (Privacy by Design) should be able handle these requests easily, with all data correctly catalogued and portal access for data subjects.

The issue comes with large complex systems, those that have evolved over time, merged with others systems and with organisations that have a number of disparate systems.

Knowing where all this personal data is and being able to collect it and provide all the information requested by a data subject has the potential to become a real burden for many organisations.

How should I prepare?

Update your processes and procedures to ensure Data Subject Access Requests (DSARS) are handled correctly in line with GDPR.

Conduct a Data Protection Impact Assessment (DPIA) before changing any existing systems or building new systems.

Build new systems to handle DSARS efficiently.

Complete a Data Inventory for your entire organisation, remember, Data subjects are not just customers, they are employees, contractors, tradesman, suppliers etc.

GDPR Data Inventory

Complete a data mapping exercise to document all personal data you hold, where it is stored and what processing is done on that data and any other information relevant to the GDPR.

This is more concise than a traditional Data Inventory as it is specific to GDPR data types but more useful as it captures the data processing details specific to GDPR.

The data inventory will assist in the servicing of DSARS and future system changes and DPIA’s.

How can we help?

GDPR Auditing and our Partners can assist you through our range of services including, DIPA’s, Data Inventory creation, Audit and training.

If you would like to know more about how GDPR Auditing can help your organisation with the GDPR email us at or if you have any questions about this post email the author

© GDPR Auditing 2017.

The information provided in this post is for general information only and is not intended to provide legal advice.