Do your managers:

  • know how to identify a subject access request?
  • understand that responding to a subject access request does not mean simply providing copies of documents?
  • appreciate the risks of failing to handle a subject access request correctly?
  • know when they can say no?


Under the General Data Protection Regulation (GDPR), every individual has the right to make a subject access request to any organisation that they believe may be holding, sharing or using their personal data. Subject to certain exemptions, an organisation receiving such a request must provide the individual with details of any data that they hold about that person, how it is being used, where it came from and who it may be shared with.

The managers who have to deal with subject access requests often find the process unnecessarily daunting and stressful, with many feeling that they do not have a clear grasp of what is expected of them. Responding to a subject access request requires a good understanding of the statutory formalities and procedures as well as the ability to apply the technical exemption provisions and, on occasion, weigh up the competing interests of different parties. Failure to deal correctly with a subject access request can, and does, lead to intervention and enforcement action by the regulator.

The aim of this course is to ensure that managers fully understand how to approach a subject access request and are able to prepare a legally compliant response efficiently and confidently using the template toolkit that will be provided to every delegate.


The objective of this half-day course is to ensure that delegates:

  • can recognise a subject access request and have a good working knowledge of the formal requirements that apply when preparing a response
  • are able to carry out effective searches for relevant personal data and provide all of the required information in their response
  • are aware of the need to review information prior to disclosure and understand when to redact it or apply exemptions
  • understand when vexatious requests can be refused
  • have a toolkit of precedent documents and guides to use when dealing with subject access requests in practice

Course outline

  1. Formalities and scope of subject access requests
  2. Conducting the search for personal data:
    • searching electronic files
    • searching manual files
  3. Deciding what to disclose:
    • what is (and what is not) personal data?
    • dealing with third party data
    • applying exemptions
  4. Preparing the response using the template toolkit
  5. How should a subject access response be sent – practicalities and security
  6. Dealing with dissatisfied data subjects – vexatious requests and complaints to the ICO

To discuss your specific requirements and get a quote, please contact Kitty Rosser on +44 (0)1603 756559 or [email protected].
