Skip to main content


We are now offering Virtual Training to customers, if you are interested please visit the Virtual Training page and contact us  

Spotlight on……Data Subject Access 

Data protection law provides data subjects with the right of access to their personal data being processed by an organisation. This right is designed to help individuals understand how and why an organisation is using their personal data and to check that they are doing so lawfully.  

To support this, individuals have a right to obtain the following information when making a subject access request: 

  • confirmation that you are processing their personal data 
  • a copy of their personal data 
  • other supplementary information: 
  • your purposes for processing 
  • categories of personal data you’re processing  
  • recipients or categories of recipient you have or will be disclosing the personal data to (including recipients or categories of recipients in third countries or international organisations) 
  • your retention period for storing the personal data or, where this is not possible, the criteria for determining how long you will store it 
  • the individual’s right to request rectification, erasure or restriction or to object to processing  
  • the individual’s right to lodge a complaint with the Information Commissioner’s Office (ICO)  
  • information about the source of the data, if you did not obtain it directly from the individual  
  • whether or not you use automated decision-making (including profiling) and information about the logic involved, as well as the significance and envisaged consequences of the processing for the individual  
  • the safeguards you have provided where personal data has or will be transferred to a third country or international organisation. 


The right of access only applies to the individuals own personal data, unless someone is making the request on behalf of someone else, for example a solicitor, family member, friend or other legal representative. 

The right of access relates to personal data rather than business information.  Guidance is provided by the ICO to assist organisations to comply with the law. 

There are exemptions which allow you to withhold information from your disclosure under this right.  These exemptions can be found at Schedule 2 of the Data Protection Act 2018. You should read the exemption carefully to ensure that it is applicable to the data you wish to withhold and is therefore engaged. 

Any disclosure must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. If the requester submitted their request electronically you should make disclosure in the same way, ensuring adequate security is applied. 

Subject Access can be a complex area of work.  We provide a range of CPD accredited training on this topic, as well as a pay as you go service for preparing disclosures under the subject access provisions.  Please contact us for more information.