PRIVACY CULTURE DEVELOPMENT

How to handle Subject Access Requests

A detailed one-day practical workshop designed for data protection compliance teams and other professionals responsible for managing the lifecycle of Subject Access Requests in accordance with the UK GDPR.

Course Features

Short day session 10am - 3pm

Experienced instructor

Record of attendance

Public schedule

In-company options

Course Overview

One of the principal aims of the UK General Data Protection Regulation (GDPR) is to empower individuals (data subjects) by giving them control over their personal data. These fundamental rights are set out in Articles 12-22 in Chapter 3 of the GDPR. 

They include the right of access (subject access) to ask an organisation whether it holds any personal information about them and to ask for a copy. Regardless of what area of business an organisation operates in, if it holds or processes personal data, upholding the right of access is a legal requirement. 

This practical one-day training course is intended for individuals tasked with responding to subject access requests (SARs).

Course Costs

Book this 1-day course on handling Subject Access Requests:

£395 + VAT

Package includes:

Intended Audience

This one-day course on handling Subject Access Requests is suitable for those individuals with the following roles or responsibilities: 

  • Data protection practitioners
  • Information governance professionals
  • Governance, Risk and Compliance (GRC) professionals

Course contents:

Introduction to Data Subject Rights (DSRs):

  • The rights of the data subject under the UK GDPR
  • The 8 fundamental data subject rights, including the right of access
  • Overview of the processes and procedures (Transparency & Modalities) required to ensure compliance with DSRs

Subject Access Requests (SARs):

  • What the data subject can ask for and expect to be told:
    • What data is being processed
    • Requesting access to the data
    • The purpose of processing
    • The types of personal data
    • How long it will be held
    • Who the data is shared with
    • Informing data subjects of their right to make a complaint to the ICO
    • Informing data subjects of their other DSRs
    • The source of the data
    • The logic behind automated processing
    • Safeguards for international transfers
  • How requests can be made
  • How requests relating to children’s data should be handled
  • How to identify the data subject requesting the information
  • Identifying third-party requests of personal data on behalf of the data subject
  • Clarification of requested information
  • Handling requests that identify third-party information
  • Searches for the requested information
  • Timescales for responding to a request

Subject Access Considerations:

  • What is personal data?
  • Searches for personal data
  • Third-party data
  • Enforced Subject Access
  • GDPR and DPA18 do not cover deceased persons' data
  • Understanding the difference between SARs and normal business
  • Unstructured manual records 
  • SAR provisions and exemptions for special cases of access
    • Health, Education and Social Care data

Refusing a SAR:

  • Manifestly unfounded requests
  • Manifestly excessive requests

Restrictions affecting data subject's rights (Exemptions):

  • The adaptations and restrictions that different exemptions apply
  • Exemptions

Complaints and Appeals:

  • Complaints and appeals
  • Enforcement
