How Quickly Can Your Organisation Respond To Data Access Requests?


Is your organisation ready to respond to a potential rise in requests on May 25th from clients, employees and contractors wanting to find out what information you hold on them?

That’s the day the EU’s General Data Protection Regulation (GDPR) comes into effect, and it will bring with it big changes to the rights of individuals over how their personal information is collected and handled. It will also mean your organisation needs to respond quickly to such subject access requests (SARs).

Under the GDPR, individuals will have the right to obtain:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Other supplementary information

What’s more, every organisation will have to respond to such requests within one month, according to the Information Commissioner’s Office (ICO). Currently, organisations have 40 days to respond to SARs.

The ICO said that under the GDPR, the deadline can stretch to three months only if there are a number of requests, or the request is complex, but individuals must be informed of the reason for the delay.

If individuals make the request electronically, organisations must provide the information electronically.

There’s another important change, as far as organisations are concerned. Under the existing Data Protection Act (1998), organisations could charge a £10 administration fee to cover the cost of finding, gathering and providing data to the individual. But this will change under the GDPR. Organisations won’t be able to charge a fee unless the individual’s request is ‘manifestly unfounded or excessive’, according to the ICO.

As 3C Consultants’ Managing Director Colin Sales reveals in this video, landlords must be prepared for the GDPR’s introduction.

Procedures may need to be updated to ensure that data access requests are handled efficiently to meet the new deadline.

Housing associations need to train employees so that they know how and when to respond to those who wish to exercise their rights.

Organisations that fail to meet the one-month deadline for providing information are likely to face harsh penalties.

If you need help or would like to discuss any issue that this GDPR video series raises, please call us now on 0333 900 3003.