GDPR for Managers Part 4 of 5 : Access to Information (Subject Access Requests)

Individuals can ask for access to their personal data. Managers must respond clearly, in plain language, and usually within one month (with a possible two-month extension for complex cases). Learn what to disclose, when fees apply, how to verify identity, and how iProtectU helps you export and evidence your response.

Summary

Under GDPR/UK GDPR, any individual can request access to their personal data (a Data Subject Access Request, or "DSAR"). Controllers must reply in a concise, transparent and accessible way, free of charge (except in limited cases), without undue delay and in any event within one month of receipt. Where requests are complex or numerous, that period may be extended by up to two further months, but you must tell the requester about the extension and the reasons for it within the first month.

What you must provide

Minimum requirements

  • Confirmation that you process their personal data

  • A copy of the personal data

  • Purposes of processing

  • Categories of personal data

  • Recipients (or categories of recipient), including any international transfers and the safeguards applied

  • Retention period, or the criteria used to decide it

  • Their rights (rectification, erasure, restriction, objection, portability)

  • The source of the data (if not collected from the individual)

  • Any automated decision-making, including profiling, and meaningful information about the logic involved

  • Their right to lodge a complaint with the supervisory authority

If the request is made electronically, provide the information in a commonly used electronic format unless the requester asks for something else.


Timelines, fees and extensions

One month from receipt of the request to respond.

You may extend by up to two further months where the request is complex or you have received several from the same person. Send the extension notice, with the reasons, within the first month; an extension announced after the original deadline has passed is not valid.

Responses are free. A reasonable fee, based on administrative cost, is allowed only if the request is manifestly unfounded or excessive, or for additional copies of information already supplied.

Verifying identity

If you have reasonable doubts about who is making the request, ask only for the additional information you actually need to confirm identity (do not demand formal ID from an employee or customer whose identity you already know). The one-month period then runs from the day you receive that information rather than from the original request, so the clock is effectively paused until identity is reasonably verified. Record what you checked, how, and on what date.

Narrowing or refusing requests

You can ask the requester to clarify scope (e.g., date range, systems, the employment period in question), but you may not insist on a narrower scope if they want everything. You may refuse, or charge a fee for, manifestly unfounded or excessive requests; the burden of demonstrating that is on you, so record your reasoning. If refusing, explain why, tell them how to complain to the supervisory authority, and remind them that they can seek a judicial remedy.


Record-keeping

Keep an internal log of each request: date received, identity checks and their dates, clarifications requested, any extension notice and its reasons, the decision taken, the data and Article 15 information provided, any exemptions or redactions relied on, and the date of the response. This log is what you will need if the requester complains to the supervisory authority.
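The timeline rules above (one month from receipt, the clock paused until identity is verified, an extension of at most two further months that must be notified within the first month) and the record-keeping requirement are easy to get wrong by hand, especially around month ends. The following is an added example, not code from the original article or from iProtectU, of a small DSAR tracker that computes the deadline and keeps the audit trail. It assumes, as a labelled simplification, that "one month" ends on the same calendar date in the following month (or the last day of that month if no such date exists) and that the period runs from the day identity is reasonably verified; the request data is constructed for illustration.

```python
"""DSAR deadline tracker (added example; not from the original page).

Assumptions (stated as such, not taken from the page): "one month" ends
on the same calendar date in the following month, or the last day of
that month if there is no such date; the period runs from the day
identity is reasonably verified (or the day of receipt if no
verification was needed); an extension must be notified on or before
the original one-month deadline and may add at most two further months.
"""
from __future__ import annotations
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to that month's last day."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class DsarRequest:
    requester: str
    received: date
    identity_verified_on: Optional[date] = None
    extension_months: int = 0
    extension_notified_on: Optional[date] = None
    log: list = field(default_factory=list)  # the internal record-keeping trail

    def record(self, when: date, event: str) -> None:
        self.log.append((when.isoformat(), event))

    def clock_start(self) -> date:
        # Assumption: the month runs from the later of receipt and
        # reasonable identity verification (the "pause the clock" rule).
        return self.identity_verified_on or self.received

    def verify_identity(self, on: date, method: str) -> None:
        if on < self.received:
            raise ValueError("verification cannot precede receipt")
        self.identity_verified_on = on
        self.record(on, f"identity verified via {method}")

    def initial_deadline(self) -> date:
        return add_months(self.clock_start(), 1)

    def extend(self, months: int, notified_on: date, reason: str) -> None:
        """Extend for complexity/volume: at most two extra months, and the
        requester must be told within the first month."""
        if not 1 <= months <= 2:
            raise ValueError("extension must be one or two months")
        if notified_on > self.initial_deadline():
            raise ValueError("extension notice must be sent within the first month")
        self.extension_months = months
        self.extension_notified_on = notified_on
        self.record(notified_on, f"extended by {months} month(s): {reason}")

    def deadline(self) -> date:
        return add_months(self.clock_start(), 1 + self.extension_months)

    def is_overdue(self, today: date) -> bool:
        return today > self.deadline()


def example_timeline() -> dict:
    """Constructed walk-through: request received 31 Jan 2024 (a leap year)."""
    r = DsarRequest("constructed example", date(2024, 1, 31))
    out = {"on_receipt": r.deadline().isoformat()}                 # 2024-02-29
    r.verify_identity(date(2024, 2, 5), "email challenge")
    out["after_verification"] = r.initial_deadline().isoformat()  # 2024-03-05
    r.extend(2, date(2024, 2, 20), "records spread across several systems")
    out["after_extension"] = r.deadline().isoformat()             # 2024-05-05
    out["overdue_on_2024_05_06"] = r.is_overdue(date(2024, 5, 6))
    out["log_entries"] = len(r.log)
    return out


def late_extension_is_rejected() -> bool:
    """An extension announced after the first month has ended is invalid."""
    r = DsarRequest("constructed example", date(2024, 3, 1))
    try:
        r.extend(1, date(2024, 4, 2), "too late")  # initial deadline was 1 Apr
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(example_timeline())
    print("late extension rejected:", late_extension_is_rejected())
```

The month-end clamping matters in practice: a request received on 31 January is due on the last day of February, not on "31 February" rolled into March. Because the deadline is derived from the logged dates rather than typed in, the log and the deadline cannot drift apart, which is exactly the evidence you want when a requester complains.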

Manager checklist

  • Logged the request date and verified identity

  • Scoped systems and data sources; searched comprehensively (including email, HR systems, CCTV and shared drives where relevant)

  • Compiled the data plus the Article 15 information in plain language

  • Applied redactions where needed (third-party data, legal privilege, other exemptions)

  • Responded within one month, or issued a timely extension notice with reasons

  • Recorded the decision and retained evidence of your response

How iProtectU helps with GDPR

IIRSM-approved GDPR awareness training – assign our IIRSM training to staff/managers, track completion, and schedule refreshers.

Policy & document management – publish privacy notices, retention schedules and procedures using our document management software; version control ensures a full audit trail.

Vendor/processor records – store contracts, data processing agreements and due-diligence checks.

DPIAs & risk logs – consistent templates, actions and reviews to manage high-risk processing.

Tasking & reminders – owners, due dates and renewals for RoPA, DPIAs, policy updates and vendor checks.

Dashboards & reporting – real-time view of training, policy acceptance, actions and expiries for audit readiness.

Need to tighten GDPR controls, train staff or manage your risks?

Book a demo and see how iProtectU keeps you audit-ready.

Next in the series (Part 5): Personal Data Breach Notification (72-hour rule)

This article provides general guidance and is not legal advice.


Missed a part? Catch up here:

Part 1: GDPR basics for managers — why it matters and how iProtectU helps.

Part 2: Consent that’s freely given (and provable)

Part 3: Special category (sensitive) data

Part 5 (coming next): Notification of a personal data breach

GDPR FAQs

Our FAQ guides help you make informed decisions about how our health and safety software can benefit your organisation.

For anything else please request a demo, call or send us an email.

What happens if someone withdraws consent?

You must stop the processing that relied on that consent and log the withdrawal. Keep a record that consent was previously given, and when it was withdrawn.

Can consent be implied, or given through a pre-ticked box?

No. Consent must be an opt-in via a clear affirmative action.

Does GDPR still apply in the UK?

The UK applies the UK GDPR alongside the Data Protection Act 2018, which mirrors the EU GDPR principles closely. If you operate across regions, design for the higher standard.

Can a single consent cover several purposes?

No. Consent must be specific; give separate choices for each purpose.

Do we always need consent to process personal data?

No. Consent is one of six lawful bases. For many HR or service-delivery activities, contract or legitimate interests may be more appropriate; document your choice.

What is a DPIA?

A Data Protection Impact Assessment evaluates high-risk processing (e.g., large-scale monitoring, special category data). It documents the risks and the measures you will put in place to reduce them.

What must we do after a personal data breach?

If a personal data breach is likely to result in a risk to people's rights and freedoms, report it to the supervisory authority within 72 hours of becoming aware of it, and inform the affected individuals where required (when the risk to them is high).

Can we see iProtectU before we buy?

Yes. Book a free demo and we will tailor a walkthrough to your industry, data and processes so you can see how iProtectU fits your organisation.

How often should consent be refreshed?

Refresh it when your purposes, technology or context change, or when the existing consents have become too stale for the risk involved.
