Free tools and resources for Data Protection Officers!

Responding to subject access requests

There’s nothing like a data subject access request to force an inter-departmental huddle. For U.S.-based DPOs, the exercise may feel a bit like responding to a litigation discovery request. (Indeed, the role of litigation and privilege concerning SARs is an issue explored in Thomas Shaw’s May 2017 post ). Access to what personal information is gathered and how it’s used is one of the fair information practices (FIPS) , already obligatory under Member State law implementing the EU Data Protection Directive, so for seasoned European privacy professionals there may be only modest adjustments needed to an existing SAR policy to conform to the EU’s General Data Protection Regulation before the May 25, 2018 deadline.

Source: Responding to subject access requests