data request GDPR

GDPR states that individuals, or data subjects, can request any data that is being held about them. This type of request is officially called a ‘Subject Access Request’ (SAR). If this request is made, you must respond in the correct way. Here’s how to stay GDPR compliant when responding to an SAR.

When to send the data

You must provide the data within 30 days of the request being made.

When is it ok to charge?

You cannot charge for a standard data request. But if it is manifestly unfounded or excessive, or if they ask for further copies of their data after already making a request, it is acceptable and in line with GDPR, to charge a reasonable fee.

Identity check

You must make sure that the person requesting data is who they say they are, and that the information relates to them. GDPR puts the responsibility of this with the data processor (you). You can do this by asking them to provide forms of ID but you must do this in line with data protection laws. Let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information.

Secure Sending

When sending the data, ensure that it is encrypted with a password and send the password either via email or text message. For extra security, make sure the password is in a separate message to the encrypted data.

Need some help?

LeadLabs provides an easy tool to access specific data and send it to those requesting. This means it’s nice and simple to respond to a Subject Access Request. Interested in trying out Leadlabs GDPR-compliant lead generation tools? Why not try it out for free.


We promise. No spam.