If you hold any personal data, whether it’s about customers, employees or anyone else, they have a right to ask you for a copy of it (sometimes called a ‘subject access request’), which you need to provide within a month. Depending on the information you hold and the type of activity you undertake, this may be very simple indeed or extremely complex, but what you do need is a clear, straightforward process so everyone in your company knows what to do when a request comes in and how to do it.This is for any company that doesn’t already have a process in place for handling subject access requests, has a process that hasn’t been updated for a while, or has a process on paper but isn’t sure how it would work in practice.
What is included?
•Initial discussion to confirm scope and timings•Review of any existing policy and any other relevant documents•interviews, where applicable, with key members of staff•Creation of a process that works and is proportionate for your business, including if necessary a separate process for handling requests from employees•If applicable, advice on handling requests for data portability•Documentation including guidelines for those involved in the process•Review of/creating of the documentation provided to those making a subject access request•Advice on allocating roles and responsibilities, including, if applicable, coaching for those concerned•a dummy run of your new process plus any revisions to your process or documentation as a result•2 rounds of revision to the wording of documents•Any e-mail/phone calls in the course of the work•If applicable, wording to insert in your privacy policy or on your website about customer rights and how to use them.•wrap up call •10% discount on any further services bought within 3 months of completion
Upgrades and extras
•Remote support with your first few requests (up to 6 months afterwards) - payable at the time of the support - additional £50•Mystery shopping, if applicable, to check that the process works - additional £50•Employee training on how to use the new process - price dependant on number of employees and complexity of process.•Research into any legal differences relating to subject access requests in countries outside the UK per country - extra £50 per country
What is not included?
•Any additional work not listed above•Help with other rights under GDPR (objection, opt out, restriction, etc.)•Mileage, if applicable•Translation of documents (although this can be arranged and managed if required, at additional cost)
What will I get?
•A clear process and supporting documentation•The confidence of knowing you have a process in place and that it works