Who is it for?

If you hold any personal data, whether it’s about customers, employees or anyone else, they have a right to ask you for a copy of it (sometimes called a ‘subject access request’), which you need to provide within a month. Depending on the information you hold and the type of activity you undertake, this may be very simple indeed or extremely complex, but what you do need is a clear, straightforward process so everyone in your company knows what to do when a request comes in and how to do it. This is for any company that doesn’t already have a process in place for handling subject access requests, has a process that hasn’t been updated for a while, or has a process on paper but isn’t sure how it would work in practice.

What is included?

• Initial discussion to confirm scope and timings • Review of any existing policy and any other relevant documents • interviews, where applicable, with key members of staff • Creation of a process that works and is proportionate for your business, including if necessary a separate process for handling requests from employees • If applicable, advice on handling requests for data portability • Documentation including guidelines for those involved in the process • Review of/creating of the documentation provided to those making a subject access request • Advice on allocating roles and responsibilities, including, if applicable, coaching for those concerned • a dummy run of your new process plus any revisions to your process or documentation as a result • 2 rounds of revision to the wording of documents • Any e-mail/phone calls in the course of the work • If applicable, wording to insert in your privacy policy or on your website about customer rights and how to use them. • wrap up call • 10% discount on any further services bought within 3 months of completion

Upgrades and extras

• Remote support with your first few requests (up to 6 months afterwards) - payable at the time of the support - additional £50 • Mystery shopping, if applicable, to check that the process works - additional £50 • Employee training on how to use the new process - price dependant on number of employees and complexity of process. • Research into any legal differences relating to subject access requests in countries outside the UK per country - extra £50 per country

What is not included?

• Any additional work not listed above • Help with other rights under GDPR (objection, opt out, restriction, etc.) • Mileage, if applicable • Translation of documents (although this can be arranged and managed if required, at additional cost)

What will I get?

• A clear process and supporting documentation • The confidence of knowing you have a process in place and that it works