GDPR: How to demand all the data companies know about you


Desperate to know what information companies and organisations hold about you, but unsure how to find out? A legal mechanism for discovering exactly this is already in place, and is weeks away from being strengthened under new EU laws.

The “subject access request”, created in the Data Protection Act 1998, is your right to find out what information is held about you by companies or organisations, including an employer, and get copies of it.

Requests must be submitted in writing to an organisation, via email or letter, and limited only to personal data. Employees can request information on an assessment of performance at work, for instance. There are some exemptions on releasing data, however, such as information relating to trade secrets.

Currently, organisations can take 40 days to respond to a request and charge a fee of up to £10, with a special rule for paper-based health records, for which the fee can rise to £50. But with the introduction of the General Data Protection Regulation (GDPR) on May 25 2018, this will become free and the time limit for organisations to respond will be reduced to 30 days.

Those curious about the proliferation of their data are also currently entitled to be told whether their personal information is being processed, the reasons for that, as well as if their data will be given to any other organisations or people. Those who make requests should also be given details of the source of the data, where available.

How does it work?
The Information Commissioner’s Office (ICO) recommends a relatively straightforward process for obtaining your data.

Step 1 – Find out who has your data

Before writing, research ahead to find the correct place to send your request to. If you don’t find the right person or department, you could end up having to send the request all over again.

To find out where to direct an inquiry, call the helpline of an organisation or check their website, which could include the information you need in the privacy policy.

Step 2 – Double-check everything

Make sure that all the information you’re after is included in your first email or letter. The cost of £10 per request can be re-charged if you miss something out in your initial request. If you forget to ask, you could wait up to 40 days – just to find you need to fork out again.

Step 3 – Write out a letter or email

Once you’ve done your research, you’re ready to get hold of your data. Write to the organisation with your name, address and phone number, as well as any information used by the organisation to identify you from others of the same name, such as an account number.

Within the letter or email, the ICO recommends mentioning the 40-day deadline for a response, your right to the request under the Data Protection Act 1998 and also referring to the advice that the ICO can provide to organisations. It could be worth including their website, or phone number at 0303 123 1113, in your request.

Step 4 – Be specific

The key part of your request is including details of the specific information you require, as well as relevant dates. Examples could include asking for all emails between ‘A’ and ‘B’ between two dates, as well as CCTV footage or your personnel file from your employer.

If you’re after how much Netflix has been keeping tabs on binge-watching this year, you could ask for “all data Netflix holds on the account ‘StrangerThings123’ between 1/1/2018 to 26/4/2018, and who it has been passed to”. You could limit that to “viewing hours data”, if you wanted to get more specific. If you’re struggling with how to phrase anything in your letter, the ICO have a template here.

Alternatively, you can ask for all data a company holds on you.

Step 5 – Follow up

In an ideal world, the organisation has quickly complied with your request and you now know what your boss has been saying about you on email. But it’s also possible that companies won’t scramble to provide you with data that they’d prefer to keep to themselves.

For this reason, the ICO recommend following up with a further reminder of Data Protection Act obligations if no response is received within the 40-day period, which starts from the day the organisation receives the fee and the information they need to identify you. The ICO also advise keeping a copy of all correspondence involved in the process of the request.

Step 6 – Demand your data

When a gentle nudge fails, data subjects have another method of challenging for their information.

If the organisation refuses or ignores the request, or has not provided all the information you asked for, individuals can appeal and report concerns to the ICO. The ICO will then work with the organisation to solve the problem and see if it has not complied with obligations – though it's possible the organisation may have.

To begin an appeal, visit and fill out the questions to explain the nature of your issue. Then, fill in the ‘accessing personal information concerns form’ and send it along with any other documents you wish to Alternatively, print the form out and post it to the ICO office: Customer Contact, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.
