This is a guest post by Patrick O’Kane, author of the new book A Practical Guide to Managing Subject Access Requests under GDPR.

“Knowledge is power. Information is liberating” –  Kofi Annan

How much personal data do you hold on individuals?

A former Google CEO said “Every two days now we create as much information as we did from the dawn of civilization up until 2003”.

In a world awash with data, most companies hold more personal data on customers than we need.

Many individuals have been shocked to find the sheer amount of the personal data companies have on them when they have made Data Subject Access Requests (‘Access Requests’) for their personal data.

Max Shrems, the Austrian Privacy campaigner, made an Access Request against Facebook for his personal data. Facebook had 1200 pages of his data including all his messages, likes and information about his location.

Companies hold personal data on individuals in a myriad of ways including call recordings, emails, electronic records, CCTV footage, browsing history and payment data.

A recent study showed that dealing with Access Requests can cost in the region of $2 million a year.

Why am I hearing so much about Privacy Regulation?

Companies often feel they are playing Whac A Mole with new Privacy Regulation. Every time you slap a new one down, another pops up somewhere else.

At Gartner’s recent Security & Risk Management Summit they said that in 10% of the world’s population in 2020 had a modern Privacy Law regulating the use of personal data.  They predict that by 2023, 65% of the world’s population will have a modern Privacy Law.[1]

Which Privacy Regulations allow customers to access their personal data?

Since 2018, we have had major Privacy Laws implemented in the EU (GDPR), the US (CCPA) and Brazil (LGPD). A major new Privacy Law is expected in India (PDPB) in 2021.

These Regulations have many features in common including a Right of for customers to Access personal data. Under many Privacy Regulations an Access Request is usually a right for an individual to access and receive a copy of all of the personal data your company holds on them.

The challenges of the Right of Access

In the digital age, companies hold more data on us now than ever before. In the old days, most or all of the personal data held by a company on a client was in a file in a dusty filing cabinet. In the Information era, companies may hold all manner of client data including data relating to their online activity, their marketing preferences and even call recordings.

The Search for the requestor’s personal data could include a search of all relevant electronic and paper systems including:

It does not matter where in the world the data is stored. The Right of Access usually applies to personal data stored anywhere in the world.

Much of the personal data you hold on customers may be held off premises including data held in the public cloud. Personal data is often held by a multiplicity of vendors and business partners.

Then there is the dreaded email. One UK Access Request made by an employee to their employer necessitated the review of 500,000 emails at a cost of $150,000.

How does my company deal with the challenge of Access Requests?

There are three steps you can take to ensure Access Requests are dealt with properly within your company.

1.       Records Management – Records management ensures that you do not keep old or obsolete personal data have strict time limits for the deletion of your records. Records Management is too often ignored within companies.

If data is not subject to a deletion cycle, then data can accumulate and cause risks and liability to companies. Deleting data regularly means there is less to locate and disclose in the event that you receive an Access Request.

2.       Procedures –You need policies and procedures that set out the rules of the game for your employees in terms of dealing with Access Requests. Your policies and procedures should include details on how individuals can make an Access Request and how the company should search for the data across various locations and systems.

3.       Train, train, train – Many of your staff will interact with individuals and customers. Would each of those staff members know what to do if a customer said to them “I want a copy of my data” or “I want to access all my data”? They should know because that customer has just made an Access Request and the clock is now ticking against your company. All staff should have some general knowledge of Access Requests and this could be included in your general Privacy Training module. Some departments will require more detailed knowledge of Access Requests such as IT and HR as they relate to their department.

Patrick O’Kane is an In-House Lawyer (Barrister) and is Head of Privacy at a Fortune 500 Company where he helped lead a major GDPR implementation project across a group of more than 100 businesses. Patrick is the author of the book ‘A Practical Guide to Managing Subject Access Requests under GDPR’ available from He is also the author of the book ‘GDPR – Fix it Fast: How to apply GDPR to your company in ten steps’ available from Brentham Publishing and on Amazon. Patrick is Certified in EU and US Privacy Regulation and was made a Fellow of Information Privacy by the International Association of Privacy Professionals in 2020. He can be reached at