Small businesses & the GDPR Right of Access

Please note this information is now out of date - please refer to the ICO for up-to-date GDPR information. 

How small businesses can implement the GDPR Right of Access

Your customers now have the right to access the data you hold about them. This means they can ask to see a copy of all personal data you store about them and they can also ask to verify the lawfulness of the processing you do with their data.

This request can be made by any means: written, email or verbally and you need to have the capability to do this within one month.

You should always attempt to verify the identity of the person making the request before proceeding - typically by having them state the full name, address, postcode and perhaps other details in the customer record prior to providing the information.

Can I charge a fee for dealing with a subject access request?

You must provide a copy of the information free of charge. However, you can charge a ‘reasonable' fee when a request is manifestly unfounded or excessive, particularly if it is repetitive.

You may also charge a reasonable fee to comply with requests for further copies of the same information. However, this does not mean that you can charge for all subsequent access requests and the fee must be based on the administrative cost of providing the information.

What you need to do

Realistically, for most small businesses you'll need to be able to email or print out your customer record - even if that is only screenshots of your system you are still respecting the principle of their rights. If you hold any extra data about "meta" subjects such as interests, religion, social issues, etc., you should always make sure it is included.

If the customer has placed many orders with you, for example, there is no automatic reason to include this as it doesn't typically constitute personal data.


If you can justify the time/cost you could create a web form that allows people to leave their details and allows them to pick which of their GDPR rights they want to exercise. It should then email you all of that information for you to act on. You can see an example here.

Of course, if you have a system that your customer can log into just make sure that all of their information is available within their Account area - your Privacy Policy could then reflect this, potentially saving you from the time lost in manually dealing with any Right of Access requests.

Further details about the Right to Access can be found on the ICO website here.