GDPR Procedure

Purpose

This document defines the process by which RGA responds to data subject rights requests under the UK GDPR and Data Protection Act 2018. It ensures requests are handled lawfully, consistently, securely, and within statutory timeframes.

Scope

This procedure applies to:

  • All personal data processed by the consultancy
  • All data subjects (clients, suppliers, employees, contractors, and other individuals)
  • All forms of requests relating to GDPR data subject rights

Data Subject Rights Covered

RGA supports the following rights:

  • Right of access (Subject Access Request – SAR)
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making (where applicable)

Roles and Responsibilities

Data Protection Lead

  • Acts as the primary point of contact for all data subject requests
  • Assesses validity and scope of requests
  • Coordinates responses and approvals
  • Maintains the request log and audit trail

Staff

  • Promptly forward any data subject request to the Data Protection Lead
  • Support data identification and retrieval where required

Requests may be received via:

  • Email
  • Written correspondence
  • Verbal request (in person or by phone)

All staff must treat any expression of a data subject right as a valid request, even if informal.

Request Handling Process

Step 1 – Log the Request

Record the request in the Data Subject Request Log, including:

  • Date received
  • Request type
  • Requestor details
  • Deadline for response

Step 2 – Verify Identity

  • Confirm the identity of the requestor before releasing or modifying data
  • Request reasonable evidence if identity is uncertain
  • No action is taken until identity is verified

Step 3 – Assess the Request

  • Confirm which right is being exercised
  • Identify systems, records, and data sources involved
  • Assess whether any exemptions apply

Step 4 – Data Collection and Review

  • Retrieve relevant personal data securely
  • Review data for third-party information or exemptions
  • Redact data where required

Step 5 – Approval and Response

  • Final response reviewed by the Data Protection Lead
  • Response provided securely (e.g. encrypted email)
  • Provide explanation of actions taken or reasons for refusal

Step 6 – Close and Record

  • Update the request log
  • Retain correspondence and evidence securely
  • Record completion date

Timeframes

  • Requests are responded to within one calendar month of receipt
  • Extensions (up to two additional months) may be applied for complex requests
  • Data subjects will be informed promptly if an extension is required

 Refusals and Limitations

  • Requests may be refused or limited where:
  • Requests are manifestly unfounded or excessive
  • Legal or regulatory obligations prevent disclosure or deletion
  • Data includes third-party personal information
  • All refusals must be documented and justified.

 Data Security

  • All data is processed securely and confidentially
  • Access restricted to authorised personnel only
  • Secure storage and transmission methods are used at all times

 Record Keeping

The following records are maintained:

  • Data Subject Request Log
  • Identity verification evidence
  • Internal assessments and decisions
  • Copies of responses

 Training and Awareness

All staff receive periodic awareness training on GDPR data subject rights

This procedure is accessible to all staff

 Review and Maintenance

This procedure is reviewed annually or following regulatory change

signature

Approved By:   R Gauldie, Director

5th February 2026