The Subject Access Request or SAR is one of the fundamental rights individuals have.
It will probably also be one of your busiest functions under GDPR compliance. So better to get a process sorted out for it before 25th May 2018.
Get access to the data you hold about them. Not necessarily all of it. There are provisions made for certain types of data to be held back, but you would need to be really sure of your ground. Legal advice needed if you’re going to try this.
Otherwise you need to give it all in a secure format. When I say “all” I mean “all the personally identifiable information”. Not “everything in the business”.
Pay particular attention to the PII you hold in employment records.
There are protections for Data Controllers to prevent frivolous SAR attempts. Make sure your staff know that it is really important to NOT PANIC when faced with an SAR. It is possible to think of a situation where a journalist or investigator might try to bully a business into breaching GDPR using an SAR as the excuse for doing so. You do have an obligation to protect your business and the PII you hold. GDPR allows you scope to exercise your responsibilities. So there is no need for any incidents where data is released to the wrong people.
A Subject Access Request should trigger a specific process to comply with it. You need to make sure key people know about the request and how it is going to be met. You have one month to respond, once the nature of the request and the identity of the individual have been verified. It is your responsibility as a Data Controller to record the request and how it was met. These records may need to be inspected by the ICO.