Subject Access Requests (SARs) are not new, and although businesses should already have policies in place for handling SARs, GDPR ups the ante. Under the General Data Protection Regulation there are a few key differences. Companies:
- Have to respond more quickly
- Have to provide supplementary information
- Cannot charge for responding to the request.
In addition, people can request and receive the information electronically.
Good Compliance Officers and DPOs understand the complexity and time that can be involved. As no two requests are the same, each presents its own challenges, all of which must be dealt with within tighter timescales.
A good place to start is to ensure that your organisation, and its staff, understand and recognise a Subject Access Request. For example, if somebody asks why you are holding their personal data, it doesn’t necessarily mean that they are requesting a copy of that data. Developing procedures to clearly identify the scope of a Subject Access Request will ensure that you have a definitive point at which the clock starts ticking.
What is a Subject Access Request?
Under GDPR, the ‘right of access’ gives individuals the right to request the personal data that a company holds on them. The aim is to help people understand why and how companies use their data, as well as who it is disclosed to. Much of this information may already be available in your Privacy Notice.
The ICO states that individuals have the right to obtain the following from you:
- confirmation that you are processing their personal data;
- a copy of the personal data you hold on them; and
- other supplementary information, which corresponds to the information in your Privacy Notice.
This means that the information requested must also fall within the definition of personal data.
A person may only receive their own personal data, and no other information relating to anyone else. You will need to develop procedures to ensure that all information relating to other data subjects is properly identified and removed from the response. This can be a time-consuming activity, which must be allowed for within the 30-day time frame. Imagine trying to go through hundreds (if not thousands) of emails containing data on multiple data subjects!
Identifying a SAR
The GDPR does not specify exactly how requests should be made. This means that a request could come:
- Verbally or in writing
- To any department (including via a social media fan page)
- To any member of staff with a data subject facing role
Staff in receipt of a Subject Access Request should be trained to clarify that the individual is, in fact, making a request for their own personal data. They should be aware that the request itself might not include the phrase ‘subject access request’ or refer to Article 15. It is important that staff understand the importance of processing requests securely and efficiently in order to meet the 30-day response deadline.
Prior to providing any personal information to a recipient, your organisation will need to have procedures in place to verify the individual’s identity. You will be handing over personal information, and so need to ensure that data subjects making requests are who they say they are.
It is important to establish criteria for identifying individuals that are appropriate and proportionate to the information being provided.
For example, if the data concerned is of a sensitive nature (such as special category or credit card data) you may want to see government identification such as a passport or driving licence. However, if the data relates to less sensitive information such as contact details, purchase history or demographic information, then you may accept information such as mother’s maiden name, year of birth, etc.
The decision on what information to use should be backed by a risk assessment to ensure that it sufficiently protects that data, whilst not hindering the data subject’s right to access their data.
Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, even verifying in writing for clarity, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of verbal requests.
Rules affecting response times
Businesses should respond to a SAR ‘without undue delay and in any event within one month of receipt of the request.’ For a standard request, this means you need to reply within one month of originally receiving the request.
However, there are some exceptions:
- You can extend the deadline by a further two months if the request is ‘complex’ or if you have ‘a number of requests’ from the individual.
- You can refuse to deal with a request if it is ‘unfounded’, ‘excessive’ or ‘repetitive in nature’. Alternatively, you can request a ‘reasonable fee’ to action it.
Either way, you need to inform the individual within the one month deadline, justifying your decision and clarifying any extension period. The requested information should be provided using a commonly used electronic format.
Historically, the mistreatment of Subject Access Requests has been the main data protection complaint from the public. In 2016, the biggest proportion of concerns raised (42%) related to individuals’ rights to access their personal data held by organisations.
Subject Access Requests are a complex area. Further issues arise when handling requests for large amounts of data, requests made on behalf of others and if data includes information on other people.
As the number of requests
Don’t underestimate the importance of raising awareness within your organisation of what a Subject Access Request is. Assess the requirement to train key staff who will directly affect your ability to deliver accurate, comprehensive information on time.