Businesses – whatever their size – sometimes find themselves on the back foot when dealing with the increasing GDPR compliance obligations. And it’s not surprising. GDPR has the protection of the rights of individuals at its core. The laws are all about giving customers, clients and consumers greater control over how their personal data is used. One example of this is the right of access. Individuals have the right to ask a company if they are using the individual’s personal information and to request copies of the information held. These requests are known as subject access requests or SARs.
Any organisation that’s subject to GDPR should have a framework in place to handle SARs and ensure that all responses are made in accordance with the law. Dealing with SARs and other aspects of data protection law can be a burden on company resources. Part of our role as data protection lawyers is to advise you on procedures and protocols you can implement to ensure compliance in a proportionate, cost-effective and transparent way.
We discuss the main issues around SARs below.
- What is a subject access request?
- What's included in a subject access request?
- Documenting a subject access request
- What if a subject access request is verbal?
- Do subject access requests have to be in writing?
- Confirming a data subject's identity
- How long do you have to respond to an SAR?
- What is personal data under GDPR?
- Are there any subject access request exemptions?
- Refusing a subject access request and repeat requests
- How to respond to a data subject access request
- Recording your response
- Impacts on any data processors your business uses
- Can an organisation charge for a subject access request?
- How long do you need to hold data for?
- Designing a sensible data retention policy
- Designing an efficient process and using templates
What is a subject access request?
A subject access request is a request made by an individual to access their personal information that is held by an organisation.
It’s essential that your employees are always alert to the possibility that any request from an individual could be a subject access request. An SAR will ask some or all of the following:
- What personal information an organisation holds about the individual
- How the organisation uses it
- Who the information is being shared with
- Where the information came from
What's included in a subject access request?
SARs don’t need to follow any particular format and they don’t need to be in writing. So long as it’s clear that the requester is asking for their personal data there is no need for him or her to mention GDPR or the phrase ‘subject access request’. This can be challenging so it’s important to train your staff so they can recognise requests.
Documenting a subject access request
When you have identified an SAR you should document it and date it. That way, you know when the time limit for responding expires. Remember, you only have one month to respond, and only in certain circumstances can the response time be extended. You should also make sure that no information relating to the individual who made the request is deleted pending your compliance with the SAR. It’s a criminal offence to modify data with the intention of undermining a subject access request.
What if a subject access request is verbal?
GDPR doesn’t oblige individuals to make SARs in writing. Staff should be equipped to deal with requests made verbally and to make appropriate records. However, you should ask the individual to follow up the verbal request in writing and point out that this is in keeping with Information Commissioner’s Office (ICO) guidance. Businesses may find it useful to refer the individual to an SAR form, which may make it easier for you to locate the data they want. They don’t have to complete the form, but it would make it easier for you to understand the background to the request and to capture information that you may need in order to deal with it.
Do subject access requests have to be in writing?
There is no prescribed way for an individual to make a subject access request. This means SARs may come to your organisation via Facebook or another social media platform. It’s up to you to assess the likelihood of SARs being placed on your social media accounts and to have procedures in place to respond effectively.
Confirming a data subject's identity
Your organisation is entitled to be satisfied that the person making the SAR is who they say they are. If in doubt you can ask for confirmation of their identity (presentation of a passport, for example), but you must let the requester know you need identification as soon as possible. In requesting identification you must act proportionately. It wouldn’t necessarily be reasonable to ask a long-standing customer for proof of identity. Time limits for responding only begin once the requester’s identity has been confirmed.
How long do you have to respond to an SAR?
The ICO expects companies to respond to subject access requests without ‘undue delay’. However, under the rules you have one calendar month to respond to an SAR. Logistically, many organisations adopt a 28-day period in which to respond because of the variation in the number of days in each calendar month. This time limit may be extended in cases where you must establish the requester’s identity or where you are charging a fee to process the SAR (see below). In addition, you can extend the one-month limit by two more months in complex cases, but you must provide the requester with reasons for doing so. Lack of resources, or dealing with the SAR late because you haven’t got round to it, are not justifiable reasons for an extension of time.
What is personal data under GDPR?
Under GDPR, ‘personal data’ is information that relates to an identified or identifiable individual. This could be a name, a number or another identifier such as initials, an ID number or an IP address. Personal data also includes any recorded opinion about an individual.
When you receive an SAR and are satisfied as to the identity of the requester, you should search all company databases and systems where the data may be held to establish what personal data you hold on the individual. Data can be audio and visual as well as written documentation.
It does not matter that information does not refer to an individual by name, as long as they can be identified by other means, for example, their initials or ID number. Personal data may be known to the individual or within the public domain.
Are there any subject access request exemptions?
The data protection regime affords certain, extensive rights to individuals. But these rights are curtailed in specific situations so that categories of information are exempt from being disclosed. The right of access (under which SARs are made) has a number of relevant exemptions, including:
- information that’s subject to legal professional privilege
- information that might incriminate you (i.e. reveal that you have committed an offence)
Refusing a subject access request and repeat requests
In addition to the situation where an exemption applies, your organisation does not have to provide information requested under an SAR if it is:
- Manifestly unfounded – This could be where a requester is acting maliciously or has indicated he or she is only making the SAR to cause disruption. Similarly, an SAR could be regarded as manifestly unfounded if it is designed to target or harass an individual employee at your organisation
- Excessive – An SAR might be excessive if it is a repetition of a recent request or if it overlaps with other, similar requests
It’s important to consider each case on an individual basis and you must be able to explain your reasons for refusing to comply with an SAR if the ICO requests you to do so.
How to respond to a data subject access request
GDPR states that you should provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
There are no hard and fast rules about the format in which you disclose information in response to an SAR. However, the expectation would be that if the request is made by email, your response should also be by email. Some organisations make a point of asking the individual how they would like the information disclosed. This is particularly advisable if the response will include highly sensitive information.
Recording your response
You should always keep a record of your response to an SAR and retain details of your reasoning and decision-making process in relation to the information disclosed. There is always the possibility that the requester will be dissatisfied with your response and escalate the matter by contacting the ICO with his or her concerns.
Impacts on any data processors your business uses
If your organisation relies on outside companies to act as data processors of information you control, it’s your responsibility, as the data controller, to ensure that they are equipped to deal with SARs. For an explanation of the difference between data controllers and data processors, please see our guide to personal data.
Can an organisation charge for a subject access request?
You can’t usually charge to respond to a subject access request. However, you can charge a reasonable fee if you agree to comply with an SAR that’s excessive or manifestly unfounded (remember you don’t have to comply with an SAR in these situations). You may also charge a fee if the individual asks for additional copies of their data. When charging a fee you must let the individual know. You aren’t required to comply with the SAR until you are in receipt of payment.
How long do you need to hold data for?
Under GDPR there is no specified time period for holding onto personal data of individuals. Under the storage limitation principle, you cannot retain data for longer than you need it. And the longer you hold onto data the more difficult it will be to establish a lawful basis for holding onto it.
From your point of view it makes sense to review the data you hold and to delete data you no longer need. This reduces the risk that the data will be used in error. It also reduces the amount of data you will have to sift through in response to an SAR. A data retention schedule is helpful because it flags when data needs to be deleted.
Designing a sensible data retention policy
GDPR obliges you to develop sensible data retention policies where possible. You should set out:
- The types of record or information you hold
- What you use the information for
- How long you intend to keep it
Smaller organisations won’t necessarily need a formal data retention policy. However, even if you are not processing or controlling a lot of information you should still regularly review the information you hold and delete it if you no longer need it.
Designing an efficient process and using templates
Subject access requests may be viewed as just another administrative burden on small and medium-sized companies. But under GDPR subject access to information is a fundamental right. By developing streamlined and proportionate procedures you can enhance the service you provide to customers and consumers. The ICO points out that many complaints it receives relating to SARs can be avoided if good practice is followed and straightforward, company-wide policies are implemented and followed. Some ways to develop an effective process include:
- Investing in staff training so that relevant staff understand how to handle SARs
- Producing templates for different types of response to ensure a consistency of approach to all SARs
- Providing guidance on subject access on your company’s intranet or in internal policy booklets. This should highlight the repercussions of failing to respond appropriately to SARs, including adverse publicity, potential fines and regulatory scrutiny
- Putting in place a robust system for registering and monitoring SARs when they are received
- Creating a dedicated team to handle SARs and other GDPR matters
- Ensuring that data disclosed under an SAR does not contain data relating to another individual
- Ensuring a senior employee is equipped to review an SAR response if the requester makes a complaint
- Monitoring SAR compliance and creating a fast track procedure to escalate SARs that are not dealt with within prescribed time limits