'I’ve received a subject access request. What should I do?'
A subject access request (SAR) is a request made by an individual to access their personal information held by an organisation. The individual is entitled to do so under UK GDPR.
A SAR can be made to any person or function at your organisation, and there’s no need for the data subject to explain why they want the information. Responding to a SAR can take up a lot of time and resources, and in most cases it must be done free of charge.
Having a suitable process in place can help keep your customers happy, while ensuring your business is compliant with UK GDPR.
What shall I do first?
- Be able to identify a SAR – A SAR can be made orally or in writing to any person in an organisation. There’s no need for the individual (data subject) to make a request in writing. It’s as simple as saying 'I want all information that you have on me since I began work'.
- Identify the data subject – You have one month to respond once you have confirmed their identity. This can be extended by a further two months if the SAR is complex or if you have received many requests from the same data subject.
- Forward the request – Immediately forward the SAR to the right department to deal with.
Triage
Once a SAR is made, it needs to be forwarded immediately to the correct department. Our data protection solicitors can help organisations evaluate whether the request is valid or whether any statutory exemption applies. Should it be a valid request, as time is of the essence, we will help set out a strategy for the next steps.
Strategy
We will help develop an effective strategy once we have identified the specifics of the SAR.
Strategy requires teamwork. Below are just a few of the questions we may ask; overall, these will depend on the SAR itself. Once we have the answers, we will take care of the response, whether that is to provide the information or to reject the request.
- Who sent the SAR? What’s their relationship with the organisation? Is it an employee or client?
- Are they who they say they are?
- What’s the backstory? Are there any personnel or client files we need to review?
- Why do you think this SAR has been prompted? Have there been any initial or previous complaints? Was the complaint well-founded? Is there an investigation record of the complaint?
- Are there any technical hurdles to think about? Will IT be able to conduct a keyword search? How long will the discovery stage take? Do we need to ask the data subject for more time before the one-month time limit ends?
- Do you have the time and resources to deal with this? Do we need access to your systems?
Remember, to find the right strategy, you and your data protection solicitor must exchange information until you are able to respond to the SAR. We will do whatever is possible to establish a road map to a response, including agreeing search terms and redacting confidential and personal data before the information is sent to the data subject.
The response to the data subject
Our next steps will be to assess whether a response is permitted in the first instance. If it’s not, we will assist in drafting an appropriate response for you. If the SAR is valid, we will thoroughly assess all the available information, including whether anything needs redacting, before confirming that the information is ready to be sent to the data subject. Our strategy will be bespoke, tailored to your needs.
Some key points to consider
- Nominate a person responsible for dealing with SARs
- Educate your staff to recognise when a SAR is being made
- Deal with SARs promptly
- Implement measures to deal with these requests swiftly
- Move away from paper files and towards computer-based systems to allow for easy searches
- Draft a SAR procedure that staff can follow
- Consider when and whether exemptions apply (see Schedules 2 and 3 of the DPA 2018; we can help you with this)
- Maintain SAR records for compliance
- If you are not a data protection expert, seek advice!
The ICO may take the necessary enforcement action against a controller or processor that fails to comply with data protection legislation.
If your business has received a subject access request and requires assistance, our expert data protection team are ready to help with pragmatic advice on SARs and any related GDPR matters. You may also like to see our article answering common questions: What is a subject access request?