Under GDPR guidance, individuals are entitled to access their personal data stored by an organisation. These requests are known as Subject Access Requests (SAR) or Data Subject Access Requests (DSAR).
Many businesses and organisations hold customer information and data. Whether it is contact information, CCTV footage, location data or app profiles, an individual has the right to access anything you have stored that contains information about them.
It can be challenging and time-consuming for companies to respond to SARs, but they must comply with GDPR.
What is a Subject Access Request?
A Subject Access Request (SAR) is a request made by an individual to access the personal information an organisation may hold about them. It also covers information about how that data is used (processed) and stored. The individual has a right to know what the information is and how you use it, and you are required to provide them with all of the information set out in Article 15 of GDPR.
The request may include the following:
- what data and information your organisation is holding and using
- where the data came from and how it was collected
- who the data will be shared with
- why it's being processed
- how long the data will be kept
Citizen’s Information has further information on what individuals can access.
Why it’s important to get a SAR right
Dealing with a SAR can be complicated, time-consuming and costly.
Due to legal time limits determining when you need to respond, you’re also under pressure to quickly and thoroughly search for all examples of an individual’s personal data and information as per their request.
This can include data held over various platforms and record-keeping systems, including within email correspondence and paper-based records such as medical, employee or application forms.
This process can be costly in terms of money, time, or any resources needed to ensure your organisation’s response to the subject access request is in line with GDPR requirements.
If the individual is unhappy with the response, they can complain to the Data Protection Commissioner.
They may complain if your organisation takes too long to respond, if they’re not satisfied with what you’ve given them or if you refuse to respond.
Failure to comply may result in a fine.
Time limits when dealing with a SAR
An organisation has one month from the date of the request to respond.
In situations where the request is complex, the organisation can extend the deadline by a further two months, but it must tell the individual about the extension, and the reason for it, within the first month of receiving their request.
It pays to ensure that your data is secure, accessible to the business and robustly managed.
</gre_replace>
<gr_replace lines="44" cat="clarify" orig="This clarification">
This clarification may save you time by focusing the search on the exact data they're requesting. The individual is not obliged to explain why they are making the SAR, but doing so can help narrow down and filter what they need.
To ensure that employee and customer data is stored securely in the first place, achieving ISO 27001 certification can help improve your information security management system (ISMS).
An ISMS allows your organisation to manage security risks and comply with relevant legislation, such as GDPR.
How to deal with a Subject Access Request
With the correct procedures and systems in place, responding to a SAR can be fairly straightforward.
Here’s how to respond to a SAR.
1. Appoint a data protection lead
Ensure there is an appointed person to act as the data protection lead and who is responsible for organising and collating data and responding to the applicant. This helps keep the process streamlined and makes it easier to keep track of a SAR’s progress with one person dealing with the request.
2. Recognise and confirm receipt of the request
Under GDPR, there is no set method for making a subject access request. A SAR can even be made by simply sending a Tweet to an organisation.
It may be verbal or written, but the organisation needs to recognise that the individual is making a request.
Once it is identified, confirm to the individual that you have seen their request and will start processing it.
3. Check the applicant’s identity
Check the identity of the individual sending the SAR, and don’t leave it to the last minute.
Ask for formal ID when necessary, or ask questions only they can answer, such as reference numbers or appointment details.
4. Check the validity of the request
If someone makes a subject access request on behalf of someone else, ensure they have permission from the individual to do so.
Children over 12 years old can make their own SAR, but if their parent or guardian makes a request on their behalf, you must get permission from the child first.
5. Check what information they want
Ensure you understand what information and data the individual wants. This can mean asking the individual to provide more information to help you search for the required data.
This clarification may help you save time by focusing on the exact data they’re requesting. The individual is not obligated to explain why they are making the SAR, but they can help narrow down and filter out what they need.
If they refuse to clarify, you will still need to comply with their original request and fulfil it.
6. Search for the information
Your organisation is expected to conduct adequate searches of digital and hard copies of documents to find the individual’s data, and this includes archived files and paper-based records.
This search may include looking through emails, CCTV footage, external hard drives and audio files.
Keep searching until you are satisfied that you have exhausted all files and locations that may hold any information about the individual.
7. Check the information and redact as needed
Before handing over the individual’s data, check everything thoroughly to ensure you’re not giving them someone else’s information.
For example, if other people are mentioned in documents, such as within email correspondence, redact or black out names or information that doesn’t relate to the individual making the request.
You can also copy and paste relevant information into a new document to avoid disclosing other people’s data.
8. Send the response securely
Once you’re happy with the data you’ve collected, being sure it doesn’t disclose more than is requested, send it to the individual as securely as possible.
Check with them regarding how they want the information and in what format, especially if the data is sensitive.
9. Keep records of everything
Always keep a record of the following:
- the initial request
- the documents sent
- the source of information
- any decisions or exemptions made
- proof of response
Keeping a trail of all the correspondence will help show your compliance. It can also be helpful if the individual is unhappy with the response and decides to complain to the Data Protection Commissioner.
Unsure of what GDPR means for your organisation? Read our guide on how to demonstrate GDPR compliance to help ensure your organisation is compliant.