How to handle a subject access request (SAR)

Under GDPR, individuals are entitled to access the personal data an organisation holds about them. These requests are known as Subject Access Requests (SARs) or Data Subject Access Requests (DSARs).

Many businesses and organisations hold customer information and data. Whether it is contact information, CCTV footage, location data or app profiles, an individual has the right to access anything you have stored that contains information about them.

It can be challenging and time-consuming for companies to respond to SARs, but they must comply with GDPR.

What is a Subject Access Request?

A Subject Access Request (SAR) is a request made by an individual to access the personal information an organisation may hold about them. It also covers information about how that data is used (processed) and stored. The individual has a right to know what the information is and how you use it, and you are required to provide them with all the information set out under Article 15 of the GDPR.

The request may include the following:

  • what data and information your organisation is holding and using
  • where the data came from and how it was collected
  • who the data will be shared with
  • why it is being processed
  • how long the data will be kept

Citizen’s Information has further information on what individuals can access.

How to deal with a Subject Access Request

Why it’s important to get a SAR right

Dealing with a SAR can be complicated, time-consuming and costly.

Because legal time limits dictate when you must respond, you are also under pressure to search quickly and thoroughly for every instance of the individual’s personal data and information covered by their request.

This can include data held over various platforms and record-keeping systems, including within email correspondence and paper-based records such as medical, employee or application forms.

This process can be costly in money, time and any other resources needed to ensure your organisation’s response to the subject access request is in line with GDPR requirements.

If the individual is unhappy with the response, they can complain to the Data Protection Commissioner.

They may complain if your organisation takes too long to respond, if they’re not satisfied with what you’ve given them or if you refuse to respond.

Failure to comply may result in a fine.

Time limits when dealing with a SAR

An organisation has one month from the date of the request to respond.

Where the request is complex, the organisation can extend the deadline by a further two months, but it must tell the individual about the extension, and the reasons for it, within the first month of receiving their request.

It pays to ensure that your data is secure, accessible to the business and managed robustly.

To ensure that employee and customer data is stored securely in the first place, achieving ISO 27001 certification can help improve your information security management system (ISMS).

An ISMS allows your organisation to manage security risks and comply with relevant legislation, such as GDPR.

How to respond to a Subject Access Request

With the correct procedures and systems in place, responding to a SAR can be fairly straightforward.

Here’s how to respond to a SAR.

1. Appoint a data protection lead

Appoint a named person to act as the data protection lead, responsible for organising and collating the data and for responding to the applicant. Having one person deal with the request keeps the process streamlined and makes it easier to track a SAR’s progress.

2. Recognise and confirm receipt of the request

Under GDPR, there is no set method for making a subject access request. A SAR can even be made by simply sending a Tweet to an organisation.

It may be verbal or written, but the organisation needs to recognise that the individual is making a request.

Once it is identified, confirm to the individual that you have seen their request and will start processing it.

3. Check the applicant’s identity

Check the identity of the individual sending the SAR, and don’t leave it to the last minute.

Ask for formal ID when necessary, or ask questions only they can answer, such as reference numbers or appointment details.

4. Check the validity of the request

If someone makes a subject access request on behalf of someone else, ensure they have permission from the individual to do so.

Children over 12 years old can make their own SAR, but if their parent or guardian makes a request on their behalf, you must get permission from the child first.

5. Check what information they want

Ensure you understand what information and data the individual wants. This can mean asking the individual to provide more information to help you search for the required data.

This clarification can save time by focusing the search on the exact data they are requesting. The individual is not obliged to explain why they are making the SAR, but they can help you narrow down and filter what they need.

If they refuse to clarify, you will still need to comply with their original request and fulfil it.

6. Search for the information

Your organisation is expected to conduct adequate searches of digital and hard copies of documents to find the individual’s data, and this includes archived files and paper-based records.

This search may include looking through emails, CCTV footage, external hard drives and audio files.

Keep searching until you feel you’ve exhausted all files and areas that may hold any information.

7. Check the information and redact as needed

Before handing over the individual’s data, check everything thoroughly to ensure you’re not giving them someone else’s information.

For example, if other people are mentioned in documents, such as within email correspondence, redact or black out names or information that doesn’t relate to the individual making the request.

You can also copy and paste relevant information into a new document to avoid disclosing other people’s data.

8. Send the response securely

Once you’re happy with the data you’ve collected, being sure it doesn’t disclose more than is requested, send it to the individual as securely as possible.

Check with them regarding how they want the information and in what format, especially if the data is sensitive.

9. Keep records of everything

Always keep a record of the following:

  • the initial request
  • the documents sent
  • the source of information
  • any decisions or exemptions made
  • proof of response

Keeping a trail of all the correspondence will help show your compliance. It can also be helpful if the individual is unhappy with the response and decides to complain to the Data Protection Commissioner.

Unsure of what GDPR means for your organisation? Read our guide on how to demonstrate GDPR compliance to help ensure your organisation is compliant.

Holly Fitzpatrick