Data Strategy – 17 Jan, 2018
Subject Access Requests: 10 Tips
If your organisation fails to respond to a Subject Access Request (SAR) in a timely manner, as required by the GDPR, it can be fined by the ICO for failure to comply.
So it is in your organisation's interests to spend the time, if you have not done so already, to develop a documented procedure and process for dealing with such requests.
What is an SAR?
An SAR (also known as a Subject Access Request) is a written request made by or on behalf of an individual for the information which he or she is entitled to ask for under Article 15 of the GDPR and section 7 of the current Data Protection Act 1998. The ICO provides a template for individuals to use.
Ten tips for handling an SAR
- You need to be prepared. Put a team in place, with processes, procedures and systems that can be fully audited by the ICO if ever necessary. Ensure you know of all the systems and locations where personal data is stored within your organisation.
- Ensure you have all the right documents. The documents will consist of the SAR from the data subject (which can be delivered in writing or by electronic means) and any documents accessed internally to respond to the SAR. Under the current Data Protection Act 1998 there is a nominal administration fee of £10.00 (this is not a compulsory fee). However, under the GDPR this fee has been removed. You must, for data auditing purposes, keep a full auditable trail of the processes you have used and the systems you have accessed in relation to the SAR. The 40-day deadline only starts once you have all this. The ICO provides an interactive checklist that you might find useful.
- You should consider requesting additional information from the data subject if necessary. You are not able to make demands on the data subject in order to narrow the scope of their subject access request, but you do not have to comply with the SAR until you have received all the information that you reasonably require in order to respond and locate the information sought for the SAR.
- Do not sit on the SAR. You should not underestimate the time it could take you to provide an adequate response to the SAR. Depending on your current processes and policies together with the systems where the data is contained (including paper based systems such as archive documents and filing) this process could be arduous.
- You need to be aware of possible cross-border issues. If SAR information is held in another country, you will need to consider whether processing the data stored in that location would breach local laws.
- Data subjects are only entitled to their own personal data. You cannot provide information to the data subject that contains another data subject's information, as this would be considered a data breach by the ICO. An example of this is where an email contains relevant information for the data subject's SAR but also contains sensitive information concerning another data subject. It is possible to redact such information. It is advisable, however, to ensure you have a process for making sure that this sort of incident is fully documented and auditable.
- When dealing with a SAR you need to give consideration to whether any exemptions apply. It is possible for personal data to be exempt from disclosure. An example is where the information is legally privileged or is related in any way to criminality.
- You need to consider how you will be sending the data output from the SAR to the data subject (unless the data subject has requested the data in a specific format). Remember the data subject is fully entitled to all of the information they have requested. They are not however entitled to the document that contains that personal data. This is a good thing for your organisation. It allows you to consider how best to provide the information to the data subject. Is this via redacted documents, a spreadsheet or an email that contains all the personal data in a single place?
- When preparing and drafting your response take time and care. As I said earlier you need to keep meticulous records and a detailed audit trail of the complete journey you have taken to obtain the information required by the data subject. This will aid in the drafting process later and make your response to the data subject direct and unambiguous. A detailed and comprehensive disclosure will leave little room for criticism or further action from the data subject.
Paul Gillingwater MBA, CISSP, CISM, RHCE
Managing Principal – GDPR, ISO27001, PCI/DSS, GRC, DPA18
Paul is a Managing Principal Consultant and registered DPO at Chaucer who has worked for more than 30 years as a cyber security and risk specialist and advisor to businesses, government and non-profits on their governance, regulatory and compliance requirements. Over the past five years he has focused on UK & EU data protection and is a passionate advocate of online privacy rights education.