How To Respond To A Subject Access Request (SAR)

If there is one thing that we in the I.T. industry love, it’s TLAs (Three Letter Acronyms), so let us throw one at you – SAR.

Search And Rescue?

Sarah’s Aunt Rachel?

Sausages Are Righteous?

None of those we regret, although we are fully in agreement with the last one; it is actually Subject Access Request, and under the GDPR you are going to hear a lot more about these so it is wise to start preparing now.

What is a Subject Access Request (SAR)?

The right to see and reclaim personal data held on you is enshrined in the current Data Protection Act (DPA) and those rights will be enhanced under the General Data Protection Regulation (GDPR) from May 2018.  

As the general population becomes more ‘data aware’ it is possible that companies and organisations will see a steady increase in subject access requests (SAR) and they would be well advised to consider the implications of this as part of their general GDPR preparations.

There is no set format for a subject access request, and advising companies on handling subject access requests can be complicated because of the many considerations that apply both to the person making the request and the organisation attempting to fulfil the request.

In this article, we will address the steps business owners and directors should follow to ensure their company’s GDPR compliance when responding to a SAR.

Is this a new right under the GDPR?

No, it isn’t.  

Under the Data Protection Act, individuals already have the right to see data held about them.  

These rights are as follow:

This right, commonly referred to as subject access, is created by section 7 of the Data Protection Act. It is most often used by individuals who want to see a copy of the information an organisation holds about them.

However, the right of access goes further than this, and an individual who makes a written request and pays a fee is entitled to be:

    • told whether any personal data is being processed;
    • given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
    • given a copy of the information comprising the data; and given details of the source of the data (where this is available).
    • An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work (except where this information is a trade secret).
      • In most cases you must respond to a subject access request promptly and in any event within 40 calendar days of receiving it.
      • However, some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request.

Under the GDPR you will see the following changes to these existing rights:

    • confirmation that their data is being processed;
    • access to their personal data; and
    • other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.
    • In most cases you will not be able to charge for complying with a request.
    • You will have a month to comply, rather than the current 40 days.
    • You can refuse or charge for requests that are manifestly unfounded or excessive.  
      • If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to seek a judicial remedy.
    • You must do this without undue delay and at the latest, within one month.
    • If your organisation handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly.
      • You could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily and securely online.

Will this create more work than the current legislation?

For some organisations, it could, depending upon how well informed individuals are about their rights to get access to personal information and the nature of the company itself. 

For organisations which handle and process large volumes of personal data consideration should be given to whether or not a “self-service” system, possibly web-based, is feasible or appropriate.  

Any such system will need to be demonstrably secure in order to avoid any data breaches.

Furthermore, your obligation to respond is not entirely straightforward depending upon the nature of personal data you hold.  

At its simplest it may require you to provide a modest amount of information electronically (email for instance) along with a reiteration of your privacy notice.  

Dealing with such simple SARs, where little data is held about an individual, shouldn’t tax most companies.

Where an organisation holds a considerable amount of data about individuals or find themselves subject to high volumes of requests, things can become more complicated.

Does the GDPR benefit requesters at the expense of companies?

As an organisation you are obliged to respond to a SAR, however you do have some rights with regards to the nature of your response.  

Where a large amount of data is held on the individual submitting the access request you are entitled to clarify exactly what the requester is seeking if you believe such clarification necessary.  

An employer for instance may hold many years worth of data about an employee, and while the employee is entitled to submit an access request, if the request is not sufficiently specific, the data holder is entitled to request further details from the requester to better identify the data required.  

In such a case the one month obligation on the organisation to comply does not commence until both parties have agreed the scope of the request.

You are also entitled to charge for numerous or unfounded requests or, should the circumstances warrant it, you can refuse to respond.  

In either event you must inform the requester of the reasons for your response (or lack thereof) and inform them of their rights to seek redress from the supervisory authority or even through the courts.

There are areas where specific exemptions from the requirements of the GDPR exist in respect of SARs; this is beyond the scope of the current article and we would advise you to speak to us should you wish to discuss this and any other GDPR-related matters.

Your current rate of access requests under the DPA is probably a reasonable indicator of what you can expect under the GDPR in the short term.  

However as we all become more aware of, and sensitive to, the use of data about us, you may well see the number of access requests increase, both in volume and complexity.  

You are legally required to respond to all such requests in a manner that ensures continuing GDPR compliance; even if access requests are something you see rarely at present it would be advisable to consider the possible longer-term implications.

For further information or to discuss this and other GDPR related issues, please contact us.