8 Key Action Points for Managing A Subject Access Request
If this past year has taught us anything, it’s that there is no avoiding a Subject Access Request (SAR) for businesses.
Prior to the GDPR, SARs weren’t something too many businesses had to worry about. The deterrent of a fee, however small, meant that few data subjects exercised their right of access to their personal data. Now that charging for SARs is prohibited, maliciously motivated requests from data subjects are becoming more common. The harsh reality is that the general public is now far more aware of their rights as data subjects: the widespread campaign in the run-up to the GDPR made it near-impossible for individuals to avoid hearing about it.
One year later, the ICO have estimated they have dealt with over 15,800 SAR complaints. In comparison to the year before the GDPR, they dealt with approximately 8,000 SAR complaints from the public. This is a drastic increase of 93% SAR complaints in one year.
If your business has had the misfortune of having to handle a SAR, I feel your pain. It is by no means an easy task. There is no doubt that SARs are a headache: costly and time-consuming.
If your business has been lucky enough to escape any SARs so far, don’t be fooled into thinking you won’t be landed with one at some stage. It is best to be prepared and to know how to tackle a SAR promptly, so that you don't miss the one calendar month deadline and expose yourself to a penalty or enforcement action from the ICO.
From our experience in assisting businesses from a wide range of sectors, from small businesses to multi-national companies, we have devised 8 key action points for managing SARs.
1. Have a Plan.
There will undoubtedly be several questions going around in your head when faced with a SAR. Who deals with this? What data do I need to disclose? Do we have to respond? How long do I have?
Failure to have a plan in place on how to deal with SARs will lead to confusion and undoubtedly result in the SAR being handled inappropriately.
2. Make sure to Recognise a SAR.
Firstly, you will need to recognise whether the request is a SAR at all.
To recognise a SAR, it is vital that ALL staff are appropriately trained. As we have seen, SARs can land on the desk of any employee.
SARs can come in a range of different formats, and they are unlikely to say “I am making a Subject Access Request for all my personal data”. It would be great if they did! In reality, they are often very ambiguous requests, made via a telephone conversation with a customer services representative, an email sent to a general info address, or even through social media platforms.
What you also need to watch out for are requests made by third parties. The GDPR does not prevent an individual from making a SAR via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual wants someone else to act for them. In these cases, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
3. Respond on Time!
Don’t just ignore the request, or let it sit in your inbox hoping it will go away or that the requestor will have forgotten about it. Responding within the one calendar month deadline can be a task in itself, but don’t be fooled into thinking the ICO will accept the excuse that you simply forgot about the SAR. You can extend the time by a further two months if the request is complex or you have received a number of requests from the same individual.
4. Personal data is personal.
Be sure to verify the identity of the requestor before handling the SAR. An individual is entitled only to their own personal data, and not to information relating to other people (unless they are acting on behalf of that person). Before you can respond to a subject access request, you need to be able to decide whether the information you hold is personal data and, if so, whose personal data it is. You may need to redact data concerning other data subjects.
5. Use your Retention Policy to your advantage.
Not only is a retention policy a key requirement under the GDPR principles, but having a workable retention policy in place can save your business a lot of time when dealing with a SAR. If you have to trawl back through 10 years or more of emails when dealing with a disgruntled employee’s request, you can be guaranteed a mammoth task.
6. Check if you can get out of disclosing any data.
Have you checked whether any exemptions apply? Exemptions could save you from disclosing material which you would otherwise not want the individual to see. There are a number of exemptions which may apply, so don’t be afraid to seek advice before handing over everything!
7. No Fee Payable
There is no longer a fee attached to a SAR. However, you may be able to charge a reasonable fee if the request is manifestly unfounded or excessive, or if an individual requests further copies of their data following an initial SAR.
8. Don’t forget!
Lastly, don't forget that interview notes, appraisals, comments shared in internal emails, phone recordings and CCTV footage can all fall within the scope of an individual’s SAR.
One thing is clear: the ICO is not afraid of taking action against businesses that fail to respond to a SAR in an appropriate and timely manner. We have seen the ICO serve businesses with enforcement notices for failing to respond to a SAR within the time frame, and prosecute individuals within a business for failing to adhere to the enforcement notice. Whilst we saw these types of enforcement before the GDPR, businesses should be warned that under the GDPR the ICO is proving to be much stricter and is taking a ‘no prisoners’ approach where data protection is concerned. We only have to look at the recent Notices of Intention to Fine served by the ICO on British Airways (£183 million) and on the Marriott hotel group (£99 million).
The key actions are to make sure ALL staff are trained, to have a plan in place to handle a SAR, and to seek advice where necessary.
If you need expert help with managing a Subject Access Request, please get in touch with us on email@example.com