How to handle a Subject Access Request
Under the General Data Protection Regulation (GDPR) data subjects have greater rights when it comes to accessing information held about them. While subject access requests (SARs) are not new, the GDPR has enhanced the right of access. Data subjects now have the right to receive a response in a form matching their request (e.g. a request made electronically should be answered in a commonly used electronic format), to be charged a fee only in exceptional circumstances, and to receive a response within one month rather than the previous 40 days.
It is important that organisations know how to recognise subject access requests and what to do with them, because the implications of getting it wrong can be serious. The Data Protection Commissioner (DPC) can impose fines, but the reputational damage caused by regulatory censure should be motivation enough to get it right.
Recognise a request
It may seem obvious, but organisations need to train staff to recognise a SAR. What is less obvious is that requests can arrive through many channels (e.g. through HR from an employee, or through sales staff from a customer), and a data subject is unlikely to use the term 'Subject Access Request', so training one or two staff members is not sufficient. All employees need to be able to recognise and facilitate a SAR. An employee who appears to frustrate a request, even through a genuine lack of knowledge, may lead the organisation straight onto the DPC's radar.
Clarify a request
Organisations may ask that a SAR be put in writing. They can provide data subjects with a specific form, but if the necessary information is otherwise provided, albeit in another format, the request should be accepted. Equally, data controllers are entitled to ask data subjects to narrow down their request, e.g. by date or time range, department or information type, although data subjects do not have to comply, and the clock does not stop while the organisation waits for an answer. Attempting to narrow down a request, and adhering closely to carefully considered retention periods, will dramatically cut down the workload involved in completing a SAR.
Organisations are expected to make sure they know who they are dealing with. Fundamental to the GDPR is protecting data, and before revealing personal information it is essential that requestors are appropriately identified. Identity checks should be proportionate: ask for only as much as is reasonably needed to confirm the requestor is who they claim to be, and do not use verification as a means of delaying the response.
Use Data Controller rights sparingly
Organisations have the right to charge a reasonable fee or to refuse a SAR, but these tools should only be used in exceptional circumstances, where a request is manifestly unfounded or excessive (for example, repetitive requests for the same information). The burden of demonstrating that a request is manifestly unfounded or excessive rests with the data controller. Whatever the outcome, the data subject must be informed of the decision, and an internal note recording the justification for any refusal or fee should be kept.
What information should be included
In responding to a SAR, organisations should supply all of the personal data held about the data subject. Take note of the difference between information about a data subject and a simple record containing their name. Examples of personal data to be included are emails about the data subject, forms they completed, statements, payslips and letters. Never try to hide, destroy or hold back data, even if it includes subjective information such as opinions recorded about the data subject. However, if releasing information would also reveal data relating to a third party, either obtain that third party's permission or redact their data before release.
Build a procedure
Organisations should have a SAR policy and procedure. The regulation specifies a response time of one month, but this should be treated as a deadline rather than a target, and ideally organisations should aim for a procedure that turns requests around in a matter of days. The one-month period can be extended by up to two further months where requests are complex or numerous, but the data subject must be told of the extension, and the reasons for it, within the first month.
Ultimately, organisations need to accept that testing the SAR process may reveal a need for changes to systems or data management, and these changes should be welcomed. For those who follow it wisely, the GDPR represents an enormous opportunity to work smarter.