TOP TIPS FROM OUR EXPERTS – SUBJECT ACCESS REQUESTS

This guide will give you a better understanding of data subject access requests and the potential compliance issues that come with them. If you have a question that isn’t answered below, please get in touch.

For further information about our SAR redaction and SAR assurance services, click here.

Since the introduction of GDPR, and therefore the application of Article 15 (that’s the one about Subject Access Requests) many organisations have battled to get a robust process in place. Subject Access Requests, or SARs as we call them, come with a list of compliance issues, and sometimes it can feel a little overwhelming. We have put together some practical tips for you to help ensure you are on the right track.

There are lots of things to consider, and this list is certainly not exhaustive, but provides some basic checkpoints. Ultimately, Subject Access Requests do not need to be a burdensome exercise. However, this is dependent on the resources, preparation and understanding. It is crucial that organisations recognise the value of investing in compliance.

SARs can be submitted in any shape or form, which can mean that identifying them can sometimes be troublesome. Ensuring that all staff understand what makes up a SAR, and what to do if they receive one, means that you are off to a good start. This stops you from using up valuable time to complete the request. Consider including SAR identification in your basic data protection training to ensure everyone is prepared for the possibility they could receive a request.

The GDPR is very specific when it comes to responding to SARs.

Article 12 states: “The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request.”

So, as soon as that request lands in your inbox – or maybe on a reception desk – the time starts ticking. Having a structured way to record requests as they come in, and the progress, means you can best keep track of this. There are certain circumstances when this timeframe can be changed to three months, but you must inform the data subject of this.

You may have also heard people talk about the ePrivacy Directive or the EU Cookie Law. This Directive relates to individuals that reside within the EU and is designed to protect online privacy. It is important that if you track cookies of UK and EU residents, you adhere to both pieces of legislation.

This is key to knowing what to release, or what to redact/remove. We see many organisations releasing reams of documents that are not always necessary. Remember, the Right of Access is the right to obtain ‘personal data’ , not entire reports, documents etc. Make sure you really familiarise yourself with the definition of personal data. You can find the legal definition, as per GDPR, under Article 4 (1). Fully understanding what constitutes personal data is paramount in ensuring compliance, as each SAR is different, and what is appropriate for one may not be for another.

Context is extremely important, and remember, you can always release data at a late date, but you cannot take it back.

One of the hardest things to establish when responding to numerous SARs, is consistency. If you have multiple staff members working on documents, it can be difficult to ensure you have a consistent approach to redaction. Personal interpretation of the law can lead to differing approaches to redactions, especially where contextual data is concerned. Employing a robust policy, and a clear outlined procedure allows you to provide some baseline standards, which will therefore communicate your expectancy, as a Data Controller, to your redaction staff. Consider including a table which details personal data which should always be redacted, or perhaps specific identifiers that are common within your organisation. Allowing redaction staff to contribute towards this will make a good working document that adds value to the process.

One of the main principles of GDPR is “Accountability”, which asks that Controllers demonstrate their compliance. Individual Rights Requests are a key component of GDPR, and so should be being recorded accurately, therefore helping your organisation in demonstrating compliance. This can be achieved relatively easily and creates a good management tool to track SAR progress, oversight of the volume of requests you receive, and time frames you are keeping.

Think about keeping a spreadsheet (or similar), upon which you could detail when the requests are received, the status of the request, whether you have applied any exemptions, and the time taken to complete the request.

  • Educate your staff (purchase training where necessary)
  • Know your timeframes
  • Have the correct policies and procedures in place
  • Check the scope of the request
  • If you do not know, get external support

If you have any other questions or concerns, get in touch with us. We can support you when dealing with complex subject access requests. We can also train your staff.