Cast your mind back to 2018. The idea of being locked inside your house for months on end would’ve seemed like a pipe dream, masks were reserved for Halloween, and GDPR was introduced, alongside Article 15 (everyone’s favourite article, the one on Subject Access Requests).
Ever since then, many organisations have battled to get a robust process in place. To add fuel to an already raging fire, once the Coronavirus pandemic smashed into 2020, things got a lot worse. Organisations that already struggled to process SARs have faced extensive internal disruption, hindering an already high-pressure process. There’s no doubt about it: SARs come with a list of compliance issues which can (and often do) threaten to overwhelm.
Have no fear! We have put together some practical tips for you, lucky thing, to plant you firmly on the right track when it comes to all things SARs. The following is a list of what we believe to be the most important things to consider when processing Subject Access Requests.
Know How to Spot a SAR
SARs like to keep you on your toes. They can come to you in any shape or form; there is no standardised way of submitting one. This can make identifying them potentially troublesome. Time is of the essence once one is submitted (more on this later), making it crucial that all staff understand what makes up a SAR and what to do if they receive one. We would strongly advise including pre-emptive SAR identification in your basic data protection training.
Know Your Time Frames
The GDPR is very specific when it comes to responding to SARs. Article 12 states:
“The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request.”
As soon as that request lands in your inbox, at your reception desk or washes up in a glass bottle on the nearest beach, the clock starts ticking. The best way to keep track of everything is to implement a structure which records each request as it comes in and can be updated as the request progresses. There are certain circumstances in which the time frame can be extended from one to three months, but the data subject must be informed.
Data vs. Documents
This is key to knowing what to release and what to redact or remove. We see many organisations releasing reams of documents that are not always necessary. Remember, the Right of Access is the right to obtain ‘personal data’, not entire reports, documents etc. It is important to familiarise yourself with the definition of ‘personal data’; so important, in fact, that we’ve put the full legal GDPR definition (from Article 4(1)) in the footnotes just for you! Fully understanding what constitutes personal data is paramount in ensuring compliance. Each SAR is different; what is appropriate for one may not be for another. Context is everything, and remember: you can always release data at a later date, but you cannot take it back.
SAR Redaction Policy
Consistency is one of the hardest things to establish and maintain when responding to numerous SARs. If you need multiple members of staff working on documents, each equipped with their own interpretation of the law and a different approach to redaction, maintaining consistency can feel like an insurmountable challenge. To quote Donald Berwick, “we must accept human error as inevitable and design around that fact”. In short, the best way to ensure a consistent approach to redaction is to pre-empt mistakes by employing a robust policy with clearly outlined procedures. This provides a baseline standard for all employees, communicating your expectations, as a Data Controller, to your redaction staff.
Consider including a table detailing which personal data should always be redacted, or perhaps specific identifiers that are common within your organisation. Allowing redaction staff to contribute to this will produce a comprehensive working document that adds value to the process and solidifies best practice.
Accountability and Record Keeping
GDPR is fanatical about accountability, so you should be too! One of the main principles of GDPR is indeed ‘Accountability’, which requires that Controllers demonstrate their compliance. One of the best ways to demonstrate compliance is by accurately recording Individual Rights Requests (a key component of GDPR). The good news is that this can be achieved with relative ease, and it creates a good management tool for tracking the volume of requests received as well as the progress and status of each SAR.
We’d recommend creating, and maintaining, a spreadsheet (or similar) to detail:
- When requests are received
- The status of each request
- Whether any exemptions have been applied
- Time taken to complete each request
If you implement a comprehensive structure which enables you and your team to maintain compliance, you shouldn’t go too far wrong!
Far from an exhaustive list of things to consider when processing SARs, we hope this guide has provided some basic checkpoints to help you get started! We have many other resources available to help you as well, including an article with our top tips for SARs.
If you need any more advice, or should you encounter a particularly complex or time-consuming SAR which requires outsourced assistance, feel free to contact us at 0203 3013384, or email us at firstname.lastname@example.org, for a no-obligation chat to see if we can lighten the load for you!