One of the well-known individuals’ rights in the GDPR is the right of access, exercised through “subject access requests” (SARs, also called DSARs: data subject access requests). This is the right which allows a data subject (i.e. the person whose data an organisation is processing) to ask an organisation whether it is processing personal data about them and, if so, to request a copy. Under GDPR you get one month to deal with the request and you have to do it for free.
If you’ve ever dealt with a subject access request, you’ll know they’re a bit of a bind. They are allowed to be open requests for information, so someone can say “I’d like a copy of all the data you process that relates to me”, and it can take considerable effort to collect the information together, let alone to effectively verify the identity of the requestor (giving the wrong person someone else’s data is a data breach), and to deal with the fact that in a lot of cases subject access requests are used by disgruntled data subjects (angry customers or estranged employees).
In the UK, we’ve had SARs since the 1998 Data Protection Act, so they’re not new. When GDPR came into force, there was an expectation that we’d see a ramp-up in the number of requests, given the awareness raising with individuals about the new GDPR rules and the fact that requests were now free (in most cases). I’m not sure this necessarily ended up being the case, although I know some organisations have had to deal with them for the first time since GDPR.
The problem with SARs
Large corporates might be able to offer easy-to-access systems which allow their data subjects to log into a central system and download their data themselves, but for most businesses this isn’t possible, so most have to rely on dealing with SARs manually. This poses some fundamental problems:
- You need to make sure you have internal awareness amongst your staff, so that when a SAR comes in it is recognised and someone deals with it (remember, it could come into any part of your business and you need to make sure it gets spotted and dealt with) – this may mean regular reminders, internal briefings, etc.
- They can be pretty labour intensive, which means you will often need someone to act as a SAR project manager, making sure that the data is being collected together, the identity of the requestor is verified, the data is supplied on time, third-party data is redacted, etc., and that you have enough resource in place to deal with them, particularly if you get lots of SARs
- You will need to find all the information being requested, and be mindful that (particularly if the data subject is unhappy) the data subject might have a good idea of what they’re expecting to receive, so if you miss something it’s likely to be noticed. Regardless of whether you want to disclose it, you will be expected to hand over everything, so you will need to make sure your staff understand the consequences of the notes they keep, e.g. on a customer service portal – remember, if your staff are leaving derogatory notes on accounts when they deal with a customer, those notes are disclosable under a SAR, and if you miss out some information the data subject will be ready to question what they think is missing
- You need to effectively verify the identity of the requestor – as the recent “hack” attempt (widely covered in the media, e.g. by the BBC and The Register) has shown, you need pretty robust verification processes to make sure you’re not handing over data to the wrong person. Whether the requestor is posing as your customer or claiming to act on their behalf, there are procedures that need to be followed to make sure you have the right permissions before you hand over the data
- You get one month to respond to the request, and that’s a full calendar month, including weekends and public or personal holidays, so if your main SAR manager is away on a three-week holiday, who’s dealing with and managing SARs in their absence? The ICO is very clear in its guidance about what constitutes a month: “You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month”
Solutions to these problems
To counteract the pain you may feel in dealing with SARs, here are five tips to keep you on the right track:
- Educating your staff about the basics of data protection should be a key part of your general data compliance, not just about dealing with SARs, so you should already be rolling out regular training and refreshers to all staff; make sure this includes the importance of spotting a SAR and what to do with one (i.e. pass it to your responsible person). You can also include a section on dealing with SARs in your internal comms newsletter – in fact, internal comms are a great way to keep data protection at the forefront of everyone’s minds, and a piece specifically on SARs will help them remember the importance of your SAR process
- Have a subject access request policy in place which acts as your internal procedure for dealing with SARs, setting out who is responsible for which part of the SAR process. Your SAR policy is a great tool for setting out the whole process – remember, you may not deal with SARs very often, so you need a defined process which can be followed rather than relying on someone remembering what they’re supposed to be doing. Such a policy will also help you define procedures such as how you verify that the requestor is the data subject, including what you consider acceptable evidence (whether that’s someone ringing up and confirming a passcode with your customer services team, providing some documentary evidence that it’s them, etc.)
- Make sure you appoint someone who takes responsibility for dealing with or project-managing the SAR process. Ideally you’ll have someone internally who takes responsibility for data protection compliance anyway – this person should be co-ordinating the SAR process and making sure timescales are met, ID is verified, etc. And make sure you have a backup for this person – if they’re on holiday or off sick, your SAR process isn’t paused and requests will still need dealing with. They’re also a useful point of contact for the data subject, who can be assured their request is being taken care of
- You should have already mapped out your data and processing activities, so you have a good idea of what data you have, where, and on what systems. This is a requirement of the accountability principle as part of demonstrating your compliance. Use this map to identify the sources of data you will need to supply – it should then be easier to know where to collect the data from. Yes, you may need colleagues to help you retrieve it, but part of the battle is identifying what data you have
- Sign up to the Digital Compliance Hub Helpline because we can help you with your processes as well as give you advice and guidance if you should get stuck with some of the trickier sides of dealing with subject access requests, such as dealing with third-party data redaction (e.g. on CCTV systems) or tricky questions from data subjects or which exemptions apply (e.g. for confidential references for job applications). Our Hub Helpline service comes with a specific SAR Assist service aimed at supporting you with your SARs
A final note of caution
Whatever you do, don’t ignore SARs. Just like Hudson Bay Finance Limited, you could find yourself on the wrong side of the ICO, facing enforcement notices and the threat of criminal offences being committed, so don’t think the ICO will never find out…