A Subject Access Request (SAR) is a request made by an individual to a company, seeking access to their personal data held by that organisation. This right is enshrined in various data protection laws worldwide, including the UK’s Data Protection Act 2018 and the European Union’s General Data Protection Regulation (GDPR).
When an organisation receives a SAR, it is legally obligated to respond as soon as reasonably possible and no later than one month. Failing to meet this deadline is a breach of data protection law, potentially resulting in complaints to regulatory bodies such as the Information Commissioner’s Office (ICO) in the UK. While extensions are possible under specific circumstances, these are exceptions rather than the rule.
Non-compliance with data protection laws can lead to severe consequences, including financial penalties. Therefore, companies should prioritise timely and accurate responses to SARs.
One of the primary challenges in handling SARs is recognising them when they arrive. SARs don’t always come labelled as such, making it crucial for employees to be trained in identifying these requests and understanding the internal procedures for processing them.
Many organisations streamline this process by establishing a dedicated email address for receiving SARs, thereby centralising and managing incoming requests more effectively.
While larger companies often have established SAR handling processes, small and medium-sized enterprises that have not yet established one may find themselves unprepared. Developing a robust process is essential for compliance with data protection regulations.
The first step in handling a SAR is understanding the scope of the request. This may involve clarifying the specific information sought and the relevant timeframe with the requester. However, it’s important to note that while clarification can be requested, the individual is not obligated to narrow the scope of their request.
Proper identity verification is another crucial step. Organisations must ensure that the person making the request is indeed who they claim to be. The statutory time limit for responding is paused during this verification and clarification stage and resumes once identity and any additional information requested are confirmed.
Once the relevant information is gathered, a thorough review process is necessary. This can be broken down into three key stages:
The information requested in a SAR could be stored in various locations. Common sources include email communications, records from virtual workplace platforms (like Microsoft Teams), and internal databases. Identifying the appropriate tools and search terms is crucial for conducting a comprehensive search.
After gathering and reviewing the relevant information, organisations must consider how best to supply it to the requester in a secure manner. For digital transfers, it is advisable to use password-protected documents, with the password communicated separately, preferably via a different communications channel. For physical mail, using secure courier services or splitting large volumes of data into multiple packages can enhance security and minimise potential loss.
There has been a notable increase in the number of SARs filed in recent years, largely due to the growing awareness of data protection rights. This trend underscores the importance for companies to have robust SAR handling processes in place.
For organisations without established SAR handling procedures, managing these requests can be challenging. While the guidance provided in this article offers a solid starting point, consulting with data protection lawyers can provide valuable additional support. These experts can offer advisory services or even manage the entire SAR handling process on behalf of the organisation.
In conclusion, effectively managing Subject Access Requests is not just a legal obligation but also a demonstration of a company’s commitment to data protection and individual privacy rights. By understanding the process and implementing robust procedures, organisations can navigate the complexities of SARs with confidence and compliance.
Contact us for advice and support on this or any other aspects of corporate law.
Clara is Head of Privacy at Arbor Law and was called to the Bar at Lincoln’s Inn. Clara spent time working at the Court of Justice of the European Union before becoming a commercial lawyer, specialising in data protection for more than 20 years. During this time, she advised businesses on European and English data protection law, helping them to navigate this complex area of law in an accessible and commercial way and enabling them to achieve their business objectives in compliance with data protection law.