Subject access requests (SARs) can be made at any time, in any way, and to anyone in your organisation. With a maximum of 3 months to comply and issue all paper and digital correspondence which concerns the individual’s data, are you confident your organisation is compliant?
In September 2022, the Information Commissioner’s Office (ICO) issued reprimands against seven organisations, including the Ministry of Defence and Virgin Media, which failed to meet their data protection obligations concerning subject access requests (SARs) by either not providing the requested information within the legal timeframe or not providing it at all. Under the UK/EU GDPR (General Data Protection Regulation), the prescribed time limit to complete a request is one calendar month, but this can be extended by up to two further calendar months if the request is deemed complex.
It is not only the volume of SARs these organisations failed to comply with that is the concern here but also the impact that this has had on the individuals affected. This concern is not exclusively applicable to these organisations – there will be many others who are also not getting it right. Gaining access to personal data is a recognised data protection right and the ICO’s findings highlight the reality of how not having the right provisions in place to administer SARs can significantly hinder the people it is designed to aid.
Most organisations want to get this right. This blog focuses on some of the key elements involved.
Recognise a subject access request
The first, and arguably the most important, step is to identify a SAR. This can be tricky, as not all requests are submitted to a privacy-dedicated mailbox, nor do they always include key terms like ‘SAR’ or ‘GDPR’, because the requester does not need to use particular words or channels to make a valid request. So, what can your organisation do to ensure it is prepared? Training your workforce so that they can identify a SAR, particularly team members and external service providers with customer-facing duties, is invaluable. Following the correct process is crucial, as employees could otherwise inadvertently delay a valid request made verbally or in writing (including on social media), running the risk of missing the impending deadline.
Notify the appropriate team or individual
If the recipient of a subject access request is not responsible for managing it, they should notify the appropriate resource. Your organisation should have dedicated resources to co-ordinate a SAR effectively, and this should be communicated clearly to the wider business. What ‘good’ looks like in terms of the number of individuals or the roles that should be involved will depend on several factors. For instance, if you operate in more than one jurisdiction, it may be appropriate for regional teams to co-ordinate the request. In the interest of confidentiality, your organisation may choose to allocate specific responsibility for employee SARs to the HR team.
It may be necessary to notify someone outside of the business. A data processor must notify the data controller of requests it receives from individuals relating to the processing, whereas joint controllers must have prearranged each party’s responsibilities for supporting individuals’ rights.
Acknowledge the subject access request
In most cases, the first point of contact with the individual will be when you acknowledge the request. In order to manage the requester’s expectations, this communication should set out your understanding of the request and seek clarification where the wording is open to interpretation.
You should also take reasonable steps to verify the individual’s identity (or that a third party is authorised to make the request on the individual’s behalf) in a manner proportionate to the data being requested. For instance, requesting a copy of their passport or national identity card would be disproportionate for a request to access basic account data; confirming registration details or a three-question check should suffice. Requests for more sensitive records, such as full access to health records, should be subject to more rigorous checks.
Before data discovery begins, it may already be clear that an extension is required. This should be communicated to the individual promptly, and the amended deadline must be met. The ICO’s recent investigation concluded that all seven organisations repeatedly failed to meet the legal deadline.
An organisation failing to respond to its data subject requests within the given timeframe may be a symptom of a process or governance flaw. If your organisation is ill-prepared, one request could be enough to expose this, and the requester is within their rights to lodge a complaint with the ICO.
Gemserv can offer support with SARs specific to your organisation’s needs, including:
- Taking on the task of handling a SAR;
- Answering your questions about how to handle the request;
- Conducting an assessment to measure the maturity of your organisation’s SAR process and making recommendations for improvement; and
- Developing and delivering role-based data protection training for individuals involved in recognising and handling SARs.