
SUBJECT ACCESS REQUESTS

March 7, 2019 | March 11th, 2019 | Data, GDPR

For those who had GDPR and the May 25th 2018 deadline on their radar, the mad rush to complete Privacy Policies and finalise Data Protection procedures has eased somewhat. Now, however, comes living with GDPR and, with that, the likelihood of receiving a Subject Access Request (SAR). This is one of the areas that can cause a huge administrative burden to businesses if they are not properly prepared.

Many businesses will struggle to deal with the requests for information, not simply because they do not have the necessary processes for dealing with them but because they are not fully aware of the data they hold. This could result in hundreds of hours being spent each year dealing with SARs, time which could be saved with a few steps to organise themselves and their data to meet the new requirements.

One of the key provisions of GDPR (Article 15) is the right of all individuals to know what data is held about them by businesses and other organisations and how that data will be used. The intention behind this is that the individual can be aware of, and verify the lawfulness of, any processing of their data which is taking place (GDPR Recital 63).
This accessibility of personal data is a huge individual benefit, but for businesses the consequences of getting it wrong can be serious, ranging from fines for not providing information to claims for negligence and regulatory proceedings by the ICO. It is essential that businesses provide the right information to the right person.

The new right is very similar to Section 7 of the Data Protection Act 1998. However, there are key differences, including the abolition of the £10 fee, a reduced time limit for dealing with the request (from 40 days to one month), the content of the response and provisions relating to electronic access.
In brief, the data subject is entitled to know:

  1. why their data is being processed;
  2. the categories of personal data concerned;
  3. to whom the data has been disclosed, especially if that data has been shared with someone in another country or to an international organisation;
  4. where possible, for how long the data will be stored;
  5. that they have the right to request rectification or erasure of their personal data or request that the processing be restricted or stopped;
  6. that they have the right to lodge a complaint with the ICO;
  7. the source of the data where they have not supplied it;
  8. whether their data is used in any automated decision-making (including profiling) process.

Could your business provide this information in one month? If not, get your processes in place now. It will be a huge saving of both time and money when an SAR comes your way.