How to handle a Subject Access Request

We have said this previously, but we are still seeing a huge number of Subject Access Requests (SARs). A SAR is a request made by or on behalf of a data subject, exercising their right to obtain a copy of all the personal data that an organization has collected about them.

These are pretty straightforward to deal with unless there is some other underlying issue. Don’t forget that GDPR only relates to data that identifies an individual and relates to an individual – so not all correspondence would count as personal data.

All SARs are different, but the ICO provides great information about how to deal with them – you can check this out at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

Here is our quick step-by-step guide: 

1. You should confirm receipt of the SAR and the date you received it. Just send an email to do this. You have 30 days to comply, so it is worth confirming the date you received the request.

2. Confirm the identity of the person raising the SAR – this is important as you don’t want to send details to the wrong person. You can request basic proof of ID: driving license, passport, utility bills, etc. You have to be reasonable here and can’t ask for impossible proof, but you should take this step just to be sure. If you are 100% sure of their ID you can skip this step. To request ID, just send an email and ask them to provide whatever info you think appropriate.

The 30 day clock is paused until you receive the ID.

3. If the request is sent by a third party, for example a solicitor, you should check the ID of BOTH parties and that the third party has proof that they can act for the data subject.

4. I always suggest you confirm exactly what the person needs: this sounds like a lot of information, and it would be better to narrow down the scope / timescale / people involved. Again, just send an email to ask them to narrow down the scope. Most data subjects refuse and just ask for everything!

5. If the request involves a lot of data, if time is required to redact the info, or if it involves complex data extraction, you can claim an extension. Send an email telling them that, due to the amount of information to be processed, the need to collate the data, the need to redact the data, and the complexity of their request, you are claiming a 60-day extension. This will annoy them, but you are well within your rights here.

6. Now collate the data – make sure you get everything. You need to redact details of other people unless you have their consent. You should create a nice database of all the data and send it over in an easy-to-access format. You are not under any obligation to provide transcripts even if they ask for them, but the data needs to be easy for them to understand, so use standard formats.

You should log this request in your gdprlocal.com account in the GDPR Request tab so we can review the request and offer advice. You need to log all interactions you have with the data subject in relation to this request, so keep a log and use the GDPR request to keep track of everything you send / receive.

Hope this helps. You can arrange a call to discuss anytime; we are happy to help. Use this link to book any slot: https://calendly.com/gdprhelp/gdpr