Are you managing your subject access requests?

It’s been almost six years since Europe’s data protection landscape changed with GDPR. Are you prepared for SARs?

Since the General Data Protection Regulation (GDPR) was passed there has been almost constant change for companies, with new case law, rulings and court cases making compliance with GDPR an ongoing hot topic for organisations of all shapes and sizes.

With GDPR decisions from 27 different member states coming through on an almost daily basis, it can be a challenge to ensure compliance. One of the basic rights of GDPR is a subject access request (SAR). It provides people with the right to access and receive a copy of their personal data, and other supplementary information. SARs can be made verbally or in writing, including via social media.

People are entitled to find out what personal data is held about them by an organisation, why the organisation is holding it and who else knows the information. 

How to respond

GDPR mandates certain procedures when dealing with subject access requests. These are:

Provide the information for free 

Data must be provided for free. A reasonable fee, based on the administrative cost for providing the data, can only be charged when a request is manifestly unfounded, excessive or repetitive, or if further copies of the same data are requested.

One month to respond

The information must be provided without undue delay and, at the latest, within one month of receiving the request. If requests are complex or numerous, the deadline can be extended to three months, but the subject must be informed of the extension and its justification within the original one-month deadline.

Provide a response electronically

Data subjects must have the option of making the request electronically (such as by email or webform) and of receiving the information by the same means. The information must be provided in a commonly used file format or, where possible, through remote access to a secure system that gives direct access to the data.

Failure to respond

Failure to respond to a subject access request within the permitted time period may result in the individual bringing an action for damages or reporting the matter to the appropriate regulatory body (in the UK, the Information Commissioner’s Office), which may well lead to an investigation by that body.

Want to register and record all data subject requests and their current status and ensure that all requests are actioned on time and kept on record? Click here for Omnitrack’s SAR register.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.