« Back to Blog Homepage

Are you managing your subject access requests?

It’s been almost six years since Europe’s data protection landscape changed with GDPR. Are you prepared for SARs?

Since the General Data Protection Regulation (GDPR) was passed there has been almost constant change for companies, with new case law, rulings and court cases making compliance with GDPR an ongoing hot topic for organisations of all shapes and sizes.

With GDPR decisions from 27 different member states coming through on an almost daily basis, it can be a challenge to ensure compliance. One of the basic rights of GDPR is a subject access request (SAR). It provides people with the right to access and receive a copy of their personal data, and other supplementary information. SARs can be made verbally or in writing, including via social media.

People are entitled to find out what personal data is held about them by an organisation, why the organisation is holding it and who else knows the information. 

How to respond

GDPR mandates certain procedures when dealing with subject access requests. These are:

Provide the information for free 

Data must be provided for free. A reasonable fee, based on the administrative cost for providing the data, can only be charged when a request is manifestly unfounded, excessive or repetitive, or if further copies of the same data are requested.

One month to respond

The information must be provided without delay and within at least one month of receiving the request. If requests are complex or numerous, the deadline can be extended to three months, but the subject must be informed of the extension and its justification within the one month deadline.

Provide a response electronically

Data subjects must have the option of making the request electronically (such as by email or webform), and the information provided in those means too. The information must be provided in a commonly used file format, or where possible, through remote access to a secure system that gives direct access to the data.

Failure to respond

Failure to respond to a subject access request within the time period permitted may result in the individual bringing an action for damages or reporting the matter to the appropriate regulatory body, in the UK the Information Commissioner’s Office, which may well give rise to an investigation by that body.

Want to register and record all data subject requests and their current status and ensure that all requests are actioned on time and kept on record? Click here for Omnitrack’s SAR register.



Related Articles

GDPR
Biometric crackdown by UK regulator puts focus on big data at work

GDPR
A guide to LGPD in Brazil