Under the UK GDPR, a Subject Access Request, or SAR, grants us all the right of access: the right to request our personal information from any organisation that holds it. If your organisation is one of the 65% that hold personal information, it’s essential that you handle SARs correctly. Failure to do so could lead to hefty fines.
This blog will touch on what GDPR is, how subject access requests are made and what you need to do to ensure compliance.
What are the General Data Protection Regulations?
The General Data Protection Regulations (GDPR) came into effect in May 2018. The aim of this legal framework is to keep the personal information of individuals safe. It requires organisations to have stringent processes in place for the handling and storage of personal data.
Organisations found in breach of the regulations can be fined. The fines can be as high as 4% of global turnover or €10 million, whichever is higher.
When is Personal Data Collected?
Personal data is stored everywhere. From birth, we start to leave a data footprint. Data is stored in the health care system, the educational system, the local authority and more.
Personal data is gathered when you:
- Visit websites
- Shop online
- Create digital accounts
- Interact with companies over the phone or in person
- Engage with companies on social media
- Download or install apps
- Apply for finance products
How to Recognise a GDPR SAR Request
The regulations do not specify how requests for personal information should be made. They can be made verbally or in writing: by letter, by email, or electronically via a social media message.
As an example, an email may be received with ‘Subject Access Request GDPR’ or ‘Request For Personal Information’ as the subject, but verbal requests may not always be so explicit. Regardless of how they are made, it’s important to take a request for personal information seriously and start the process of retrieving and sending on the data.
Taking this into consideration, training employees on what to look out for and who to pass the request to is a good way of ensuring that a subject access request (SAR) is not missed.
Can Individuals Make a Request Via Social Media?
Yes, a subject access request can be made via any social media platform where your organisation has a presence. It is a good idea to keep this in mind and have mechanisms in place to capture requests made via these platforms.
For security reasons, though, the requested data is best not sent via social media. The best thing to do is to ask the requestor for an alternative method of contact, such as their email address.
Can an Individual Make a Request on Behalf of Someone?
Yes, a SAR can be made on behalf of someone else. Usually, the third party would be a relative, a friend or a solicitor. Although this is provided for under the UK GDPR, it is the responsibility of the third party to provide evidence that they are entitled to act on behalf of the individual whose data is being requested.
This may be a letter signed by the individual, stating that they have given the third party permission to make the request on their behalf. Letters can be in hard copy or sent via email, but you will have to be satisfied that the letter is authentic.
Another way of permitting a third party to make a SAR is through a power of attorney. Under GDPR, organisations do not have to comply with a SAR made by a third party if no evidence of authority is supplied. In such cases, a response should be sent back explaining the reasons why.
How Soon Must You Handle a Subject Access Request?
UK GDPR states that organisations must respond to a SAR within 30 days of its receipt.
For complex or multiple requests made by, or on behalf of, the same individual, organisations can extend the response time by up to three months. To avoid legal issues, a response must still go to the requestor within the first 30 days of receipt to notify them that extra time is needed.
What is the Difference Between a SAR and a FIR?
What Happens When You Don’t Handle Data Correctly
In 2020, the Information Commissioner’s Office (ICO) fined British Airways (BA) £20m for failing to protect the personal data of over 400,000 customers. (Source: BBC)
Following an investigation, it was found that inadequate security measures were in place to protect customers’ data. This led to a cyber-attack in 2018 that went undetected for more than two months.
The attacker potentially accessed the personal data of customers and BA staff, including names, addresses, telephone numbers and payment card details.
The initial fine was a whopping £183m, but this was significantly reduced to £20m due to the economic impact of the pandemic.
Train Employees to Prevent GDPR Breaches
Training staff on the principles of the General Data Protection Regulation (GDPR) is a key way to ensure that the personal data you hold is processed in accordance with the law. Human Focus offers a GDPR training course that is suitable for employees at all levels.
The course covers the essentials:
- The seven key principles
- Explanation of key terms
- Breakdown of GDPR laws
- Awareness of what personal data is and how best to protect it
- Consequences of non-compliance
Contact Human Focus today to ensure your employees know how to protect your organisation against a GDPR claim.