Under the UK GDPR and Data Protection Act 2018, anybody has the right to make a Subject Access Request (SAR). A SAR can cover a number of things but typically it is a request from an individual to receive a copy of all the personal data that an organisation holds on them. For a business dealing with these requests, this can be an onerous, complex and very time-consuming process.
And not responding is not an option. A data subject has remedies against an organisation for failure to comply and the Information Commissioner’s Office (ICO), the UK’s data protection supervisory authority, can and does issue enforcement notices to businesses that fail to respond appropriately. In addition, intentionally altering or deleting personal data with a view to preventing disclosure is a criminal offence.
There are things you can do to mitigate the impact of these requests, however, and below we share best practice tips for managing the personal data you hold and provide some advice about the process to follow if you receive a SAR.
Manage your data
It’s important for general data protection compliance as well as dealing with SARs, that you actively manage the data you hold.
Consider first who you hold data about: this could include suppliers, clients, employees and former employees.
Then, think about where this data is. It may be in email or text messages, in communications on Slack or WhatsApp, in Word documents, spreadsheets or chatbots. Good data protection management involves knowing what data you hold, about whom and where it is located.
Data protection legislation states that you should only retain data for so long as is “necessary” to do so to meet the purpose for which you collected it. To this end, you should be routinely deleting information you no longer need. Many apps, such as Slack and DocuSign allow you to automatically delete data after a set period and this is a useful way of minimising the amount of data you retain.
Learn to spot a SAR
Too often, businesses miss these requests because they have been delivered in an unexpected or unfamiliar way. The request does not need to use the term Subject Access Request, or the acronym SAR and it does not have to be formally delivered. If anybody asks for a copy of the information that you hold on them, be it verbally or in writing, this constitutes a SAR.
It is important to be alert for these requests and to train your staff to look out for them.
Respond quickly
As soon as you receive the request, the clock starts ticking, even if it’s the Friday afternoon of a Bank Holiday weekend. As you only have thirty days to respond, it’s important that you act immediately.
Triage
The nature of the request and who it comes from may determine who, within your company, should deal with it. For example, a request from a customer may be sent to the IT team to conduct the relevant searches. Or if it comes from an employee, it may be that your HR department should be the first port of call. Perhaps your business has a Data Protection Officer or Manager, in which case this may be the person to whom these requests are sent.
Whatever your set-up, it is important that everybody within the business knows where they should send SARs so that they are handled speedily and effectively. So, spend some time considering what types of requests you may receive and who is best placed to respond to them.
Our lawyers are skilled at supporting their clients through this process and can produce supporting documentation to clarify the procedures for other team members. One of our lawyers, Amanda Heath, recently created a Triage Flowchart for a client’s Customer Support Team who are on the frontline for receiving SARs. Categorising the types of requests and detailing the communication pathways has streamlined this entire process and saved the team a great deal of time.
Don’t be afraid to ask for clarification
If it is clear that fulfilling the SAR is going to generate an overwhelming amount of information, it may be worth trying to clarify or narrow the request. Consider asking the requester whether the information they wish to receive might be limited to exchanges between named individuals, a specified timeframe or certain key words. The individual making the request does not have to agree to this, but they often will.
It is worth remembering that searches in response to a SAR may not always yield results. One of our lawyers met with just such an instance when her client received a SAR from someone that they could find no data on. The DPO was going to pull apart the whole legacy system to search for information when our lawyer intervened and requested more detail from the individual about the context in which they were making the request. It transpired that the individual had been an unsuccessful job applicant and, because the business routinely deleted data relating to unsuccessful applicants after six months, it no longer held any information on this person.
Control your communication channels
A SAR requires you to search all places where you might hold personal data about the requester, including the media your business uses to communicate, for example WhatsApp messages, texts and emails. A casual comment to a colleague may, at best, be highly embarrassing to disclose. In the worst case, it may expose the business to the risk of legal proceedings.
Make sure your employees are trained on data protection issues and do not fall into the trap of discussing personal information in an informal or inappropriate way. Get to grips with the communication channels utilised in your business, be strict about how they are used and make sure this is known by your employees and adhered to.
Keep your policies and processes up to date: how TLD can help
Most companies will need to respond to SARs at some stage. And with templates readily available and companies who will send out these requests on behalf of individuals, it is easier than ever to ask for personal data.
Our lawyers can help you be in a strong position to respond to these requests. They can work with you, so you understand the data you’re holding and how you’re handling it. Key to this is developing and updating policies and procedures relating to data management and issues such as SARs and data deletion. Our lawyers have a lot of experience in this field and can support and guide you through this process and help you implement best practice within the communication tools you utilise in your business. TLD lawyers work within your organisation so understand how you operate and give advice from your business perspective.
If you would like to know more or would like to talk to us to find out how we can support your company, please email us at info@thelegaldirector.co.uk or call us for an informal chat on 020 3056 8538.