The number of subject access requests (SARs) has increased massively since the implementation of the General Data Protection Regulation (GDPR) in May 2018, says Susan Hall, partner at Clarke Willmott LLP.
SARs allow people to request what information an organisation holds about them and why it is holding this information – for instance if a person fears they are being blacklisted when they are applying for jobs, or believe they are being treated unfairly, or discriminated against in some way.
Mishandling a SAR, either by failing to respond in a timely manner or by failure to disclose relevant material or disclosing inappropriate material, can be a very costly mistake.
“The arrival of a SAR may be just the start of a number of legal issues for a business, says IT and information technology specialist Susan.
“Where matters have become potentially litigious it is vital to make sure that a joined-up approach is used for all communications with the potential litigant.
“Even when there is no direct threat of litigation, SARs should always be dealt with centrally and consistently, and with management and legal input into the process.”
Anyone can make a SAR, but says Susan, they are most often made by people who have a grievance and/or are looking for evidence on which they can base a claim.
“Having strict data protection policies, systems and procedures in place will make it much easier to comply with SARs appropriately.
“These should cover the whole stage of the data journey with policies on use of business systems and on data minimisation, and with information held in a clear, accessible and identifiable location.
“Businesses should have systems to identify when a SAR has been made, especially since there is no prescribed way of making one. They can be made over the phone or by social media.
“Policies should make it easier to find relevant data to comply with a SAR, but with vast volumes of personal data appearing on a request, specialist analysis and review platforms may need to be used to comply within relevant time limits.”
Susan says any SAR demand must to be dealt with promptly – 30 days for answering and providing the data requested, with limited rights to extend by two further 30-day periods.
It is a criminal offence once a subject access request has been made to destroy, delete, conceal or erase data to which the requester would otherwise have been entitled.
Susan Hall’s expertise includes working with a wide range of clients ranging from government departments and universities, to multi-nationals, owner-managed businesses and start-ups.
For more information contact: firstname.lastname@example.org.
Clarke Willmott LLP is a national law firm with seven offices across the country including Birmingham, Bristol, Cardiff, London, Manchester, Southampton and Taunton.
"Having strict data protection policies, systems and procedures in place will make it much easier to comply with SARs appropriately."
DISCLAIMER: The statements, opinions, views and advice expressed in this article are those of the author/organisation and not of ENTIRELY. This article should represent information correct at the time of publication however whilst every care has been taken to present up-to-date and accurate information, we cannot guarantee that inaccuracies will not occur. ENTIRELY will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within this article or any information accessed through this site. The content of any organisations websites which you link to from ENTIRELY are entirely out of the control of ENTIRELY, and you proceed at your own risk. These links are provided purely for your convenience and do not imply any endorsement of or association with any products, services, content, information or materials offered by or accessible to you at the organisations site.