How To Recognise And Respond To A GDPR Subject Access Request
Recognising and responding to UK GDPR subject access requests (SARs) is a key part of data protection and privacy law compliance. It is also one of the most common ways employees encounter customers and clients asserting their rights under the UK GDPR and the Data Protection Act 2018.
Organisations that operate within the EU must also comply with EU GDPR subject access requests and as we shall see below, draft guidelines released by the European Data Protection Board (EDPB) in January of this year have raised the bar concerning what is expected of data controllers.
Before discussing how a person receiving an SAR can recognise and respond to the request, let us briefly point out what an SAR is.
What is a subject access request?
Article 15 of the UK GDPR provides a person with the right to:
- Know whether personal data relating to them is being processed,
- Certain prescribed information concerning the processing of their data for example whether automated processing is being used and the safeguards implemented when transferring their personal data to a third country, and
- A copy of all the personal data your organisation holds relating to them.
The above rights are not absolute. You can refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.
How do I recognise a UK GDPR subject access request?
SARs can be made verbally or in writing, including over social media, or by a third party. A request is valid so long as the person is requesting access to their own personal data. In the case of requests made by third parties, for example a friend, relative, solicitor, or accountant, you must check that they have been authorised by the data subject to make the request.
An SAR does not have to refer to the GDPR or any other legislation. Even if your organisation provides an SAR form, you cannot refuse to deal with requests sent via another method.
How long do I have to respond to an SAR?
You must respond to an SAR within one month of receipt. This can be extended by a further two months if the request is complex or you have received several requests from the person. If you process significant amounts of personal data, you can ask the data subject to clarify the specific information they wish to access or obtain a copy of. Although the time limit is paused until you receive clarification, you should still send any other data you know has been requested within one month.
How should I respond to a GDPR subject access request?
It is best practice to respond to an SAR in the same format in which you receive the request; for example, if the request is sent via email, reply by email. If possible, you should try to establish the requester's preferred mode of communication as soon as possible.
Can we charge a fee?
For business owners, one of the most frustrating aspects of SARs is that in most cases you are forbidden by law from charging for the time and resources it takes to fulfil them. The Information Commissioner's Office (ICO) states that:
“you can charge a 'reasonable fee' for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if an individual requests further copies of their data.”
Unfortunately, this is not helpful when it comes to locating, collating, and sending requested data which may run into thousands of pages. With this in mind, below are our three top tips for making SAR compliance easier:
- Put accessible policies and procedures in place covering the operational steps of dealing with an SAR, namely:
  - assessing the validity of the access request;
  - searching for personal data relating to the requester;
  - considering whether any statutory exemptions apply; and
  - responding to the request.
- Ensure you have an up-to-date data map which sets out where the personal data your business holds is kept, how it can be accessed, and who can access it.
- The employee dealing with an SAR must keep meticulous records explaining the steps they took to fulfil the request. If the SAR is refused, the reasons for this decision must be documented. These records will provide evidence should the data subject complain and the ICO subsequently launch an investigation.
The above provides a guide to fulfilling an SAR under the UK GDPR. As mentioned above, the EDPB has released draft guidelines concerning SARs which, if adopted, controllers and processors of EU citizens' data will need to be aware of. For example, the guidelines aim to clarify when a controller can refuse an SAR for being ‘manifestly unfounded' or ‘excessive', or be permitted to charge a reasonable fee. The draft guidelines state that the term ‘manifestly unfounded' is to be interpreted narrowly, and the fact that a particular request will involve a lot of time and effort does not necessarily mean it will qualify as excessive. However, the controller can consider the motives behind the request and may be able to refuse to comply if it is initiated with the aim of ‘causing damage or harm or disruption to the controller.'
To ensure you and your team can comply with SARs, it is vital to seek professional advice and ensure everyone receives sufficient training on recognising and responding to requests. As with all matters concerning compliance (and law in general), prevention is far more effective and cheaper than the cure.
Please note that this article does not constitute legal advice.