Dealing with subject access requests

In the pre-implementation phase, most GDPR compliant efforts were focused on securing the data held by your business. With potentially huge GDPR fines at stake, tightening security makes perfect sense.

But the General Data Protection Regulation is primarily designed to give EU citizens greater control over their information and how it is used by third parties. Article 15 of the regulation enshrines the right for individuals to approach any organisation to request access to their personal information:
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data
It is extremely important to realise that the same potentially enormous GDPR penalties apply when failing to disclose data under Article 15 as allowing it to leak to an unauthorised third party. It is highly unlikely that any information commissioner will levy a €20m fine for failing to provide information to a citizen on request – but an infringement of the rights of the individual has that potential.

Be prepared

As EU citizens better understand their new rights, it is only a matter of time before your business begins to receive subject access requests (SAR). To avoid potential problems – and GDPR fines – you should build a process for handling SARs now.
The regulation states that the data controller is obliged to respond to requests relating to a data subjects right ‘without undue delay and at the latest within one month’. The ICO has further clarified this in their guidelines.
Here are a few things to consider.

  1. Specify how you want to receive SARs

The modern organisation will use several applications and databases to store personal information. This adds a layer of complexity to fulfilling SARs as you need to pull records from them all.
By defining a process in advance you can better manage incoming requests. Build a flowchart that specifies the steps to take between receiving an SAR and sending data back to the subject. Make sure that the process checks each system used to store personal data and guides your employees through each step.
In order to find all the data belonging to a specific individual, you will need them to give you some details to begin with. Your process should specify your requirements so that they can be passed back to the subject as soon as a request is made.
You could create an SAR form to be hosted on your website for instance. Just bear in mind that you cannot force data subjects to complete a form – and that you will still have to fulfil their request as quickly as possible.

  1. Keep subjects updated

It is vitally important that you let data subjects know that their request has been received, and that work is under way to fulfil it. You should also give them a basic timeline to help manage expectations.
With a multi-stage process for gathering data in place, you could also email the subject at key points to update them as to your progress. Keeping individuals informed will help to keep them onside – and reduce the risk of a secondary complaint to your local data commissioner if they feel the process is taking too long.

  1. Ask for additional information if required

Simply trying to muddle through a subject access request could cause serious problems, especially if it later transpires that you have failed to hand over all relevant data. If you need additional details from the subject to track down information, you should ask for it. As quickly as possible.
If the subject is unwilling, or unable, to supply supporting information you should make a note. You can use this fact towards your defence in the event of a complaint being made to the relevant information commissioner.

  1. Supply everything requested

As mentioned above, you must give the data subject all of the information they request – so long as you are not breaching any of the caveats specified elsewhere in the GDPR.
You should also be aware that a subject access request may include more than the individual’s raw data. In fact, Article 15 specifies a further six factors that need to be disclosed to the subject in your response:

  1. What the data processing activity is supposed to achieve.
  2. The categories of personal data you have collected from them.
  3. Any third parties (like data processors) with whom the data may be shared, “in particular recipients in third countries or international organisations”.
  4. The length of time you intend to retain their data – or an explanation of how you decide when the data is no longer required.
  5. The source of any personal data that was not obtained directly from the individual.
  6. An explanation of how your business uses automated decision making and profiling of personal data, and what the outcomes of this analysis entails.

As well as providing a copy of the personal data you will also need to provide the individual with information about how they can modify or withdraw permission to their data, and how to request data correction or deletion. The covering letter/email you send should also detail the subject’s right to lodge a complaint with their local data commissioner.

  1. Specify any relevant exemptions

Under some very rare circumstances you are entitled to reject a subject access request. The specific reasons for rejection need to be considered on a case-by-case basis particularly where an SAR infringes the privacy rights of another individual.
Rather than issuing a full rejection however, you will still need to supply the subject with any information that falls outside the exemptions. You should also include a generalised explanation of data that has been withheld and the reasons for your decision.

  1. Keep records of SARs and actions

In the event of an audit by the Information Commissioner’s Officer, you will need to prove that you are complying with Article 15 and addressing all subject access requests received. And it is here that your internal processes will prove their worth.
Using a checklist/flowchart to manage SAR requests allows you to track and record progress. You can capture notes about each case, communications between your business and the subject, and any other information that arises throughout the process. You can clearly prove that subjects’ wishes and requests are being respected, so you can avoid potential GDPR penalties.

The key to SAR success – preparation

Preparation is key to managing incoming subject access requests properly. But before deciding how to process SARs, you need to fully understand the personal data your business holds, and where it is located on the network.
If you have not already done so, you must conduct an audit of your data stores as soon as possible. Without a complete understanding of what you have, it is highly likely that information may be missed during the export procedure – which means that the subject will not receive all of the data they are entitled to.
This is particularly true of data held on archive tapes or in cold storage. Just because it is more difficult to access, does not mean it is exempt from a subject access request. And if the data is not in regular use, you should carefully assess whether you should be storing it at all.
Should you fail to provide the subject with a complete copy of all data held, your business will be in breach – and at risk of receiving a GDPR fine. To learn more about auditing your network and accurately fulfilling SARs, please give us a call.