The number of subject access requests (SARs) has increased massively since the implementation of the General Data Protection Regulation (GDPR) in May 2018, says Susan Hall, partner at law firm Clarke Willmott LLP.
SARs allow people to request what information an organisation holds about them and why it is holding this information – for instance if a person fears they are being blacklisted when they are applying for jobs, or believe they are being treated unfairly, or discriminated against in some way.
Mishandling a SAR, either by failing to respond in a timely manner or by failure to disclose relevant material or disclosing inappropriate material, can be a very costly mistake.
“The arrival of a SAR may be just the start of a number of legal issues for a business,” says IT and information technology specialist Susan Hall.
“Where matters have become potentially litigious it is vital to make sure that a joined-up approach is used for all communications with the potential litigant.
“Even when there is no direct threat of litigation, SARs should always be dealt with centrally and consistently, and with management and legal input into the process.”
Anyone can make a SAR but, says Susan, they are most often made by people who have a grievance and/or are looking for evidence on which they can base a claim.
“Having strict data protection policies, systems and procedures in place will make it much easier to comply with SARs appropriately.
“These should cover the whole stage of the data journey with policies on use of business systems and on data minimisation, and with information held in a clear, accessible and identifiable location.
“Businesses should have systems to identify when a SAR has been made, especially since there is no prescribed way of making one. They can be made over the phone or by social media.
“Policies should make it easier to find relevant data to comply with a SAR, but with vast volumes of personal data appearing on a request, specialist analysis and review platforms may need to be used to comply within relevant time limits.”
Hall says any SAR must be dealt with promptly – 30 days for answering and providing the data requested, with limited rights to extend by two further 30-day periods.
Once a subject access request has been made, it is a criminal offence to destroy, delete, conceal or erase data to which the requester would otherwise have been entitled.