How Will the Rules for Subject Access Requests (SARs) Change Under the GDPR?

A SAR is the right of an individual to request any personal data you hold about them. The reason that the GDPR and the Data Protection Act 1998 (DPA) provide this right is so individuals can verify that their personal data is being processed lawfully.  SARs must be made in writing. Individuals can ask:

• why their data is being processed
• what categories of personal data are held about them
• who has received or will receive their personal data
• where the data came from if they did not give it to you.

Fees

At the moment you can charge an administration fee for SARs. Under the GDPR you cannot charge unless the subject access request is ‘manifestly unfounded or excessive’.  However, you will have to be able to prove that the request is ‘manifestly unfounded or excessive’.  As the guidance isn’t specific, that’s difficult.  The GDPR states that you can charge a ‘reasonable fee’ for multiple requests – again the guidance isn’t specific, so approach with caution.

Response Time

The GDPR allows you just one month to respond to subject access requests instead of forty days under the DPA. This deadline can be extended by a further two months for a complicated or large request.  The data subject must be notified of any deadline extension within one month of receipt of the SAR and they must be given an explanation of the decision.  You will need to make sure that your organisation has procedures in place to cope with this reduced timescale.

Electronic Access

If an individual makes a SAR electronically then you must provide information in a commonly-used electronic format unless they request otherwise.   Before sending out electronic information you must verify the individual’s identity.  As you only have one month to respond to SARs you need to make sure that if requests are emailed to a particular staff member, then these are actioned when that staff member is absent.

Content of Response

When you respond to SARs you should tell the individual what personal information is held about them, the purpose for which it is held and what processing is being carried out. You might also need to provide additional information such as your data retention period.

Right to Withhold

The GDPR and current DPA hold the same position here. Under the DPA organisations can withhold information if it regards the prevention, detection or investigation of a crime; national security or the armed forces; the assessment or collection of tax; and judicial or ministerial appointments.  The GDPR states that personal data can be withheld if it would ‘adversely affect the rights and freedoms of others’.  In future our government may introduce further exemptions to SARs relating to public security, so we will have to watch this space.

• Create a subject access request template. That way, individuals will always provide the information you need to respond consistently and efficiently to SARs.
• Write and implement policies and procedures for handling SARs, making sure that the new shorter response times are incorporated.
• Make sure that your staff are trained to handle SARs so that they can identify them when they come in and respond correctly.

Working in partnership with IT and cyber security specialists at Soitron UK, our information security lead auditors can:

• design a subject access request template that meets GDPR requirements and works in practice within your organisation
• design policies and procedures that handle SARs in line with GDPR requirements, including meeting the shorter response times
• train your staff to identify and handle SARs swiftly and correctly
• develop your IT systems to facilitate SARs processing and all other GDPR requirements.