You come into work on Monday morning, log in to your emails and find a customer demanding their personal data from your organisation.
You're confused. You've never had to deal with this before.
You know you can't afford to do nothing or there could be some serious consequences for your organisation (more on this later!)
Unfortunately, although we're all aware of how important GDPR and data protection is, lots of people struggle with how to properly handle subject access requests.
The good news is this article will outline the solution you're looking for in an easy step-by-step format.
Ready to let go of the stress?
Let's get into this.
What is Considered Personal Data?
For something to be considered personal data:
- It must relate to a living person
- The person must be able to be identified from the data or alongside additional information in the organisation's possession
Whenever your customers ask for their personal data, it is known as a 'Subject Access Request'.
What is a Subject Access Request?
According to the ICO's code of practice, a Subject Access Request is defined as:
"a written request made by or on behalf of an individual for the information which he or she is entitled to ask for under section 7 of the Data Protection Act 1998".
Section 7 states that individuals are entitled to access any information that an organisation holds about them and this is why you've received the request.
Now, this part's important - you do have a subject access request response time limit.
Your organisation has 30 calendar days to respond to the subject access request.
You may be tempted to put it off or ignore the subject access request altogether but this could be seriously putting your organisation at risk. Here's what can happen if you decide to become complacent with GDPR:
- By failing to maintain effective records of your processing activities, you face a fine of up to €10 million or 2% of your annual turnover of the preceding financial year, whichever figure is higher.
- By breaching processing principles, data subjects' rights and even more GDPR rules, you face a fine of up to €20m or 4% of your annual turnover of the preceding financial year. Again, whichever figure is higher, they will fine you that amount of money.
You get the point, don't ignore a subject access request!
Refusing a Subject Access Request
According to the ICO, you can refuse an entire request when:
- It is too expensive or time-consuming to deal with the request
- The request was made to cause adversity
- The request is the same as a previous request and came from the same person
What information are individuals entitled to from your organisation?
Individuals receive a copy of their personal information but they are also authorised to access more than just the copy:
- Individuals are entitled to know when any personal data is being processed
- Individuals are entitled to know the source of data
- Individuals are entitled to be given a description of personal data,
- Individuals are entitled to know why their personal data was processed and if it is being shared with other businesses.
- Individuals can also ask for the reasoning behind any automated decision
Is Your Organisation Prepared for Dealing with Subject Access Requests?
As aforementioned, requests can come from anywhere and everywhere. You have to ask yourself whether you believe you have the measures in place which will allow your organisation to handle every single request that comes through.
So how do you make sure your organisation is set up in a way that enables you to successfully deal with these requests?
Firstly, even if you have a dedicated person who deals with client and customer data, anybody in your organisation could receive a subject access request at any moment. This is why it's important everyone understands what they need to do when a subject access request is received.
This will involve training for your employees.
It is incredibly important for all employees to have data protection training to be able to recognise a subject access request.
This means employees should be aware of what a subject request access is and the relevant employees need to be able to deal with the requests.
For instance, the receptionist should be able to confidently pass on the information to the relevant people who can deal with the request. These people will need more detailed training as they will most likely be taking positions of data controllers and data processors.
Secondly, you should look to give guidance to both customers and employees.
Employees should be provided with written guidance, for instance, a PDF that outlines the policies and procedures required.
For customers, you should look to create a dedicated in-house form to assist customers in providing details about their request, identities and any other information which will help you complete the request.
This should make it easier for customers to complete requests without the need to complain.
Lastly, once you've offered guidance and training, you need to track your compliance with subject access requests. This means your organisation is constantly reviewing the status of each request and ensuring that every request is completed in the 30 calendar day time frame.
Now that you understand what Subject Access Requests involve, let's go over what you need to do in a step-by-step to respond to these requests.
1) Identify the Subject Access Request
It isn't always easy to identify a subject access request as an individual doesn't need to use the phrase "subject access" or reference the data protection act for it to qualify as a Subject Access Request.
There is no specific or prescribed way for individuals to make a request, which means a request can come from a multitude of different sources.
This could include but is not limited to:
- Receiving a request via post
- Receiving a request via email
- Receiving a verbal request
- Receiving a request via social media channels
- Receiving a request via fax
Whether the request has come from e-mail, post or a social media message, you need to act upon that request.
Once you have recognised the request, ask yourself, does this request fall within the definition for personal data? Individuals can only request information that relates to themselves, not other people.
Also, it is important to recognise whether the individual is asking for more than just their personal data. For instance, the individual may be looking to erase personal data (right to erasure) or amend incorrect personal data (right to rectification), as well as receiving a copy of their personal information.
2) Verify the Individual
Is the individual requesting the information who they say they are?
I know it can be tempting to just assume the person is who they say they are, but you need to follow procedure, otherwise you could find yourself giving someone unauthorised access to information that's not theirs.
You will need to ask for a recent utility bill or a photographic identification to verify their identity. It is best to stick with passports and licenses as the main form of photographic identification.
If the person requesting the information is your employee, you don't need to verify their identity assuming you already have their identification.
Also, only ask for the information you need and nothing more.
3) Further Understand the SAR
Each subject access request is different and there isn't one answer for every single request. This means you need to dive into each request individually:
- If you're unsure of what the individual wants, contact the individual and clarify the personal data they wish to receive. It is important to remember that they don't actually have to tell you why they want this data, but they could help you refine your search.
You can also ask the individual's preferred format for the response. With this extra clarity, you should be able to move forward and direct the request to the right people within your organisation if necessary.
- Could there be a fee attached to this request? There is the possibility that the request you have received falls under the "manifestly unfounded or excessive" category which would mean you are able to charge the individual.
- Will you be able to respond to the subject access request within the 30 calendar day time frame? If it is a complex request, you could get two extra months to respond but make sure to notify the individual if this is the case.
4) Identify, Search For, and Collect the Requested Information
Every folder you have lying around the office, every electronic folder on your system and anywhere else you could have client data, will need to be searched to identify the information of the individual in question.
The data provided needs to be from the original record but you don't have to give the original record to the individual.
5) Identify Exemptions
Identifying what data to leave out is incredibly tricky, but crucial. For instance, you could be sending an individual somebody else's data and this would go against the Data Protection Act.
Another instance where you are required to retain information is when it is in the public and government's interest to withhold the data and also when it can interfere with a legal investigation.
This is completely tailored to the individual as it depends on the context at hand so you need to handle this situation with care and take your time with it.
6) Securely Supply Information to Individual
You need to match the response with the format of the subject access request unless the individual has stated otherwise. For instance, if the individual has made the request electronically then you need to send them the response electronically.
7) Log the Decision-making Process
You should always record what you're doing, you need to protect your organisation and be able to prove when you are in the right. By noting down the decision-making process of the entire procedure, you can provide evidence if you ever receive a complaint.