Since 25 May 2018, individuals in the European Union have had stronger rights over the protection and privacy of their personal data under the General Data Protection Regulation (GDPR).
After Brexit, the United Kingdom kept the GDPR in its own law as the UK GDPR (United Kingdom General Data Protection Regulation), which sits alongside the Data Protection Act 2018 and took effect on 1 January 2021, when the transition period ended.
Under Article 15 of the UK GDPR, people in the UK have the right to ask any organization what personal data it holds about them and how it is using that data.
And while Subject Access Requests (SARs) are a powerful tool for individuals who want to make sure their data is in safe hands, they can be a true nightmare for your organization if you don't have the right process and tools in place to handle them.
Finding the data, offering consumers a streamlined way to submit their requests, responding in a timely manner, and keeping track of requests, can all be tricky aspects to deal with, so we’ve created this comprehensive article to go over all those questions.
But first, let’s start with the basics.
A SAR (often called a DSAR, for data subject access request) is a verbal or written request that an individual, or someone acting on their behalf, can make to any organization that processes their personal data, asking to see what personal data it holds about them and how it is using it.
The UK GDPR does not prescribe a format for a SAR or any wording it must contain. You can offer a standard SAR form that people can use to submit requests electronically, but you cannot insist that they use it: a request is valid however it arrives.
In practice, anyone can request their information via any channel, including social media, and through anyone in your organization, which can make tracking these requests quite challenging.
Under the UK GDPR, organizations must respond to a SAR without undue delay and at the latest within one calendar month of receiving it.
For complex or multiple requests you can extend that deadline by up to a further two months. You must tell the individual within the first month that you are extending the deadline and explain why the extra time is needed; the extension is not something you ask the individual to grant, but you must be able to justify it if they complain to the ICO.
As a general rule, you cannot charge a fee for providing someone with a copy of their data. You may charge a reasonable fee based on your administrative costs, or refuse to act at all, only where a request is manifestly unfounded or excessive, for example because it repeats an earlier one; you may also charge a reasonable fee for further copies of the same data.
One important thing to note is that, even if you hold no personal data about the individual, you still need to reply within the deadline to tell them so.
Before your first SAR arrives, you should settle three things: who is responsible for handling requests, how requests will reach you, and what process you will follow.
In terms of responsibilities, organizations that have a data protection officer (DPO) usually make the DPO the person in charge of fulfilling SARs. If you do not have that role, pick someone in your organization with data protection knowledge. This person will normally oversee the whole process, while your legal and IT teams do the actual searching and review.
You cannot stop people from sending SARs through any channel at any time, but you can make the preferred route the easy one: create a simple SAR form that people can quickly find on your website, and ask up front the questions that would otherwise mean back-and-forth with the individual after they submit.
Finally, you need a solid process for handling DSARs, both to avoid an enforcement notice or fine from the Information Commissioner's Office (ICO) and to keep the time and resources spent on each response to a minimum.
The first thing you need here is a good understanding of your data and of the best way to gather it when a SAR arrives. Work with your IT partners and privacy specialists to map which systems hold personal data, who owns each of them, and how each one can be searched.
Once your data mapping is complete, your next step is to understand how you will export and analyze the data you need for each request.
One option is to learn the search and export methods of each of your data sources, as well as their retention periods, and manually find and review all the information you need. This can be really time consuming, though.
Another option is to look for cloud-based, intuitive SAR software like Logikcull that can automate the collection, processing, and analysis of your data so you can complete a request in a matter of minutes instead of hours or days.
Read on to learn how a tool like this would fit into your SAR response process.
Now that you've established responsibilities, understand your data ecosystem, and know how to deal with that data, here are the steps to follow when a DSAR arrives:
Before you touch any data, confirm the identity of the person making the request, asking only for what is proportionate: handing someone's data to the wrong person is itself a breach. Where someone is requesting on another person's behalf, you also need to verify that they are an authorized representative. The response clock starts when you receive the request or, if you needed extra information to verify identity, when you receive that information.
When a SAR arrives, time is of the essence. If you process a large amount of information about the person, the ICO allows you to ask them to clarify the scope of the request before you start searching, and the deadline is paused until they reply. Only do this where it is genuinely needed, though; if they decline to narrow the request, you must still search everything.
Apart from helping you narrow down your data search, establishing a direct line of communication with the individual will reassure them about your commitment to respond to the request in a timely manner.
This can be the most time-intensive part of the process, especially if you’re searching your systems manually and one by one. With a SAR tool like Logikcull, you could pull data directly from your main data sources with a click.
This is another key step you can streamline with the right technology. After collecting your data via direct integration or by just dragging and dropping your exported files, Logikcull automatically deduplicates and indexes your data so you can use keywords to find relevant documents, or filters like dates, sender, and email domains, to quickly home in on the files you need to share.
The alternative to this is to look at all the documents you collected one by one, or pay someone to do it for you.
You also need to be careful not to disclose another person's personal data. The UK GDPR lets you withhold information that identifies a third party unless that person has consented or it is reasonable to disclose it without their consent. With automatic personal information detection and bulk redaction, Logikcull makes it easy to find and mask third-party data, so that your response does not itself become a data breach.
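To make the deduplicate, index, search and redact steps above concrete, here is an added example (not Logikcull's code, and not from the original article) that runs the same pipeline over a small constructed mailbox export. It hashes each record to drop exact duplicates, builds a simple inverted index, pulls the records that mention the requester's identifiers, and masks every email address and UK-style phone number except the requester's own. The export records, the requester details, and the phone-number pattern are all assumptions made for the example; real PII detection needs far broader patterns and a human reviewer, since matching on a first name alone will also pull in unrelated people.

```python
import hashlib
import re

# Constructed sample export: a handful of messages as they might come out of a
# mailbox or ticketing system. Purely illustrative; none of this is real data.
SAMPLE_EXPORT = [
    {"id": "msg-1", "date": "2023-03-02", "sender": "alice@example.com",
     "body": "Hi team, Alice Smith (alice@example.com) asked about her order. "
             "CC bob@example.com, phone 07700 900123."},
    {"id": "msg-2", "date": "2023-03-02", "sender": "alice@example.com",   # exact duplicate of msg-1
     "body": "Hi team, Alice Smith (alice@example.com) asked about her order. "
             "CC bob@example.com, phone 07700 900123."},
    {"id": "msg-3", "date": "2023-04-10", "sender": "carol@example.com",
     "body": "Unrelated supplier invoice for dave@partner.example, phone 07700 900456."},
    {"id": "msg-4", "date": "2023-05-01", "sender": "support@example.com",
     "body": "Refund processed for alice@example.com. Agent: bob@example.com."},
]

# The person making the SAR (assumed). name_tokens broaden the search; they also
# raise false positives, which is why the result set still needs human review.
REQUESTER = {"email": "alice@example.com", "phone": "07700 900123",
             "name_tokens": ["alice", "smith"]}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Crude UK mobile pattern, an assumption for the example only.
UK_PHONE_RE = re.compile(r"\b07\d{3}\s?\d{6}\b")


def deduplicate(records):
    """Drop exact duplicates by SHA-256 of the body; keep the hash for the audit trail."""
    seen, unique = set(), []
    for rec in records:
        digest = hashlib.sha256(rec["body"].encode("utf-8")).hexdigest()
        if digest in seen:
            continue
        seen.add(digest)
        unique.append({**rec, "sha256": digest})
    return unique


def build_index(records):
    """Inverted index: lowercase token -> set of record ids. Keeps '@' and '.' so
    email addresses stay whole; trailing sentence punctuation is stripped."""
    index = {}
    for rec in records:
        for tok in re.findall(r"[a-z0-9@.+_-]+", rec["body"].lower()):
            tok = tok.strip(".")
            if tok:
                index.setdefault(tok, set()).add(rec["id"])
    return index


def find_relevant(records, index, identifiers):
    """Records mentioning any of the requester's identifiers, in original order."""
    hits = set()
    for ident in identifiers:
        hits |= index.get(ident.lower(), set())
    return [r for r in records if r["id"] in hits]


def redact_third_parties(text, requester):
    """Mask every email address and phone number except the requester's own."""
    own_email = requester["email"].lower()
    own_phone = re.sub(r"\s", "", requester.get("phone", ""))

    def mask_email(m):
        return m.group(0) if m.group(0).lower() == own_email else "[REDACTED EMAIL]"

    def mask_phone(m):
        return m.group(0) if re.sub(r"\s", "", m.group(0)) == own_phone else "[REDACTED PHONE]"

    text = EMAIL_RE.sub(mask_email, text)
    return UK_PHONE_RE.sub(mask_phone, text)


def process_sar(records, requester):
    """Full pipeline: dedup -> index -> find requester's records -> redact others."""
    unique = deduplicate(records)
    index = build_index(unique)
    identifiers = [requester["email"]] + requester.get("name_tokens", [])
    return [
        {"id": r["id"], "date": r["date"], "sha256": r["sha256"],
         "body": redact_third_parties(r["body"], requester)}
        for r in find_relevant(unique, index, identifiers)
    ]


if __name__ == "__main__":
    for item in process_sar(SAMPLE_EXPORT, REQUESTER):
        print(item["id"], item["date"], item["body"])
```

Running the script prints the two records that concern the requester (the duplicate is dropped and the supplier invoice is never selected), with the colleague's address masked and the requester's own email and phone left intact. Keeping the SHA-256 of each record in the output gives you a way to document exactly which items were reviewed if the individual later complains.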
Once the data is reviewed and redacted, provide it to the person who submitted the SAR securely and in an accessible form. If they made the request electronically, provide the information in a commonly used electronic format unless they ask for something else; the easiest way to settle the format is to ask the individual directly.
Alongside the data itself, Article 15 requires you to tell them the purposes of the processing, the categories of data and of recipients, how long you will keep the data, where it came from if not from them, whether it is used for automated decision-making, and their other rights, including the right to complain to the ICO.
Document the entire process, your communications with the individual and any third parties, and every decision you made along the way. This will be crucial if the individual complains to the ICO or asks for an internal review.
When not managed properly, SARs in the UK can turn into a big headache and expose your company to sanctions and reputational damage. With the right process and technology in place, however, responding to SARs can be quick, easy and cost-effective.