Under the General Data Protection Regulation (GDPR), an individual has the right to request a copy of any data that is held on them (subject to a few exclusions). This is known as a Subject Access Request or SAR. Such requests do not have to take any standard format, or use any particular form or template, and can be made either in writing or verbally. It is important therefore to recognise such a request, and to deal with it promptly and correctly. There are strict time limits set in law, with significant penalties for failure to respond within the time limits, or for failure to provide the requested information without a valid reason (within the terms of the regulation.)
Whilst every SAR is different and individual, the following 12-point plan will give you some guidance on how to deal with a typical SAR:
- Identify the request as a GDPR Subject Access Request (SAR) and verify the identity of the individual making the request. This may include asking for identification documents such as a passport or driver’s license and checking them against the information already held on the individual.
- Locate and retrieve any personal data that the individual has requested. This may include:
- Personal contact details, such as name, address, telephone number, and email address
- Personal data, such as Passport information, Visa information, National Insurance number and Driving licence details
- Financial and transactional data, such as bank account or credit card information
- Employment and educational data, such as CV, qualifications, certificates, and employment history
- Health data, such as medical records and treatment history
- Digital data, such as IP addresses, login credentials, and online activity
- Any other data that the individual has specifically requested in their SAR.
- Conduct a search for any personal data that may be held in email and other electronic communications, databases or storage. This may include searching for the individual’s name, email address, or other identifying information in email inboxes, shared drives, and other electronic storage locations.
- Review the data to ensure that it is accurate, up-to-date, and relevant to the request. This may include checking for errors or outdated information, and cross-referencing the data with other internal systems to ensure completeness.
- Determine if any of the data is subject to a legal exception or exclusion, such as data that is covered by legal privilege or that relates to an ongoing investigation. This will require a review of any relevant legislation and guidance to determine if the data can be disclosed.
- Ensure that any documents or data that include information relating to any other identifiable individual are redacted prior to release in order to protect data and individuals which are not the subjects of the request.
- Provide the individual with a copy of their personal data in a commonly used format, such as a PDF or spreadsheet. This copy should be provided in a clear, concise, and easily readable format, and be accompanied by an explanation of any technical terms used.
- Respond to the request within the legal timeframe of one month, unless an extension is necessary. The extension can only be granted under specific legal grounds, such as a large amount of data to process or if the data is located in different places.
- Keep a record of the request, including the date it was received, the data provided, and any exceptions or exclusions applied. This will allow you to demonstrate compliance and provide a reference point in case of any future queries or complaints.
- Provide any additional information requested by the individual, such as the source of the data or the purpose for which it is used. This information should be provided in a clear and concise manner.
- Offer the individual the opportunity to correct or delete any inaccuracies in their personal data. This is an important step to ensure that data is accurate and up-to-date, and also allows the individual to exercise their rights under GDPR.
- Monitor and review the SAR process regularly to ensure compliance with GDPR and UK regulations. This may include reviewing procedures and policies, training staff, and conducting regular audits to identify any areas of non-compliance.
Disclaimer: The information provided on this website is for general informational purposes only and is not intended to be legal advice. The information contained on this website should not be relied upon as legal advice and does not create a solicitor-client relationship. The information provided on this website is not a substitute for professional legal advice and should not be relied upon as such. Please consult a qualified solicitor in your jurisdiction for specific legal advice. By using this website, you agree to hold harmless the website owner and its affiliates from any claims, losses, or damages arising from the use of the information provided on this website.