A subject access request has landed on your desk. Don’t be tempted to push it to the corner and think ‘nothing to see here…’ Subject access requests need to be dealt with, promptly. Here is a bit of information to help you out:
What is a subject access request?
A subject access request (SAR) is a request from someone who’s data you are collecting, using or processing. The person making the request is called a data subject. The data subject can ask for specific information or ‘all the data that you hold on me’.
SARs are not new under the GDPR — they have been around for years, which means that there is a lot of case law on them.
I’ve got a SAR. What do I do now?
The first thing to do is check your timings. When did the request come in and how long do you have to respond? Do you need extra time? Next, reply to the data subject and acknowledge the request. Then start gathering the data. Once the data has been gathered, it will have to be assessed.
How long do I have to respond to a subject access request?
Generally, you have one month but can have up to three months for lengthy or complex requests.
What do information do I have to disclose?
SARs can be quite complex. There are legal exemptions which mean that some data is not disclosed and there are legal presumptions which mean that some data is likely disclosed. Each document and it’s data has to be assessed. You can’t use a blank rule on all the different types of data or documents nor can you have a ‘sod it, I’m sending everything because it’s too much work to go through all the data’ approach. With SARs, you’re damned if you disclose too much and damned if you disclose too little.
In addition, SARs get complicated when there are multiple email accounts involved, personal devices used, recorded calls, etc. Toss in legal profession privilege and management forecasting exemptions and it can be a minefield.
Keep in mind that the law doesn’t say that all the data of third parties must be redacted. In some circumstances, it is reasonable to disclose the data of third parties without their consent.
Also, a data subject has the right to request their personal data; they don’t have the right to request specific documents.
What is a redaction?
A redaction is where some data in a document has been removed as it isn’t appropriate to disclose it to the data subject.
Can you help me with my subject access request?
We can definitely help you. We charge by the hour for how long it takes us to assess the data and make any redaction. We can tell you if any exemptions apply and what data does and doesn’t have to be disclosed.
How much will it cost for you to handle the SAR for me?
We charge by the hour for the time that it takes to read the material, assess any exemptions and make any appropriate redaction. We also write the mandatory Article 15 letter that goes with the material (see below).
The cost all depends on the volume of data and the complexity of the assessments and reductions. We can give you a quote once we’ve had chat with you and have seen what is involved with the SAR.
What’s in the Article 15 letter?
Article 15 of the UK GDPR says that the data subject, along with getting the information, must be told the following:
- confirmation as to whether or not personal data concerning him or her are being processed
- the purposes of the processing
- the categories of personal data concerned
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
- the right to lodge a complaint with the Commissioner
- where the personal data are not collected from the data subject, any available information as to their source
- the existence of automated decision-making
- where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer
SARs can be tricky – you can make a mistake if you disclose too little data or if you disclose too much. It’s wise not to ‘dabble’ with a SAR – the law on them is complex.
We can help with your SARs, every step of the way.