Apr 19

How to manage subject access requests

In the digital age, processing of personal data has become widespread and it is increasingly difficult for individuals to understand how their personal data is being processed. In order to protect data subjects, the GDPR has granted them several rights, one of which is the right to access. Data subjects can exercise their rights by submitting requests to your organization.

The “Right to Access” is one of the most exercised rights in practice. According to a survey, 71 per cent of EU firms have received data subject requests from their staff since the introduction of GDPR, and 67 per cent had to increase their expenditure in order to process these requests. That poses a big challenge for organisations, since acting ad hoc quickly becomes expensive. When it comes to subject requests, the rule of thumb is the old saying: failing to prepare means preparing to fail. And what does that actually mean? Be proactive! In this post, we will give you some tips and guidance on how you can prepare.

What is the right to access?

The right to access grants individuals the right to obtain the following from a controller:

  • confirmation that you are processing their personal data;
  • a copy of their personal data;
  • other supplementary information.

Individuals can exercise their right to access by submitting a Subject Access Request, commonly known as a SAR.

Who can submit a subject access request?

That can be anyone whose personal data your organisation is processing. For example, it can be a member of your staff, an ex-employee, an unsuccessful job applicant or a customer of yours. Based on surveys, the categories of data subject most likely to submit a request are employees and customers.

Before the request – be proactive!

The more prepared you are before you receive a request – i.e., you have documentation and procedures in place – the easier it will be for you to respond. All of the following points can actually help you prepare for any subject request. Let’s see what those might be:

1. Record of Processing Activities/Data mapping 

In order to respond to a request, you need to understand what personal data your company collects, how it is used and shared, and where it is stored by the company and by any third parties. The GDPR requires most organisations to keep a Record of Processing Activities (often referred to as RoPA or Article 30 documentation). Your RoPA will give you a clear understanding of what information is held and where it is, and can be used as a map to help you navigate your databases and respond to a request more rapidly and effectively. The more up-to-date your documentation is, the easier it will be for you to respond to subject requests.

2. Establish a preferred channel for receiving subject access requests

Another way to be more prepared and proactive is to decide whether or not to establish a preferred channel for receiving subject requests. This could be a standard form, a portal, or an internal email address. Just keep in mind that it is not mandatory for data subjects to send you their request via these preferred channels; they are simply a means of managing requests in a more centralised way. As a data controller, you must respond to every access request from a data subject, in whatever form you receive it. For example, if you have a web form but a data subject calls you and asks for a copy of their data, you can’t ignore the request just because you have set up a preferred channel. If you do establish a preferred channel, make sure you update your privacy policy and privacy notice so that data subjects can easily find it.

3. Policies and procedures 

Create a robust policy and procedures that cover all types of requests from individuals. As the time limit to respond to subject requests is tight – you only have one month – having a subject request policy and procedure in place will help you be proactive. In this policy, you should assign responsibilities so that it is clear who is internally responsible for handling requests, and set out procedures for how employees should escalate a request.

4. Training

The GDPR does not require a subject request to have a specific form – it can be submitted verbally or in writing. It can also be submitted to any part of the organisation (for instance by email, via social media, or during a phone call with a salesperson) and does not have to be addressed to a specific person or contact point. A request does not have to be made in a formal fashion – what matters is that the individual is asking for an action regarding their own personal data. This presents a challenge, as any employee could receive a valid request. That’s why it is really important to train your staff appropriately. Basic GDPR training and general training on how to recognise a subject request are not adequate on their own. You need to train your staff on your established subject request policies and procedures. Employees need to know how to escalate a subject access request and who is responsible internally for taking action.

I received a subject access request – what’s next?

Before you respond, there are certain things you need to check:

1. Identify the individual

Before you disclose any personal data, you have to be sure about the identity of the data subject. Is the data subject who they claim to be? You certainly don’t want to disclose personal data to a third person (someone who is not the data subject whose personal data are requested), because that would be a data breach! Authentication in an online environment can be challenging, so if you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are – the key here is proportionality.

Bear in mind, though, that another person is allowed to submit a subject request on behalf of a data subject. There could be a case where a lawyer is acting on behalf of their client, or a parent is asking for their child’s personal data, or a data subject simply feels more comfortable having somebody else act for them for personal reasons. In these cases, as long as the third party provides evidence of this entitlement, such as a written authority or a general power of attorney, you can respond to the third party. However, if there is no such evidence you are not required to respond to the subject request. How are you going to do the identification? Use the data you already have rather than asking for new data. If the data subject has an account with your organisation, it would be proportionate to ask them to log in and make the request through their account. If the request is made by telephone, you can ask questions about information the data subject has already shared with you. Keep in mind that you are obliged to comply with the principle of data minimisation (for further information, see Article 5 of the GDPR). If you need more information to verify the identity of the data subject, let them know as soon as possible. The one-month deadline for responding to the request will start once you receive the additional information.

2. Should you respond?

In some cases, you are not obliged to respond to a subject request. When would that be? You need not respond if the subject request is “manifestly unfounded or excessive”. A request may be manifestly unfounded if the individual has no clear intention to access the information, or is malicious in intent and is using the request to harass an organisation with no real purpose other than to cause disruption. A request may be excessive if it repeats the substance of previous requests and a reasonable interval has not passed. If you do decide that the subject request is manifestly unfounded or excessive, you can choose not to respond to it. In any case, you should be able to justify your decision and inform the data subject about it.

3. Can you charge a fee?

In most circumstances, you should give the data subject a copy of their information free of charge. However, you can charge a reasonable fee to cover your administrative cost if a request is manifestly unfounded or excessive. You can also charge a fee if the data subject asks for further copies of their information following a request. If you choose to do so, you must inform the data subject immediately, and you can comply with the subject request once the fee has been paid.

4. Set and record a procedure

Make sure that you include a procedure for recording the requests you receive and the responses to those requests. This record will help you avoid later disputes about whether you misinterpreted the request, and will support you in case a data subject submits a complaint to a data protection authority.

The response 

Your response will depend on the particulars of the request. That is, if a data subject asks for a copy of all the personal data you hold on them, you have to provide that copy. To fulfil the request, a data protection officer or administrator must find every piece of information about that person within the parameters specified in the request. It makes no difference whether the information is structured or unstructured data. Searching for this information may mean logging on to various central systems and/or looking through piles of paper, as well as asking individual employees whether they hold digital or physical records mentioning the requestor. That data then needs to be organised and redacted or shared as required, all of which takes a great deal of time and effort – and don’t forget that the clock is ticking.

After you gather all the information, you should send it to the data subject. The disclosed information could take the form of photos, email or chat content, a voice recording, CCTV footage, a CD, etc. If an individual makes a request electronically, for example, it is preferred that you provide the information in a commonly used electronic format, unless the individual requests otherwise. When deciding what format to use, you should consider both the circumstances of the particular request and whether the individual is able to access the data you provide in that format.

What should we do if the subject access request involves information about other individuals?

An important situation arises when responding to a subject access request would involve providing information that relates both to the data subject and to another individual, e.g. if you have to share surveillance camera footage. The GDPR does not specify what happens in this case, but it is recommended that you redact all personal data that does not concern the data subject who made the request. If this is not possible, seek the consent of the other individual, or consider whether it is reasonable to comply with the request without that individual’s consent.

In conclusion, responding to subject requests requires a careful understanding of what personal data you store. You may have to adopt certain policies to make sure you respond to subject requests appropriately and are able to defend yourself if you’re ever brought before regulators. The best practice for responding to a subject request is to be proactive – that’s the key to success for a data controller.
