Responding to a Subject Access Request (SAR)
Any individual can make a Subject Access Request (SAR) under the General Data Protection Regulation (Regulation (EU) 2016/679, the GDPR) to any organisation (data controller) that holds his or her personal data. Since the introduction of the GDPR, an increasing number of individuals are exercising their right of access, together with their other data subject rights, against the organisations that hold their data.
Responding to a SAR
It is important for a company to identify every system and location in which personal data is held, and to ensure that those systems are readily searchable, so that responses to SARs can be managed efficiently. Businesses should be aware that the time limit for responding to a SAR is one month from receipt (extendable by up to two further months where a request is complex or a number of requests have been received, provided the individual is told of the extension within the first month) and should ensure that their procedures enable them to respond within that timescale. Each SAR needs to be assessed to consider whether any exemptions apply and whether any personal data may be withheld, for example because disclosing it would reveal information about another individual.
You may need to take specialist legal advice upon receipt of a SAR. Poor compliance can be a source of significant risk to a company's reputation and may undermine customer confidence. Failure to comply may also result in enforcement action by the Information Commissioner and/or civil claims against your company, including significant monetary penalties.
BDB Pitmans’ data protection team
Our team provides practical and tailored advice in connection with SARs and other data subject requests made under the GDPR. We can help organisations address these requests properly, including:
- Business specific training on SARs
- Drafting internal policies for dealing with SARs
- Responding to a SAR and the provision of personal data in response to a request
- Advice on the content and validity of specific SARs
- Document review
- Responding to investigations by the Information Commissioner
Our recent subject access request work includes:
- Advising a charity on a SAR made by a former charity trustee
- Advising a property investment company on a SAR made by a former employee
- Advising a data processor on a SAR received in relation to personal data it was processing on behalf of a data controller