How to handle a Subject Access Request
An essential guide for business
- Under the GDPR, individuals have the right to ask you what personal information you hold about them, including what it is, why you hold it, who can access it and how long you are keeping it for. This is often known as a Subject Access Request or SAR.
- You have one month to respond to a Subject Access Request.
- You cannot charge a fee to deal with a request in most circumstances (but there are exceptions).
- People can ask verbally or in writing; either is valid.
- You can respond in whatever format you want; the GDPR recommends self-service (for larger firms).
What is personal information?
You need to tell them
- The personal data (about them) that you have (you’re processing this info in GDPR speak).
- Why you have it (the purpose).
- The categories of data.
- The recipients (who can access it). If the data is sent outside the EEA, you also have to explain how it is protected.
- How long you’re keeping it.
- A reminder of their rights (including the right to erasure, the right to be forgotten, and the right to complain to the government).
- Where the data was sourced from (if it was not direct from the individual).
- Any automated decision making or profiling that takes place.
Here’s a good process for handling Subject Access Requests
- Verify identity (make sure it’s the right person and not a hacker!). Use data you already have, such as a known email address, phone number or postal address, or a question only they would know the answer to. Asking for a passport or ID documents here could be seen as excessive.
- Get the data
- Redact the data if needed (to protect other people’s personal data). This means blacking out any names or details you cannot share, for example from a reference.
- Package the data (we think PDF is a good format).
- Add the details – see above ‘You need to tell them’.
- Provide the data securely! We would recommend our free-to-use safedrop.com, or a password-protected PDF. If you send the data by plain email, you’re risking a data breach!