If you run a start-up or small business, it's essential to understand how to handle Subject Access Requests (SARs). Also known as Data Subject Access Requests (DSARs), these requests allow individuals to find out what personal information your business holds about them.
While answering these requests can be daunting, answering them promptly and adequately is essential: it keeps your business compliant with data protection laws such as the UK and EU GDPR, and it avoids a complaint to the ICO or the relevant data protection agencies across the EU.
This step-by-step guide has been designed to take you through exactly what you need to do to handle your organisation's Subject Access Requests as straightforwardly as possible, whether you're located in the UK or the EU.
What is a data subject access request (SAR)?
A data subject access request (SAR) is a right granted to individuals in the UK and EU under the General Data Protection Regulation (GDPR). A SAR lets a person ask an organisation that holds data about them what data it holds and why it is being processed, and, where applicable, obtain a copy of that information.
Anyone can make a subject access request, and regardless of how the request is made, it is your organisation's responsibility to answer promptly. Should a requester ask for a copy of the personal information your organisation holds about them, you're also required to provide information as to why you've processed their data, how it was processed and with whom it has been shared.
A couple of things to do before answering a SAR (we promise these will make your life much easier in the future!)
If you're a small business or a start-up, the information you'll need to answer a SAR probably sits in quite a few different places. If you haven't already, now is the time to audit the systems where your organisation collects, holds and processes personal data.
You may be surprised by platforms you no longer use, which might still store data about your customers. Doing this will ensure you know exactly where to go the next time your organisation receives a SAR.
If this is the first time you're answering a Subject Access Request, note down how you went about it. Firstly, you are required to keep a detailed paper trail of the steps you took to answer the SAR. Secondly, this record becomes the start of your formalised SAR process.
Organisations have a calendar month to respond to a Subject Access Request or risk a complaint to your country's data protection agency. That means that if the person who usually deals with these is off for 14 days, you'll still only have two weeks left to complete the request. A formalised process for how your organisation deals with SARs will ensure other members of your team can respond if necessary.
How to answer a Subject Access Request: a step-by-step guide
Confirm you're dealing with the right person
Before disclosing any personal information, you must confirm the identity of the person making the request. Ask for something only they would know but that you can verify, such as account numbers, the date they signed up for your service or their subscription details.
If your service is provided entirely online, there's a good chance you won't know what your customers look like. For that reason, automatically asking for photo ID might be an inappropriate way to confirm someone's identity. If the request was made by someone you know, such as a current or former employee, requesting proof might not be necessary, but note this decision down as part of your paper trail.
Be prepared to act swiftly.
As mentioned above, you have a calendar month to reply to a subject access request. Note that this does not mean 30 days: if you receive a SAR on the 31st of January, you need to reply by the 28th of February.
To avoid missing any deadlines, it's best to work towards a timeframe of 4 weeks (28 days). Some exceptions to the calendar month rule exist, for example if the request is very complex; even then, you must inform the requester of the delay within the initial calendar month deadline.
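The calendar-month rule above, written out as an added example (not code from the original post): the statutory deadline is the same day of the following month, falling back to the last day of that month when the day does not exist, alongside the 28-day internal target the guide recommends. The function and field names are this example's own.

```python
# Added example: compute the response dates for a Subject Access Request.
# "Calendar month" means the same day next month; if that day does not exist
# (31 January -> February), the deadline is the last day of that month.
import calendar
from datetime import date, timedelta


def statutory_deadline(received: date) -> date:
    """Same day of the following month, clamped to that month's last day."""
    year = received.year + (1 if received.month == 12 else 0)
    month = 1 if received.month == 12 else received.month + 1
    last_day = calendar.monthrange(year, month)[1]   # handles leap years
    return date(year, month, min(received.day, last_day))


def internal_target(received: date, working_days: int = 28) -> date:
    """The 4-week (28-day) target the guide suggests working towards."""
    return received + timedelta(days=working_days)


def sar_schedule(received: date) -> dict:
    """Both dates plus the slack between them, suitable for a SAR tracker.
    The 28-day target is never later than the statutory date, so slack >= 0."""
    statutory = statutory_deadline(received)
    target = internal_target(received)
    return {
        "received": received,
        "internal_target": target,
        "statutory_deadline": statutory,
        "slack_days": (statutory - target).days,
    }


if __name__ == "__main__":
    # 31 Jan 2023 -> 28 Feb 2023 (the guide's example); 2024 is a leap year.
    for received in (date(2023, 1, 31), date(2024, 1, 31), date(2023, 3, 15)):
        print(sar_schedule(received))
```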
Double-check you're clear on what they're requesting.
If you can, confirm with the requester exactly what information they are asking for. While you might think they're asking for every piece of information you hold about them, they may be requesting something very specific. You might find that this saves you quite a bit of time.
Get ready to search.
Check your systems, platforms, notes and devices to find the requested information. If applicable, go beyond CRM systems and check collaboration tools, support systems, email clients and paper files. If you record sales or customer meetings, review these too. Once you're satisfied that there is nowhere else to look, you can narrow this information down to what the requester has asked to see.
Start-ups and SMEs across the UK and Europe are saving hundreds of hours by letting Naq automate their Subject Access Request Process. Click here to find out how.
Make sure you're only disclosing the requester's data.
Carefully review the data you've collected to ensure that 1) it is what the requester has asked for and 2) it does not disclose the personal information of another person. This is often an issue when disclosing email threads containing multiple people's email addresses. If this applies to your case, you can redact the email addresses of the other people in the thread. If, however, the email contains information that could reveal another person's identity, you need to weigh up whether it's reasonable to share that information.
For example, suppose a former employee makes a Subject Access Request asking for any email containing their personal data. As you review your organisation's email accounts, you notice the details of a complaint made by another employee against the requester. If disclosing the details of the complaint could cause the complainant to lose their anonymity, you need to consider carefully whether this would, in turn, affect that other individual.
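The email-address redaction described above, as an added example that is not code from the original post: every address in a thread is replaced except those you choose to keep (the requester's own, and any shared mailbox of your organisation), and the addresses removed are returned so they can go in the paper trail. The thread and addresses are constructed sample data.

```python
# Added example: redact third parties' e-mail addresses from a thread before
# it is disclosed in a SAR response. Addresses only: names and other details
# that could identify someone still need the human judgement the guide describes.
from __future__ import annotations
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample thread; all addresses are fictitious.
SAMPLE_THREAD = """From: jane.doe@example.com
To: support@example-shop.test, mark.smith@example.com
Subject: Order 1234

Hi, Mark (mark.smith@example.com) said the parcel went to alice@example.org.
"""


def redact_third_parties(text: str, keep: tuple[str, ...],
                         placeholder: str = "[REDACTED]") -> tuple[str, set[str]]:
    """Replace every e-mail address not listed in `keep` (case-insensitive).
    Returns the redacted text and the set of addresses that were removed."""
    allowed = {addr.strip().lower() for addr in keep}
    removed: set[str] = set()

    def _sub(match: re.Match) -> str:
        addr = match.group(0)
        if addr.lower() in allowed:
            return addr
        removed.add(addr.lower())
        return placeholder

    return EMAIL_RE.sub(_sub, text), removed


if __name__ == "__main__":
    out, gone = redact_third_parties(SAMPLE_THREAD, ("jane.doe@example.com",))
    print(out)
    print("Redacted for the paper trail:", sorted(gone))
```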
Get all the information together and get ready to send
As previously mentioned, along with the requested information, you'll also need to disclose how you collected, processed and stored this data. Under the UK GDPR, you are legally required to be transparent about how your organisation processes personal information, how long you plan to keep it and how individuals can have it deleted from your systems. If you're UK or EU GDPR compliant, your data, privacy and cookie policies will already include all of this information.
If you're not yet compliant, take a look at how we're helping hundreds of organisations accelerate their growth by automating their compliance with frameworks such as UK & EU GDPR, ISO 27001 and Cyber Essentials.
Send the requested information in a secure manner.
Remember, you're still handling personal information, so this data must be handled securely. If sending the information by email, consider using a secure file-sharing system rather than an attachment. File-sharing systems let you password-protect files, ensuring only the person making the request can access the information.
Keep a record of this entire process.
An essential part of answering Subject Access Requests is creating a clear paper trail outlining the steps and time your organisation took to reply to the request. Maintaining a record of how you respond to requests will ensure you have something to reference should the requester be unhappy with the information you've provided. As mentioned at the top of this blog, this paper trail can also act as your starting point for a clear and consistent process for handling Subject Access Requests across your business.
So there we have it, a step-by-step guide for answering Subject Access Requests. If the request you've received is particularly complex, feel free to reach out to a member of the Naq team who will be able to provide you with more detailed guidance on how to deal with your SAR appropriately.
For more helpful data compliance tips, subscribe to our monthly newsletter, packed with information, guides and how-tos on how to make your organisation's compliance a breeze.