What is a subject access request?

Guidance for both individuals and companies on how a data request should be processed

Harvesting data from a laptop

With seemingly everything and everyone collecting data through all manner of means, companies and online services now have a lot of information on individuals, whether it's detailed data or aggregate information.

For many businesses, this is the trade-off for providing free services, as is the case with social media companies and search tools like Google. However, regardless of how you collect data, or how much of it you store, you may have to deal with a subject access request (SAR) from time to time, particularly at a time when subjects are highly conscious of their data rights.

What is a subject access request (SAR)?

Every data subject has the 'right of access', which forms a fundamental part of data protection law across the world, and is a core tenant of the European Union's Charter of Fundamental Rights. This gives each data subject the right to known whether an organisation is storing or processing their personal data, a right that is usually exercised through a subject access request.

Using an SAR, an individual can request to see a copy of their data, as well as details on why that data is being processed, what type of data it is, the recipients of that data, how long it's stored, how the data was collected, and evidence to show that the data is being appropriately safeguarded.

Unlike the Data Protection Act 1998, which allowed companies to charge up to 10 per SAR request, the General Data Protection Regulation requires all organisations to accommodate SARs for free, however, if the request is considered to be 'manifestly unfounded or excessive', they can charge reasonable admin fees.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

It's therefore advisable for individuals to be specific in the data they are requesting. For example, a reasonable request might be to see a copy of CCTV footage from X location on Y date, during the hours of 13:00 and 16:00 - rather than asking for a month's worth of footage.

As such, companies should ensure that the data they collect is stored safely and in an easily manageable format, thereby ensuring they are GDPR compliant and can facilitate subject access requests with relative ease. Having these processes in place will prevent an organisation coming under fire from public complaints, as the Information Commissioner's Office's official statistics show that the mishandling of subject access requests was the most complained about data protection issues by the public in 2016.

If a company or organisation is unable to fulfil a request, an individual has the right to make a complaint to the ICO.

How to make a subject access request

Making a subject access request is a fairly straightforward process but requires a few steps to be followed.

In the absence of specific criteria under GDPR, access requests can currently be made either in writing, through a letter or an email, or verbally (We'd recommend email because most businesses taking GDPR seriously will have policies in place that will want to record all SARs). These can simply instruct an organisation to provide all the information it holds on you that it's required to disclose under the Data Protection Act 2018 and GDPR.

Advertisement - Article continues below

GDPR does recommend that companies have a standardised form in place to make it easier for data subjects to submit a request, however, even if this exists, an individual's submission will still be valid if made through another means.

Any employee of an organisation may receive a valid subject access request, although it's the responsibility of the company to ensure any such requests are processed. This may require additional staff training for those that are regularly in contact with data subjects. Most individuals will likely contact the marketing or data department specifically to ensure a quicker response.

For an individual submitting a subject access request, the first step is to find out the most relevant department or person in an organisation to submit a request to. After that, it's worth making sure you have a clear idea of all the information you wish to receive through the request.

When submitting the request, ensure you have all your relevant details in the letter or email, such as full name, contact number, and address, as well as any information that will help a company match up your request with your data.

It's also worth noting that under GDPR, an organisation has a month to comply with the request, so do provide a reference date to ensure that happens.

Advertisement
Advertisement - Article continues below

As some companies are still getting used to the switch to GDPR, it's also worth highlighting to the company that you have the right to make the request for free, to prevent any confusion further down the line. A SAR template is provided on the ICO's website.

Advertisement - Article continues below

For companies and individuals handling subject access requests, it's worth being aware of these steps to ensure the requests are fulfilled in a timely manner in order to avoid any action from the ICO. In terms of time limits, the ICO guidance states: "In most cases, you must respond to a subject access request promptly and in any event within 40 calendar days of receiving it." 

How requests should be fulfilled

Organisations have one month to respond to a SAR without notice. However, if an organisation needs extra time to consider a request, this can be extended to three months from the date of the initial request, although it is required to inform the subject as to the reasoning for this delay.

Organisations must ensure that any data provided to a subject is in a commonly used electronic format, unless the individual requests otherwise. GDPR recommends that companies set up a self-service system that grants individuals remote access to a copy of the data, although this isn't compulsory.

All data should be in a concise, transparent, and easily accessible form that's written in plain English and that's capable of being understood by the average person.

If the individual requests a large volume of data then the company may ask for more information in order to narrow its scope. In this instance, the period for fulfilling the request will start from the date more information is provided.

Featured Resources

Transform the operator experience with enhanced automation & analytics

Bring networking into the digital era

Download now

Artificially intelligent data centres

How the C-Suite is embracing continuous change to drive value

Download now

Deliver secure automated multicloud for containers with Red Hat and Juniper

Learn how to get started with the multicloud enabler from Red Hat and Juniper

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now
Advertisement

Recommended

Visit/backup/33385/arcserve-udp-9240dr-review-beef-up-your-backups
backup

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

Visit/security/vulnerability/354309/patch-issued-for-critical-windows-bug
vulnerability

Patch issued for critical Windows bug

11 Dec 2019
Visit/hardware/354193/buy-it-to-grow-not-slow-your-business
Sponsored

Buy IT to grow, not slow, your business

25 Nov 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/security/antivirus/354328/microsoft-to-scrap-security-essentials-when-windows-7-reaches-end-of-life
antivirus

Microsoft to scrap Security Essentials when Windows 7 reaches end-of-life

13 Dec 2019