GDPR: Subject Access Requests

The Covid-19 pandemic will certainly have impacted the way the ICO has been able to exercise its powers since the inception of GDPR and the post Brexit changes. However, the ICO continues to enforce and make examples of organisations that fail to adhere to data protection legislation.

Under the Data Protection Act and GDPR regulations, users have the right to make a Subject Access Request to receive a copy of their personal data and information. Today, we consider the importance and legal requirements for a business to respond to a subject access request, and the consequences of any failure to do so. 

What is a Subject Access Request (SAR)?

A subject access request (SAR) is an important facet of UK GDPR and the Data Protection Act 2018 and allows individuals to submit a request to an organisation to share what personal information is being held by that organisation about them.

There is no prescribed method on how this can be accomplished, i.e. verbally, by email or by electronic means, so organisations should not disregard the various methods that such a request can be made and ensure they have a process in place if this does occur.

Individuals are legally entitled to know whether the organisation is processing their data, for what purpose and to request a copy of that information. As part of the request, the individual can also ask for supplementary information such as what mandatory privacy information is also in place.

How long do you have to respond to a Subject Access Request?

An organisation is legally required to respond to a SAR without undue delay and within one month of such a request. The response should be clear and concise and not misleading in any way. If the response is likely to be complex, it would not be unreasonable to ask for an extension of up to 2 months from the individual making the request.

What are the consequences of not responding to an SAR?

As stated above, there are legal requirements for organisations to address an SAR and how this is responded to, which if they fail to adhere to, the ICO may take action against them with a range of different consequences.

The Information Commissioner’s Office (ICO) has recently taken action against 7 organisations who have failed to respond to the public when asked for personal information held about them, i.e. an SAR.

The investigation by the ICO found that the 7 organisations, across both the public and private sector repeatedly failed to respond to the requests and meet the required deadlines. This resulted in regulatory action, including reprimands as well as practice recommendations.

The consequences of failing to respond to the SARs in a timely way and in line with the legal requirements have meant that those organisations not only faced reprimands from the ICO, but it also put them under the radar of the ICO moving forward.

SAR key takeaways and advice:

• Businesses need to have in place good procedures for dealing with SARs and diarised acknowledgments so they can monitor the timelines effectively.
• Staff should be trained properly to respond to SARs.
• The ICO is not afraid to hand out consequences to those that fail to adhere to the data protection legislation.
• Further investigations by the ICO could be carried out including a compliance audit.
• Any adverse findings by the ICO could give rise to a civil claim by individuals for compensation against your organisation, if you fail to meet the deadlines.

Specialist legal advice and guidance 

Our expert team of solicitors can assist your organisation in ensuring that it is compliant with all relevant legislation including GDPR and the data protection laws.

Get in touch with a member of the team today or find out more about our range  of GDPR legal services, including:

• Data audits
• Advising on data protection impact assessments
• Drafting key policies and processes
• Drafting data processing and data sharing agreements
• Advising on data compliance and data protection laws, and how they may affect your business
• Risk management strategies
• Disputes on data protection issues
• Advising on cross border data flows / transfers
• Organisational training
• FOI Requests
• Personal data breaches and breach notifications