Table of Contents
Many business owners in England know the risks of mishandling Subject Access Requests (SAR). In recent years, an increasing number of individuals and employees are seeking SARs to extract information from organisations, often to pursue legal action. The General Data Protection Regulation (GDPR) has rules governing how your organisation should correctly handle these requests. Failure to do so may result in the Information Commissioner’s Office (ICO) investigating your company and fining you. This article will explore the advantages of using an experienced lawyer to help your business handle and process Subject Access Requests in England.
What is a Subject Access Request?
A Subject Access Request (SAR) is a request from an individual (usually in writing) for a copy of all information held about them. Some SARs are specific, for example, asking for all emails mentioning them by name during a particular period. On the other hand, some are more general, for example, asking for all personal data relating to them during their entire time with an employer. However detailed the SAR, the same rules apply to your organisation.
These rules include:
- the individual should receive a copy of the data requested in digital or printed form;
- your organisation must provide the information within one calendar month of receiving the request (with limited exceptions); and
- you should inform the individual of any other party who has received that data.
Previously, businesses in England were able to request a small fee (of £10) to process a SAR. However, today, the GDPR no longer allows this (with limited exceptions). Although handling a SAR appears straightforward, many businesses face significant issues and can benefit from seeking legal assistance.
Let us explore some of the main advantages of doing so below.
Ensuring Correct Correspondence
One of a company’s main tasks when receiving a SAR is to ensure regular and accurate correspondence with the individual. This could include:
- a letter or email acknowledging receipt of the SAR;
- a written request for further information to help carry out the SAR;
- any update letter confirming the progress of the SAR; and
- correspondence enclosing SAR materials (and explaining the reasoning for withholding any information).
Some of these letters require personalisation, where a lawyer’s drafting skills and knowledge of GDPR rules will be essential.
Continue reading this article below the formCall 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.
Knowledge of When to Request Further Information
Before responding to a SAR, you must ensure your company has enough information to comply with it. Many individuals ask for a copy of ‘all information held about me’ when, in reality, they have a core purpose that requires far fewer materials. By narrowing the scope of information to process, you can save time and effort for your business.
It may be advisable to send a tailored letter to the individual requesting further details regard their SAR. Accordingly, an experienced lawyer can:
- offer detailed advice;
- draft any relevant letter; and
- ensure your company does not spend too much time or effort searching for materials.
Advice on the Correct Redaction of Data
It is essential only to provide relevant information relating to that individual and to not accidentally disclose personal data relating to others. A lawyer can advise your company on:
- which parts of data your company should not disclose;
- which parts should be redacted (a process that blanks out irrelevant information using black bars); and
- which documents your company should not mention due to ‘legal advice privilege’ (which protects legal advice given to your company by its lawyer).
Disclosing incorrect information or failing to disclose enough information can constitute a breach of the GDPR. Therefore, it is vital to know which documents you should and should not provide to the individual.
Extending the SAR Deadline
There are certain circumstances in which your organisation can spend more than one calendar month responding to a SAR. However, the GDPR limits your company to specific situations and requires you to provide the individual with written reasons for doing so.
An experienced lawyer will be able to advise you on the meaning of ‘complex’. Furthermore, they can advise whether your company is eligible to extend the one month deadline. This is particularly important as claiming you have an extension when you do not is a breach of the GDPR. Furthermore, such an error is likely to result in an ICO penalty.
Key Takeaways
While using a lawyer is not mandatory, obtaining legal advice on subject access requests can ensure that your business meets its legal obligations. After all, if your organisation handles a SAR poorly, you may face an irate individual and a potential ICO investigation.
If you need help handling subject access requests, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
One reason is that the GDPR contains many rules governing SARs, of which many lawyers have a detailed understanding. Experienced lawyers are also aware of the safe limits of various exemptions and when the ICO may criticise the approach of a business (and consider imposing a fine). In addition, an expert lawyer will be able to handle all aspects of the SAR process, including acknowledgement of receipt, advising on the search and any redaction and sending relevant letters and materials.
No, your company has no exemption simply due to that individual considering legal action. In fact, there would be a greater emphasis on your organisation complying with the SAR, and any attempt not to may be viewed as vindictive by the ICO or any future Employment Tribunal).
We appreciate your feedback – your submission has been successfully received.
