Subject Access Requests (SARs) and Citizen’s rights

The GDPR grants all EU citizens the right to access the personal data that an organisation holds about them and the way in which that organisation processes that data, the citizen accomplishes this by sending a subject access request to the organisation.

Using a subject access request or SAR, citizens have the right:

  • to rectify or correct their data
  • to erase their data
  • to restrict the processing of their data
  • to be notified regarding the rectification or erasure of personal data or the restriction of processing
  • to request their data to be portable
  • to know the source of the data
  • to know to whom the data has been disclosed
  • to learn the purpose of processing of their data
  • to learn whether that data is being used for automatic decision making
Data subject access request

Subject Access Request – are you ready?

SAR’s may be submitted to anyone in an organisation, from the Receptionist to the CEO, by e-mail, in writing or verbally, accompanied by proof of subject identification, such as an e-mail address or other evidence that verifies and corresponds with the data subject. The administrative cost of responding to a SAR is borne by the organisation, unless the request is repeated or “manifestly unfounded or excessive”.

Staff should be able to recognise a SAR, even when it is delivered through an alternative communications channel such as social media.

The Information Commissioner’s Office confirms that ‘individuals may make a SAR using any Facebook page or Twitter account used by an organisation, other social-media sites to which it subscribes, or possibly via third-party website organisations’. Consequently, an organisation needs to be trained and vigilant in order to receive and manage SAR’s.

The ICO suggests that organisations can steer people to submitting SAR’s through a particular communications channel, such as “SAR@organisation.com”, but ‘may not insist on the use of a particular means of delivery for a SAR’.

Individuals can also request a copy of their personal data, to which organisations must respond within a calendar month unless there is good reason to either deny the response or extend the response timeframe. There are many reasons why a company may refuse to provide complete or partial information, which may include confidential references, financial settlements, legal proceedings or management information which if disclosed, could prejudice the organisation. Either way, the data subject must be informed of these actions within the calendar month.

Individuals also have the right to be informed about the rights they have. These include the right to correction or erasure of personal data that is being processed, the right to object to and restrict the processing and the possibility to lodge a complaint with supervisory authorities.

Subject Access Requests are the number one data protection issue complained about by the public

According to the ICO’s own official statistics, mishandling of SARs is the number one data protection issue complained about by the public. In 2016, 42% of the more than 18,000 data protection-related complaints lodged with the ICO concerned individuals’ rights to access their personal data held by organisations.

A failure to meet the deadline or provide employees with access to all the data they request could expose employers to significant penalties. Indeed, the ICO has a range of enforcement tools available to it under the GDPR, including issuing warnings, reprimands, ordering compliance and imposing large fines.

In order to comply with SAR’s, EU organisations will need to have structured and mapped the subject data that they hold, enabling them to respond in time and in full. This will include keeping tabs on all the systems where personal data is held – this is in line with the new obligation under the GDPR to keep records of processing activities (Article 30). This can cover hardcopy documents as well as information stored electronically such as emails, text messages and spreadsheets. 

The GDPR Data Mapper will provide the following SAR management features in the June 2018 release.

  • The ability to receive data subject access requests
  • Using the data mapper part of the app, discover where the data of a data subject category resides
  • Cross-check the legality of the request
  • Track the request through to completion
  • Report and alert on the length of time remaining until the time to manage the request expires
  • Provide management reports useful for ICO Auditors