For some organisations, this is a massive challenge as they don’t have the resources or software to structure their data and as a result, difficulty in responding to such requests is prevalent even though the regulation came into force in May. So what happens if an individual contacts you and wants access to their data? You have one month to respond to the individual and present the data accordingly. If your organisation fails to comply with Subject Access Requests, this could expose you to receiving significant penalties and damage your reputation.
We have listed four steps that organisations need to address to manage subject access requests effectively.
1. Make sure the subject access request is valid.
The data subject will need to provide you with sufficient information to verify their identity for you to do the subject access request. All requests can be made verbally or in writing.
2. Calculate the target date for providing the relevant information to the data subject.
All organisations have to send the requested information within one month of the request. Depending on the circumstances and the request, it can take up to an additional two months. Businesses need to ensure that they adhere to target dates and sending the information in a timely manner otherwise they could potentially receive fines especially if they cannot evidence the audit trail. For less severe breaches, the maximum fine is €10 million or two percent of a company's annual revenue, whichever is greater and for more severe breaches, the maximum fine is €20 million or four per cent of a company's annual revenue, whichever is greater.
3. Find relevant information.
This process can be difficult for organisations that don’t have complete control of their data. Companies often need to task employees to manually search through the email accounts of all employees, email archives, local hard drives, shared directories, SharePoint sites, Office 365 and hard copy documents. Depending on the size of your organisation and the number of employees that you have, this can be extremely time consuming and it would be worth considering the help of a third party to scan your data to identify Personal Identifiable Information.
4. Provide the data accordingly.
You should only disclose information which is about the data subject. Where a document contains personal data about a number of individuals, including the individual that has requested information; you should not disclose the information about the third parties. Ideally, send the requested information to the data subject in their preferred method of contact ie letter, email etc.