Managing Subject Access Requests

Managing Subject Access Requests

12 November 2018

Following the implementation of GDPR regulation on the 25th May 2018, a critical aspect of the new directive is an individuals right to access information that you hold on them.

But how is this possible if you don’t know what data you hold on them or where the data is held?

For some organisations, this is a massive challenge as they don’t have the resources or software to structure their data and as a result, difficulty in responding to such requests is prevalent even though the regulation came into force in May. So what happens if an individual contacts you and wants access to their data? You have one month to respond to the individual and present the data accordingly. If your organisation fails to comply with Subject Access Requests, this could expose you to receiving significant penalties and damage your reputation.

We have listed four steps that organisations need to address to manage subject access requests effectively.

1. Make sure the subject access request is valid.

The data subject will need to provide you with sufficient information to verify their identity for you to do the subject access request. All requests can be made verbally or in writing.

2. Calculate the target date for providing the relevant information to the data subject.

All organisations have to send the requested information within one month of the request. Depending on the circumstances and the request, it can take up to an additional two months. Businesses need to ensure that they adhere to target dates and sending the information in a timely manner otherwise they could potentially receive fines especially if they cannot evidence the audit trail. For less severe breaches, the maximum fine is €10 million or two percent of a company's annual revenue, whichever is greater and  for more severe breaches, the maximum fine is €20 million or four per cent of a company's annual revenue, whichever is greater.

3. Find relevant information.

This process can be difficult for organisations that don’t have complete control of their data. Companies often need to task employees to manually search through the email accounts of all employees, email archives, local hard drives, shared directories, SharePoint sites, Office 365 and hard copy documents. Depending on the size of your organisation and the number of employees that you have, this can be extremely time consuming and it would be worth considering the help of a third party to scan your data to identify Personal Identifiable Information.

4. Provide the data accordingly.

You should only disclose information which is about the data subject. Where a document contains personal data about a number of individuals, including the individual that has requested information; you should not disclose the information about the third parties. Ideally, send the requested information to the data subject in their preferred method of contact ie letter, email etc.

Are you one of the organisations that is currently worried about how to deal with any future subject access requests or have you received a subject access request but don’t actually know where to start looking for the information or how to deal with this? Help is at hand!

Talk to us today