The General Data Protection Regulation (GDPR for short) is made up of eight different principles that outline the guidelines relating to how personal data and information is collected and processed.
The GDPR was first enacted in May of 2018, in conjunction with the Data Protection Act (DPA.) As most data privacy savvy individuals know, with GDPR, it gives users the ability to request their data. Similarly to GDPR, the California Consumer Privacy Act (CCPA) also allows users to submit subject access requests.
So, what is a SAR?
A Subject Access Request (SAR) is an important facet of the GDPR, CCPA and likely future privacy laws, as it is what allows employees and individuals to both request and receive a copy of all the personal data that a company or organization has collected about them.
What else do you need to know about the SAR definition, and what information are you expected to provide? How can these access requests impact your company, and how can you properly manage these requests?
Keep on reading this post to find out.
Your Responsibilities When Receiving a Subject Access Request
If someone has sent your company a SAR, you need to ensure that you follow all the regulations to the letter to avoid potential fines, investigations, and other serious problems.
First, be aware that "personal data" refers to both digital and paper records. (Click here for a more complete definition of the term "personal data.")
When it comes to GDPR, you only have 30 days to reply to the Subject Access Request, and that 30-day window begins on the day that you receive the SAR. However, if the requests are especially complex, or if an individual has made many requests, you may be able to extend that deadline by a maximum of two months.
If your company plans to file such an extension, you must clearly outline and explain why you need the extension and inform the recipient that you are seeking an extension within a month of the initial SAR.
You are not allowed to charge any fees when providing an employee or individual with a copy of their SAR data. In rare cases, you may be able to charge a "reasonable fee" if the request is especially excessive or repetitive, such as if an individual requests multiple copies of their personal data.
You are also responsible for making sure that the individual receives a copy of their data in a standard format, or in a format that is agreed upon by the individual requesting to access data.
What Information Should a SAR Contain?
Now that you're more familiar with your basic SAR requirements as a company or organization, let's talk about what information you need to provide when someone requests to access info about the data you've collected on them.
You need to tell the individual making the request why the data was collected, how you processed their data, and who their personal data has been shared with.
You will also need to tell them how long you have had the data, and how much longer you plan to keep it. You are also obligated to inform an individual if their data was used to make an automated decision about them, and if their personal data has been used to make some sort of a profile about them.
Remember that, as of this writing, there aren't any existing guidelines/rules about how someone must make a Subject Access Request. So, an individual or employee may even be able to send your company an email saying something like, "I would like to know the personal data you've collected on me" -- and that counts as an SAR.
When You Do Not Have to Share Personal Data
In rare cases, your organization may not be required to provide an individual with a copy of the personal data you've collected about them.
If the information being requested could compromise someone else's identity, your company isn't required to share it with the person making a request. After all, it would be a violation of another person's privacy, as you'd essentially be sharing their personal data with another person without their knowledge.
Additionally, if the person who is making the request is currently the subject of a criminal investigation or the subject of an investigation regarding tax payments, you may not have to provide them with a copy of their data.
The same goes for any matters potentially involving national security, settlement negotiations, and management forecasting.
This is because having that kind of information could compromise the entire investigation. Be aware that, as of this writing, there isn't a set list of specific exemptions regarding when companies aren't required to provide an individual with a copy of their personal data.
As you can see, the regulations surrounding a SAR can get complicated incredibly quickly.
For this reason, many companies invest in privacy rights management software to help them to keep track of the requests and their responses to them.
Need Help Responding to a Subject Access Request?
We hope that this post has helped you to better understand what a Subject Access Request is, as well as grasp the responsibilities and potential exemptions that you are required to follow and provide as a company and employer.
Are you interested in automating and scaling the way your company approaches privacy rights management? Need to future-proof the way you approach data collection, privacy, responses to Subject Access Requests, and more?
The Truyo platform is able to help with all that and more.
Reach out to us today to request your free demo.
We look forward to showing you how our software can eliminate operational overload, protect your customers, and help you to sleep better at night knowing your company's privacy rights management is in good hands.