Subject access requests (SARs) – The need for education and centralised processes
In a previous blog, we looked at the importance of an organisation establishing a tried and tested subject access request (SAR) response process. Having a well-drilled team following
a clearly defined process is all well and good but will be largely redundant if SARs received across the organisation are not getting through to your dedicated individual or team.
We have come across numerous examples of SARs being received by individuals who are not aware of their significance and, as such, the requests are either ignored or assigned to the
‘to do’ file or drawer. In this blog, we will discuss the importance of ensuring that your whole organisation can identify a SAR and the benefits of controlling the entry points of SARs and creating a centralised SAR process.
One of the biggest challenges we all face is the fact that SARs often arrive in the organisation without any clear explicit indication that they are actually a SAR! The Information Commissioner’s Office (ICO), which has released some useful guidance on the best approaches to responding to a SAR, confirms that neither the phrase ‘subject access request’ or
Article 15 (GDPR) have to be referred to in an information request in order to constitute a SAR. It also confirms that a request can be made either verbally or in writing, which effectively means that a SAR can be received in various forms and by a multitude of individuals across your organisation. Let’s start by looking at the identification conundrum.
Identifying a SAR
It is vital that all of your staff understand what a SAR is, so they can quickly identify when one has been received. It is likely that your staff have received some basic training on data protection and their responsibilities, but they may still be unsure of what a SAR is. They will know what personal data is, so it is important that they also know that any individual can request their personal data at any time and in any form (verbal or written).
A pop-up session or bite-size training module on SAR identification is highly recommended to re-affirm this message to your staff. All staff need to be aware of the dedicated team or individual in your organisation who are responsible for responding to SARs.
Most importantly, they need to be made aware of the need to pass any request for information promptly to the assigned individual/s who can then review, acknowledge, investigate and respond accordingly. It is essential that staff are made aware that they should not attempt to respond to the SAR themselves.
It is highly likely that some requests may be forwarded to your data protection specialist/s which are not in fact SARs, but it should be left to your specialists to make that assessment.
Controlling entry points of SARS
Whilst it is possible that SARs can be received across the organisation, there are measures that you can take to try and limit or control the entry points. Your customer services team is likely to be a first port of call (both emails and calls) for customers wishing to exercise their right to access personal data (under Article 15). As such, the training of these front-line staff should be prioritised so they can forward all data protection related queries promptly to the appropriate people.
Setting up and promoting a dedicated email inbox to manage DP-related queries will also help filter requests coming into your organisation. Customer, suppliers and other external third parties will appreciate having a dedicated data protection @ address rather than sending mails in speculatively to individuals where there is a greater probability of things getting lost or delayed. A dedicated email address also helps in maintaining a log or register of requests.
Benefits of a centralised process
Maintaining a centralised process is not only important in the identification of SARs and tracking requests you have received, but also in ensuring the most appropriate response is received. Responding to a SAR requires specialist knowledge to ensure that you minimise further risks to your organisation. The DP specialist/s will know exactly what must be included in a response (see our top tips for handling SARs) and by when.
There are various nuances to consider when sharing personal information (and when not to share!) particularly in protecting individuals’ personal information and freedoms. Many documents will need to have specific information redacted before they can be disclosed, and this requires trained and skilled specialists to carry out this process before a SAR can be responded to. A central register will also help you identify any ‘serial requesters’ who have sent in multiple SARs or where requests have been denied in the past.
To sum up, the key starting point in any SAR process is to quickly identify that a request for information is actually a SAR! A trained workforce that is knowledgeable of your organisation’s data protection obligations and understands exactly what to do when they receive a request (i.e. they know who responds to these requests) will speed up the response times and improve the quality of the response your organisation provides.
In doing so, you will maintain the goodwill of the individuals requesting information and also keep the ICO from knocking on your door for failing to meet your obligations!
URM’s fully qualified team of consultants has a deep knowledge of data protection legislation, not just of the legalities and the security principle via our ISO 27001 services, but around all of the GDPR’s principles, gained through working with our clients on practical business implementation over the last 15 years.