What is a subject access request?

Harvesting data from a laptop

With seemingly everything and everyone collecting data through all manner of means, companies and online services now have a lot of information on individuals, whether it's detailed data or aggregate information.

For a number of organisations, this is the trade-off for providing a free service to users, which is the case for search tools like Google and social media companies. Despite this, no matter how you collect data, or how much you store, you might one day receive a subject access request (SAR), especially as users are becoming more conscious of their rights when it comes to data.

What is a subject access request (SAR)?

A fundamental part of many data protection laws across the world is the ‘right of access’ which every data subject has. This is a core tenant of the European Union’s Charter of Fundamental Rights. It gives each data subject the right to know when an organisation is processing or storing any of their personal data. This right is usually exercised through a subject access request.

Through a SAR, an individual can ask to see a copy of their data, as well as information on what type of data it is, why that data is being processed, how long it’s stored, the recipients of that data, how the data was gathered, and evidence to show that it is being appropriately safeguarded.

In contrast to the Data Protection Act 1998, which allowed businesses to charge up to £10 per SAR request, the General Data Protection Regulation requires all companies to accommodate SARs for free. Despite this, if the request is seen as being ‘manifestly unfounded or excessive', they are able to charge reasonable admin fees.

It's therefore advisable for individuals to be specific in the data they are requesting. For example, a reasonable request might be to see a copy of CCTV footage from X location on Y date, during the hours of 13:00 and 16:00 - rather than asking for a month's worth of footage.

As such, companies should ensure that the data they collect is stored safely and in an easily manageable format, thereby ensuring they are GDPR compliant and can facilitate subject access requests with relative ease. Having these processes in place will prevent an organisation from coming under fire from public complaints - as the Information Commissioner's Office's (ICO) official statistics show, the mishandling of subject access requests was the most complained about data protection issue in 2016.

If a company or organisation is unable to fulfil a request, an individual has the right to make a complaint to the ICO.

How to make a subject access request

Making a subject access request is a fairly straightforward process but requires a few steps to be followed.

In the absence of specific criteria under GDPR, access requests can currently be made either in writing, through a letter or an email, or verbally (We'd recommend email because most businesses taking GDPR seriously will have policies in place that will want to record all SARs). These can simply instruct an organisation to provide all the information it holds on you that it's required to disclose under the Data Protection Act 2018 and GDPR.

GDPR does recommend that companies have a standardised form in place to make it easier for data subjects to submit a request, however, even if this exists, an individual's submission will still be valid if made through another means.

Any employee of an organisation may receive a valid subject access request, although it's the responsibility of the company to ensure any such requests are processed. This may require additional staff training for those that are regularly in contact with data subjects. Most individuals will likely contact the marketing or data department specifically to ensure a quicker response.

For an individual submitting a subject access request, the first step is to find out the most relevant department or person in an organisation to submit a request to. After that, it's worth making sure you have a clear idea of all the information you wish to receive through the request.

When submitting the request, ensure you have all your relevant details in the letter or email, such as full name, contact number, and address, as well as any information that will help a company match up your request with your data.

It's also worth noting that under GDPR, an organisation has a month to comply with the request, so do provide a reference date to ensure that happens.

As some companies are still getting used to the switch to GDPR, it's also worth highlighting to the company that you have the right to make the request for free, to prevent any confusion further down the line. A SAR template is provided on the ICO's website.

For companies and individuals handling subject access requests, it's worth being aware of these steps to ensure the requests are fulfilled in a timely manner in order to avoid any action from the ICO. In terms of time limits, the ICO guidance states: "In most cases, you must respond to a subject access request promptly and in any event within 40 calendar days of receiving it."

How requests should be fulfilled

Organisations have one month to respond to a SAR without notice. However, if an organisation needs extra time to consider a request, this can be extended to three months from the date of the initial request, although it is required to inform the subject as to the reasoning for this delay.

Organisations must ensure that any data provided to a subject is in a commonly used electronic format, unless the individual requests otherwise. GDPR recommends that companies set up a self-service system that grants individuals remote access to a copy of the data, although this isn't compulsory.

All data should be in a concise, transparent, and easily accessible form that's written in plain English and that's capable of being understood by the average person.

If the individual requests a large volume of data then the company may ask for more information in order to narrow its scope. In this instance, the period for fulfilling the request will start from the date more information is provided.

Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.