In this post we are going to look at some work we have recently completed for a client in relation to how they handle Subject Access Requests (SARs). But before we do that, it's worth recapping the changes that are coming in relation to SARs.
A SAR is a request for personal information that your organisation may hold about an individual. If an individual wishes to exercise their subject access right, the request must be made in writing. The purpose of a SAR is to make individuals aware of and allow them to verify the lawfulness of processing of their personal data. Under the GDPR and the current Data Protection Act (DPA), individuals have the right to obtain confirmation as to whether personal data is being processed. If personal information is being processed, they are entitled to access the following information:
- the reasons why their data is being processed;
- the description of the personal data concerning them;
- anyone who has received or will receive their personal data; and
- details of the origin of their data if it was not collected from them.
Under the GDPR, the procedure for making a SAR is similar to the procedure under the DPA. However, there are two key changes that we considered for an electronic system.
- Under the DPA, your organisation can charge up to £10 for a SAR. Under the GDPR, a request for personal information is free unless the request is ‘manifestly unfounded or excessive’. Your organisation can charge a ‘reasonable fee’ for multiple requests.
- Under the DPA, you must respond to SARs within 40 days of receipt of the written request. Under the GDPR, your organisation must respond to SARs within one month of receipt. This deadline can be extended by a further two months where there are a number of requests or the request is complex, but you must contact the individual within a month of receipt, explaining why the extension is necessary.
These changes mean there will likely be an increase in SARs for most organisations. To help organisations cope with this, we have developed a system that can manage and process requests.
There are two main components to this system: a custom public front end that allows someone to submit a new SAR, and a custom SharePoint interface for managing requests.
The SharePoint component allows staff to manage and update the SAR and push information out to the person who made the request. The following features are available:
- Prioritise and manage SARs in a queue
- Start a counter when a new SAR is made
- Route the request to an appropriate person or department
- Generate statistics based on processing of SARs
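The response deadline described above (one month from receipt, extendable by a further two months, with the requester told about the extension within the first month) is what the "start a counter" and "prioritise in a queue" features have to track. The following is an added example of that deadline logic in Python; it is not code from the client system described in this post. It assumes that "one month" means the same calendar day in the following month, falling back to the last day of that month when no such day exists (so a request received on 31 January is due on 28 February), that the extension makes the deadline three months from receipt in total, and that the extension notice is due by the original one-month deadline. The ticket references and dates in the sample queue are constructed.

```python
"""Statutory deadline tracking for Subject Access Requests (SARs).

Added example, not the client system described in the post. Assumptions:
 - "one month" means the same calendar day in the following month, or the
   last day of that month when no such day exists (e.g. 31 Jan -> 28 Feb);
 - the two-month extension runs on from the original deadline, i.e. three
   months from receipt in total;
 - the notice of extension must reach the requester by the original
   one-month deadline.
"""
import calendar
from dataclasses import dataclass
from datetime import date


def add_months(d: date, months: int) -> date:
    """Return d shifted by `months`, clamped to the last day of the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass(frozen=True)
class SarRequest:
    reference: str          # constructed ticket id, e.g. "SAR-0001"
    received: date          # date the written request was received
    extended: bool = False  # True once the organisation has invoked the extension

    @property
    def respond_by(self) -> date:
        """Hard deadline for the full response (one month, or three if extended)."""
        return add_months(self.received, 3 if self.extended else 1)

    @property
    def extension_notice_by(self) -> date:
        """Latest date by which the requester must be told about an extension."""
        return add_months(self.received, 1)

    def days_remaining(self, today: date) -> int:
        """Whole days until the response deadline; negative once overdue."""
        return (self.respond_by - today).days

    def status(self, today: date, warn_days: int = 7) -> str:
        """Coarse queue status used for prioritisation and reporting."""
        remaining = self.days_remaining(today)
        if remaining < 0:
            return "overdue"
        if remaining <= warn_days:
            return "due-soon"
        return "on-track"


def prioritise(requests, today: date):
    """Order the SAR queue: earliest response deadline first, then oldest receipt."""
    return sorted(requests, key=lambda r: (r.respond_by, r.received))


if __name__ == "__main__":
    # Constructed sample queue, viewed on a constructed "today".
    today = date(2018, 6, 1)
    queue = [
        SarRequest("SAR-0001", date(2018, 4, 25)),
        SarRequest("SAR-0002", date(2018, 1, 31), extended=True),
        SarRequest("SAR-0003", date(2018, 5, 28)),
    ]
    for r in prioritise(queue, today):
        print(r.reference, r.respond_by, r.days_remaining(today), r.status(today))
```

The month-end clamping in `add_months` is the part most easily got wrong by a naive "add 30 days" counter: a request received on 31 January has a shorter deadline than one received on 1 February, and the queue ordering has to reflect that rather than the receipt order.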