GDPR: Subject Access Requests

As part of the GDPR implementation, it is now a requirement that companies release any information that they store or process on you if you request it. A Subject Access Request (SAR) is a request made by an individual to receive information regarding which data a company holds on you, and how they process it.

From a data subject (customer) perspective, you are entitled to obtain the following information:

* A copy of your personal data

* Confirmation of whether your personal data is being processed by the company

* The retention period of your data (i.e. when the company intends to keep this data until)

We recommend visiting the ICO website for a more extensive list of what is covered under a SAR.

From a company perspective, a SAR can have enormous resource consequences if you are not prepared for this already. Depending on the size of your business, it may take a substantial amount of time to both locate and supply the data that a data subject has requested. Therefore, it is vital that a process is in place that you are prepared to follow to complete these requests.

As it currently stands, you cannot charge a fee to complete a SAR unless the request is excessive or will take a substantial amount of time to process. Additionally, you must provide the information requested within one month of receipt to ensure that the data is supplied to the data subject in a timely manner.

There are a number of guidelines on what is covered by a SAR, and there are endless resources to support the influx of these requests moving forward. We recommend incorporating a strategy to manage SARs proactively rather than reactively and ensure that data is well-organised so you can access it quickly and efficiently.