In recent months, there has been a rise in Subject Access Requests (known as SARs). As you have a legal duty to respond, it is important to be able to recognise your obligations.

What is a SAR?

Put simply, a subject access request is a request made by or on behalf of an individual for information.

A SAR entitles an individual to find out what personal data is being held about them by a business, why it is being held, and to whom that business may disclose that information.

A SAR can be written or oral and does not have to be in any particular form as long as it is clear that the individual is requesting their personal data. A SAR can even be made via social media!

What to do if you receive a SAR?

As a business, you have a legal responsibility to identify that an individual has made a request to you and to handle it accordingly.

It is vital that you are fully prepared, to ensure that any requests are dealt with in a timely manner.

Consider things like:

  • When/if you can refuse a request;
  • What information you need to provide to individuals, or if there are any exemptions;
  • The nature of the information you need to provide; and
  • What processes are in place to ensure that you respond without undue delay.

The risks of getting it wrong

If you refuse to comply, do not adhere to timescales, do not provide all the personal data held, and/or just ignore the request, the individual can complain to the Information Commissioner's Office (ICO). The ICO can then issue a warning, reprimand, enforcement notice or a penalty notice.

Data Retention Policy (DRP)

Under the General Data Protection Regulation (GDPR), businesses must create a DRP to help them manage the way they handle personal information.

A DRP should list the types of record or information you hold, what you use it for, and how long you intend to keep it. It helps you establish and document standard retention periods for different categories of personal data.

If you don’t know where to start, we can help in providing such a policy for you.

This all might sound a bit scary, so take a look at our whitepaper https://hallidayshr.co.uk/subject-access-request-whitepaper/ to find out more.

How Hallidays HR can help

If you would like to discuss any of the above in more detail, then please do not hesitate to contact us.