How to respond to a subject access request
Businesses routinely hold personal data about others, making them “data controllers” under UK GDPR. Individuals are entitled to access their data by making a “subject access request” (SAR), to which any business, no matter its size and resources, must respond on time.
Format
Despite the formal title, an SAR can take any form - verbal, written or even on social media - but the trouble with informal requests is their lack of clarity. Tip. Put together a pro forma SAR and, if you get an informal request, ask the individual to complete your form. They don’t have to use it (if they refuse, you must still comply with the SAR), but most will, and you’ll have the information you need to get started.
Process
Appoint a data protection lead to deal with SARs and other data protection matters. They should acknowledge receipt of the SAR promptly and obtain any further information needed from the applicant. Tip. Most complaints to the Information Commissioner’s Office (ICO) about SARs arise because of a lack of communication. It will help avoid complaints, which can result in public reprimand and fines, if you keep data subjects in the loop.
Deadlines
You must provide the data without undue delay and within one calendar month of receiving the SAR. If this happens to end on a weekend or public holiday, you have until the next working day. You get an extra two months if the request is complex or asks for a large amount of information. However, tell the individual before the first month is up that the longer deadline applies.
Reprimand
Lewisham Council was reprimanded by the ICO in August 2023 because it did not respond on time to 35% of the SARs it received in 2022. The Council was given credit for improvements like assigning more staff to SARs and changing its processes, but the reprimand came with further recommendations to implement.
Search
The data controller must perform a “reasonable search” for the personal data. It will help if the SAR is specific, although individuals are entitled to ask for all their data. Depending on the scope of the SAR, the search could include databases, emails, documents, smartphones, CCTV, etc. Beware of others’ data. Before responding, consider carefully whether you need to redact other people’s personal data from the material. Tip. This will depend on the context. The ICO’s website gives useful examples and guidance, especially its recent Q&A on the complexities of employers dealing with SARs from employees.
Response
Send the response securely (check how the individual wants to receive it) and keep a copy. There is “additional information” that must be included in the response, giving the context of the data held/processed, the reasons for this and the individual’s rights. You cannot charge a fee, unless the SAR was “manifestly unfounded or excessive”, or the individual asks for further copies. In these cases, you may only charge an admin fee.