DATA PROTECTION - 31.10.2023

How to respond to a subject access request

A council has been reprimanded by the Information Commissioner’s Office for failing to process data subject access requests (SARs) quickly enough. Responding to these requests can be onerous. How can small businesses comply with the law without wasting time and resources?

Businesses routinely hold personal data about others, making them “data controllers” under UK GDPR. Individuals are entitled to access their data by making a “subject access request” (SAR), to which any business, no matter its size and resources, must respond on time.

Format

Despite the formal title, an SAR can take any form - verbal, written or even via social media - but the trouble with informal requests is their lack of clarity. Tip. Put together a pro forma SAR and, if you get an informal request, ask the individual to complete it. They don’t have to use it (if they refuse, you must still comply with the SAR), but most will, and you’ll have the information you need to get started.

Process

Appoint a data protection lead to deal with SARs and other data protection matters. They should acknowledge receipt of the SAR promptly and obtain any further information needed from the applicant. Tip. Most complaints to the Information Commissioner’s Office (ICO) about SARs arise from a lack of communication. Keeping the data subject in the loop helps avoid complaints, which can result in a public reprimand or a fine.

Deadlines

You must provide the data without undue delay and in any event within one calendar month of receiving the SAR, i.e. by the corresponding date in the following month (or the last day of that month if there is no corresponding date). If that date falls on a weekend or public holiday, you have until the next working day. You can extend the deadline by up to two further months if the request is complex or you have received a number of requests from the same individual. However, you must tell the individual before the first month is up that the longer deadline applies, and why.
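The deadline rules above are easy to get wrong at month ends and around bank holidays, so here is a small calculator that applies them. It is an added example for this article, not a tool from the ICO or the publisher; the bank holiday list is a constructed sample for England and Wales (assumption: you would load the real list, e.g. from gov.uk, in practice), and the extended period is computed as three months from the day of receipt.

```python
"""SAR deadline calculator (added example; not part of the article).

Rules implemented, following UK GDPR Art. 12(3) and ICO guidance:
- the clock starts on the day the request is received;
- the deadline is the corresponding date one calendar month later, or the last
  day of that month if there is no corresponding date (e.g. 31 Jan -> 28/29 Feb);
- if that date is a Saturday, Sunday or public holiday, it moves to the next
  working day;
- for complex or numerous requests the period may be extended by two further
  months (three months from receipt in total), but the individual must be told
  within the original one-month period.
"""
from calendar import monthrange
from datetime import date, timedelta

# Constructed sample of England & Wales bank holidays (assumption for this
# example only; use an authoritative, maintained list in production).
SAMPLE_BANK_HOLIDAYS = frozenset({
    "2023-05-01", "2023-05-08", "2023-05-29", "2023-08-28",
    "2023-12-25", "2023-12-26", "2024-01-01", "2024-03-29",
})


def add_calendar_months(d: date, months: int) -> date:
    """Add whole calendar months, clamping to the last day of the target month."""
    index = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(index, 12)
    month = month0 + 1
    last_day = monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d: date, holidays: frozenset) -> date:
    """Roll forward past Saturdays, Sundays and listed public holidays."""
    while d.weekday() >= 5 or d.isoformat() in holidays:
        d += timedelta(days=1)
    return d


def sar_deadlines(received: str, holidays: frozenset = SAMPLE_BANK_HOLIDAYS,
                  extended: bool = False) -> dict:
    """Return ISO dates for a SAR received on `received` (ISO format).

    Always includes "respond_by". When `extended` is True, "respond_by" is the
    three-month deadline and "notify_extension_by" is the original one-month
    date by which the individual must be told about the extension.
    """
    start = date.fromisoformat(received)
    one_month = next_working_day(add_calendar_months(start, 1), holidays)
    result = {"respond_by": one_month.isoformat()}
    if extended:
        three_months = next_working_day(add_calendar_months(start, 3), holidays)
        result["notify_extension_by"] = one_month.isoformat()
        result["respond_by"] = three_months.isoformat()
    return result


if __name__ == "__main__":
    # 31 March has no corresponding date in April; 30 April 2023 is a Sunday
    # and 1 May 2023 is a bank holiday, so the deadline lands on 2 May.
    print(sar_deadlines("2023-03-31"))
    # Received 30 Nov 2023 and extended: notify by 2 Jan 2024 (30/31 Dec are a
    # weekend, 1 Jan is a holiday), respond by 29 Feb 2024 (leap year clamp).
    print(sar_deadlines("2023-11-30", extended=True))
```

Note that the calculator only tells you the last permissible day; the legal duty is still to respond without undue delay, and a request that needs clarification should be acknowledged and chased well inside the first month rather than held to the deadline.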

Reprimand

Lewisham Council was reprimanded by the ICO in August 2023 because it did not respond on time to 35% of the SARs it received in 2022. The Council was given credit for improvements like assigning more staff to SARs and changing its processes, but the reprimand came with further recommendations to implement.

Search

The data controller must perform a “reasonable search” for the personal data. It will help if the SAR is specific, although individuals are entitled to ask for all their data. Depending on the scope of the SAR, the search could include databases, emails, documents, smartphones, CCTV, etc. Beware of others’ data. Before responding, consider carefully whether you need to redact other people’s personal data from the material. Tip. This will depend on the context. The ICO’s website gives useful examples and guidance, especially its recent Q&A on the complexities of employers dealing with SARs from employees.

Response

Send the response securely (check how the individual wants to receive it) and keep a copy. The response must also include certain “additional information”: the purposes of the processing, the categories of data, who the data has been or will be shared with, how long it will be kept, where it came from if not from the individual, and the individual’s rights (including the right to complain to the ICO). You cannot charge a fee unless the SAR is “manifestly unfounded or excessive”, or the individual asks for further copies. In these cases, you may only charge a reasonable fee based on your administrative costs (for a manifestly unfounded or excessive request, you can instead refuse to act on it, explaining why).

Responding to an SAR is usually quite straightforward but can be time consuming. Make the process as easy as possible for your business by having a data protection lead and procedure to follow, narrowing down the scope of the SAR if possible and keeping in touch with the person who made the request.

© Indicator - FL Memo Ltd

Tel.: (01233) 653500 • Fax: (01233) 647100

subscriptions@indicator-flm.co.uk • www.indicator-flm.co.uk

Calgarth House, 39-41 Bank Street, Ashford, Kent TN23 1DQ

VAT GB 726 598 394 • Registered in England • Company Registration No. 3599719