Employer News: How to handle a subject access request


A subject access request (SAR) is a request made by an individual to an organisation for access to the personal data that the organisation holds about them. This is a right granted under data protection laws, such as the UK's Data Protection Act 2018, the General Data Protection Regulation (GDPR) in the European Union and various other data protection regulations worldwide.

When an organisation receives an SAR, there is a one-month deadline to respond, and failing to respond within this period is a breach of data protection law unless you meet the criteria for an extension. The Information Commissioner's Office (ICO) sets out detailed criteria under which a two-month extension can be applied to this deadline, but those criteria are complex.

In most cases the one-month deadline applies, and you need to act quickly to comply with this legal time limit. Failing to do so can lead to complaints to the ICO, which could result in correspondence from the ICO asking about your organisation's processes for handling SARs and requesting follow-up action to remedy any gaps in those processes. Organisations that repeatedly fail to comply with data protection law can face fines.

Recognising that you have received an SAR is important, because the request may not be explicitly labelled as a subject access request. Requests must be properly logged and handled under an established process. Employees must therefore be trained to recognise SARs and to understand which internal procedure to follow when one is received.

A common way to manage SARs is to set up a dedicated e-mail address for receiving requests, in order to streamline the process. This address is published in the organisation's privacy policy so that all requests are directed through that route.

Get the right process

Large organisations that are used to receiving SARs will generally have an established process for handling them. Smaller or medium-sized companies, however, may be caught off guard, and without a clear process in place they will be poorly equipped to comply with data protection regulations.

The first challenge is to understand what information you need to provide to the person making the request. This will partly depend on the individual, as they may have a specific search term in mind or may widen their request to cover all the data you hold about them. It is worth asking the individual whether the time period and/or scope can be clarified, but you cannot put pressure on them to do so and they are not obliged to.

In addition to clarifying the time period and scope, you should also carry out appropriate identity checks to confirm that the person making the request is who they claim to be. The one-month clock pauses until identity is confirmed and restarts once the request has been clarified.

The information requested could be held in one or more sources, but it will generally include items such as e-mails or chat records from your virtual workplace, such as Microsoft Teams. You must identify the tools to search and choose appropriate search terms, depending on the nature of the request. The search will probably return thousands of documents, and the next step is to review that information to determine what you need to disclose under the SAR.

The three -step process

This review process can be divided into three key steps. In the first step, you discard everything that is not the individual's personal data. It is important to understand that the right of access only covers personal data.

The second step involves removing information about third parties, for example the names of other people or information that would readily identify other people, unless you have their consent. This information would generally be redacted.

The third step considers whether any exemptions apply. Determining this requires technical legal expertise. If an exemption applies, you may redact or withhold the information, but you must explain what has been withheld and why you have determined that the exemption applies.

Examples include situations where information is legally privileged, such as communication between a lawyer and their client. Consulting a privacy lawyer is advisable to determine whether exemptions have been applied correctly and to rule out misapplication.

Having followed this process and gathered the necessary information, you must also consider the best way to provide it to the person making the request. This is most often done digitally, but it is up to the applicant how they want to receive their data.

Having an established procedure for this stage of the process also helps companies handle requests properly and avoid common errors that could cause an unintended loss or disclosure of sensitive information. For example, if you send the information as a password-protected document, you would send the document and the password in separate e-mails. If you send sensitive information by post, you would take additional precautions, for example by using a tracked delivery service and, depending on the volume of data, splitting it into several packages.

Growing awareness of data protection rules has contributed to an increase in the number of people making subject access requests. For companies or organisations without a clear process in place, handling these requests can be difficult. Following the advice in this article will give you a good starting point, but data protection lawyers can help you further, whether you are looking for a light-touch advisory role or for someone to manage the SAR process on your behalf.

Arbor Law is a team of experienced lawyers with expertise in data protection. To find out more, visit https://arbor.law
