In a world of online accounts and profiles, companies have an increasingly large library of data about their customers and users. This of course has brought with it a litany of new challenges. One of these is the rapid increase in SAR or Subject Access Requests. Read on to find out what this means for your company.
What are Subject Access Requests?
Subject Access Requests (SAR), or Data Subject Access Requests (DSAR), are essentially a means by which customers can ask for all the personal information a company holds on them. An organisation has one month to comply once the request is made. In the UK the right of access is set out in Article 15 of the UK General Data Protection Regulation (UK GDPR), with the rules on time limits and fees in Article 12.
Why are Subject Access Requests on the increase?
More and more people are making subject access requests – but why? There are three key reasons.
First of all, companies are processing more data than ever before. Personal information can be used for marketing, tailoring services and market research.
Another reason may be more topical. Subject Access Requests are commonly made by people who have left or been dismissed from a job, usually to find out what information their employer held that could have influenced the decision to let them go. With the country still feeling the economic impact of the pandemic, a lot of people are in this boat.
The last reason is to do with changes in behaviour. There’s no question that we’re all becoming more aware of where our personal information is going and the forever increasing number of companies that are using it.
In 2022, people expect organisations to be transparent about what they know about them, particularly where data breaches and fraud are concerned.
What should you do if you receive a SAR?
First of all: don’t panic. It’s a completely normal occurrence, and if it hasn’t happened to your company already this will be the first of many requests to come. As mentioned above, you have one month to respond. This can be extended by a further two months where requests are complex or numerous, but you must tell the requester about the extension, and why, within the first month.
You can’t charge a fee in most cases. The exception is a request that is “manifestly unfounded or excessive”, where you may either charge a reasonable fee to cover administrative costs or refuse the request, and you should be able to justify that decision.
Once you receive a request, you have two key things to do. First, ascertain whether or not you hold that person’s personal data.
Second, if you do, supply a copy of that data together with the following supplementary information –
- What is the information used for?
- Who has access to it?
- How long you are keeping it, and the customer’s rights to have the information corrected or deleted and to object to its processing.
- If the information has been transferred to a third country or an international organisation, what safeguards are in place.
Bear in mind that if the customer is not satisfied with your response, they can complain to the ICO (Information Commissioner’s Office).
What are the common stumbling blocks?
There are a number of pitfalls that organisations fall into when handling SARs. Most of these occur around locating the information that has been requested. If your company’s data is sprawled across different departments and systems, this can be a substantial task. Thankfully there are ways to streamline the process.
Firstly, design a standard form. This makes life easier both for you and the customer, although bear in mind that a request made in any other form (an email, a letter, even a phone call) is still valid and must be handled.
Secondly, have a system through which you can correlate all information you hold that could be requested. If this is too large a task, enlist the help of a clever data management tool.
Thirdly, for telephone calls, you may want to transcribe the audio, which is easier to handle, store and send to the customer. Because this is a laborious task to do in-house, you may want to use a third party like JUST: Access to do it for you.
Last but not least, cut down on paperwork. Holding unnecessary information about people costs your company both time and money.
Let’s face it – SARs are here to stay, at least for as long as companies collect customer data. The important thing is having the data to hand when the inevitable happens and a customer asks for their files to be pulled.
At the end of the day, it’s a legal obligation not a choice, so good organisation is a must.