What is a data subject access request?
A subject access request, otherwise known as a ‘SAR,’ is a written request to a company or organisation in which an individual asks for access to any personal information that the business may hold about them.
Under the terms of GDPR, which became law within the UK on 25th May 2018, it is a legal right for any citizen within the UK to access any personal information that a company may hold about them. They can exercise this right at any point, and at no financial cost.
In detail, a person has the right to request:
- Confirmation their data is being processed
- Access to their personal data
- Any other supplementary information (e.g. information that would normally be provided in a business’s privacy notice)
Data subject access requests are relatively easy to make on the part of the individual or employee, but they can also be problematic or time-consuming for employers. Their primary use is for individuals to check that their personal data is being processed lawfully in accordance with GDPR regulations, but employees can also use subject access requests as a legitimate fishing exercise prior to instigating legal action.
What is GDPR?
General Data Protection Regulation, or GDPR, came into force in 2018 and replaced the Data Protection Act 1998. It harmonises data protection laws across the EU and updates the previous regulations to take full account of globalisation and the ever-changing technology landscape. Businesses now need to demonstrate that they comply with the regulation when handling personal data.
The regulation applies to any company processing the personal data of individuals in the EU in relation to offering goods and services, or to monitoring their behaviour. Significant penalties can be imposed on employers who breach the GDPR, including fines of up to €20 million or 4% of the business’s annual turnover, whichever is greater. The level of fine depends upon the type of breach and any mitigating factors, but the fines are designed to strongly penalise any employer who shows a disregard for the GDPR.
What is classed as personal data?
Personal data refers to data that relates to a living person who may be identified from that data (or from that data combined with any other information that a business may possess), including any expression of opinion about the individual or any indication of intentions in respect of the individual.
It is classed as information that relates to the individual in his or her personal, family, business or professional life where the individual is the focus or central theme of the information.
The GDPR applies to the processing of personal data that is carried out:
- Wholly or partly by automated means; or
- Other than by automated means, where the personal data forms part of, or is intended to form part of, a filing system.
Personal data only includes information relating to natural persons who can be identified, or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information.
Personal data may also include special categories of personal data, or criminal conviction and offence data. These are considered to be more sensitive, and they can only be processed in limited circumstances.
Why must employers comply with the new regulations?
You must legally comply with all regulations relating to subject access requests under the terms of GDPR. A failure to meet a stipulated deadline, or to provide an employee with the legally correct data that they have requested, could potentially leave you facing significant penalties.
The Information Commissioner’s Office, or the ICO, which upholds and regulates the terms of GDPR within the UK, has a range of enforcement tools available, depending on the severity of the offence committed by the employer. These include issuing warnings and reprimands, ordering compliance, and issuing fines.
How can I tell what is a valid subject access request?
A valid data subject access request must be made in writing, but there is no particular prescribed form. You must also be satisfied as to the identity of the data subject, and should not automatically assume that the person making the request is who they say they are.
If a request is submitted via a third party, such as a solicitor, then you must also be satisfied that the request has been authorised by the individual in question.