Data protection top tips for… Subject Access Requests

19 January 2021

To celebrate international Data Privacy Day 2021 (28 January 2021), the Birketts Data Protection Team has produced a series of data protection top tips articles. This bite-sized advice series is designed to provide you with some easily digestible compliance tips, focusing on some of the key issues we see clients dealing with on a daily basis. Today we are focusing on Subject Access Requests (SAR). Brett Butcher shares his data protection top tips…

  • Be prepared…Make sure that you and all of your staff know how to recognise when a SAR has been received. A SAR does not have to be in writing and can be made verbally. It is crucial that any SARs received are promptly forwarded to the individual responsible for data protection matters within your business. This is because the clock on the 1 month deadline for your response (extendable by up to two additional months if a SAR is complex) starts on the date the SAR is received. Staff training and guidance in this area is key and will ensure that a SAR deadline isn’t missed or worse, ignored entirely.
  • Be certain of the scope...Make sure you are clear what the data subject is asking for. If you process a large amount of personal data about an individual, you can ask them to clarify the information or processing activities their request relates to. On asking the data subject to clarify their request, the clock for your response to the SAR is stopped until you receive clarification from the data subject. However, you cannot ask the data subject to narrow their SAR and you cannot ask for clarification if the extent of personal data the data subject wants to be provided with is clear from the original SAR.
  • Complete your searches…Come up with search terms which will allow you to discover all of the personal data which the data subject has asked for in the SAR. Think about where you store the personal data of the data subject and make sure that you are searching all of these locations thoroughly (using your search terms) to identify all relevant documents and correspondence.
  • Complete your redactions…Once you have identified and located all of the potentially relevant documents from your searches, consider what redactions you need to make to those documents. The data subject is only entitled to receive a copy of their personal data that you hold. You should therefore redact all personal data of third parties (unless you have consent from that third party to disclose their data or it is otherwise reasonable to disclose it) and all information which is not the personal data of the data subject. There are also a number of additional exemptions which sometimes permit you to redact further information (such as communications with solicitors where they are legally privileged). The application of exemptions is technical in nature and so we would recommend you seek legal advice on their applicability.
  • Provide your response…If you received the SAR by email, and the data subject hasn't instructed you to provide a response by any other means, you can provide your response by email. Your response must be accompanied by a cover letter which includes supplementary information set out under Article 15 of the GDPR. If you have a GDPR compliant privacy policy, this can be attached to the cover letter to satisfy some of the fields of supplementary information you are required to provide to data subjects alongside your SAR response.

If you have any queries regarding our top tips for Subject Access Requests or need help in implementing them do get in touch.

Please feel free to like and share our top tips and check back again tomorrow for our next set of top tips.

Happy Data Privacy Day from the Birketts Data Protection Team.

The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at January 2021.