Subject Access Request SOS?

11 April 2019

Prior to the GDPR coming into effect in May 2018, there was widespread speculation regarding the impact of the new rights to be forgotten and data portability. However, as we approach the one year anniversary of the GDPR, it is not these new rights that our clients tell us are causing concern.

For most, it is the significant increase in subject access requests (SARs) that is proving problematic. Thanks to the tidal wave of GDPR publicity, individuals have never been better informed about their right of access nor, with the withdrawal of the £10 SAR fee, more willing to use it.

Heightened awareness and free access have created a spike in demand which, coupled with a lack of guidance in relation to the updated rules around SARs, have left many businesses firefighting numerous SARs with little certainty as to whether their approach is fully compliant.

Two of the most common issues we encounter in practice are:

  1. Uncertainty around the time allowed for responding - Many organisations are relying on outdated guidance regarding the interpretation of “one month” that was published prior to the ICO issuing its formal guidance. Others are putting themselves in breach by routinely applying the two month extension period to all requests received or, conversely, putting unnecessary pressure on resources by failing to apply the extension where it may reasonably be used.
  2. Lack of understanding as to when a request can be refused - The GDPR allows an organisation to refuse to respond to a request or impose a fee where the request is manifestly unfounded or excessive (taking into account whether a request is repetitive) but what exactly is meant by “manifestly unfounded or excessive” and when does a request become repetitive? Whilst we are now familiar with the ICO's internal guidance on the issue, the ICO has yet to publish any guidance and acknowledges that, in the absence of published guidance or case law, using the exception will carry an element of risk. 

If you are struggling with these issues, why not join us at one of our practical SAR training workshops running across our four offices during April and May? During each session we will use a variety of exercises and case studies to take delegates through a five step response plan to ensure compliance with the new rules and discuss how to deal with difficult requests and dissatisfied data subjects. Delegates will be given quality materials and checklists to take away and ample opportunity to ask questions. 

Book your place

To book your place please click on the session you would like to attend below: