With UK GDPR (General Data Protection Regulation) a continual priority, and given the importance it plays in protecting individuals’ data, receiving a subject access request can be daunting, stressful, and complex. This is particularly true if you’re a new company or if it’s the first time you’ve handled a subject access request.
At ALPH Legal and Compliance, we understand that it can be difficult to know when to deal with a request and when to challenge one. Our aim is to ensure you have clarity and a clear understanding of what is expected, which is why we have created this article to explain what a subject access request is and what you are required to do by law.
What is a Subject Access Request?
A Subject Access Request is a core part of UK GDPR, which gives an individual the right to know what personal data you hold about them. It also gives them the right to understand how their personal data is used, who it’s been shared with, and for how long it will be retained by your business.
The request doesn’t need to follow a specific format and can be raised through various channels, such as a written, verbal, or email request. If an individual has asked to see their personal data, regardless of how they made it, you should treat it as a valid request.
Why would someone make a Subject Access Request?
Most people who submit Subject Access Requests are looking to understand how their personal information is being used. It can be for any reason, whether that’s to verify the accuracy of the information or to check that the data being used by a company is handled legally and appropriately.
Below, we’ve listed some of the more common reasons someone might make a Subject Access Request:
- Confirming what personal data an organisation holds.
- Understanding how their information is being used or shared.
- Checking whether the data on record is accurate.
- Reviewing information relevant for a complaint or legal dispute.
- Seeking reassurance that their data has been handled lawfully.
- Understanding how the organisation obtained their information.
Recognising a valid request
A subject access request becomes valid from the moment you receive it. It’s important to note that the person making the request does not need to mention UK GDPR or the term Subject Access Request for it to be valid.
As long as the individual asking for access to their personal data is who they say they are, the countdown to your response begins. Typically, you will have one month to provide a response, so identifying the request early is important.
Confirming the identity of the individual
As previously mentioned, before releasing any personal information, you must be satisfied that the person making the request is who they claim to be, and asking for proof of identity is completely acceptable if you are unsure.
This is especially relevant if the subject access request involves sensitive data or if you don’t have an existing relationship with the individual. If you feel you need to ask for any additional information, it should be reasonable and proportionate to what is needed to complete the request.
Understanding what you need to provide
Your response should include all the personal data you hold on that individual, as well as information about how that data has been and will be processed.
This includes the purpose for processing, the categories of data, retention periods, and information about the individual’s rights. It is especially important that any data you provide is written in a clear and accessible format.
Commonly asked questions about Subject Access Requests
Subject Access Requests can often seem straightforward at first glance, but operational questions tend to surface as soon as a firm starts handling them on a more regular basis.
How long does a firm have to respond?
You must respond to a Subject Access Request without undue delay and no later than one month from the date it is received. The clock starts as soon as the request is recognised as valid. Extensions are possible, but only where the request is complex or involves a high volume of data.
When must the data be provided?
The response deadline and the deadline for providing the data are the same. Firms cannot acknowledge the request and then send the information at a later date; the full response must be issued within the one-month time limit unless an extension has been lawfully applied.
Can I charge a fee for a subject access request?
You cannot charge a fee for a standard Subject Access Request. Charges are only permitted where the request is clearly unfounded or excessive, and the burden of proving this lies with you. Even then, the fee must reflect the administrative cost only.
Is it possible to refuse a Subject Access Request?
Refusal is only justified in rare circumstances, such as where the request is unfounded or excessive, or where disclosure would affect the rights and freedoms of others. Any refusal must be explained in writing, and the individual must be informed of their right to complain to the ICO.
If you’re still unsure about what your rights are when receiving a Subject Access Request, speak to our team, who will be happy to guide you.
What happens if I don’t respond to a request?
UK GDPR is an important law, as it protects people’s personal and private data that you have on them. With more people now paying attention to how their personal data is used and processed, remaining compliant with UK GDPR is vital.
If you don’t respond to a Subject Access Request in a timely manner, it may cause you to be investigated by the ICO (Information Commissioner’s Office). This body is responsible for dealing with any data complaints made by individuals, including situations where a Subject Access Request has not been responded to.
Essentially, after a complaint has been made, the ICO investigates, and if they find a company to be in breach of UK GDPR, they have the power and authority to issue fines, which can be considerable.
How ALPH Legal & Compliance can help with a Subject Access Request
Receiving a Subject Access Request can be worrisome, especially if it’s your first time, but the crucial point is clarity and timeliness when responding. Whether the request comes from a subscriber on your mailing list or from a company you’ve provided services to and hold employee data for, it must be handled within the same timeframe.
At ALPH Legal & Compliance, regardless of the type of Subject Access Request, our team can help you respond quickly and appropriately, handling correspondence effectively and efficiently. Speak to our team today to help you remain UK GDPR compliant.
