What is a SAR and how does it affect your business?

Subject Access Requests

The General Data Protection Regulation gives people more control over their data. One major consideration in data protection is the right to find out what data an organisation holds – a (data) subject access request to you and me.

What is a SAR?

A SAR (or DSAR) is a request by an individual to a business (or other organisation) to see all the personal data that the organisation holds about them. It is a right given by law.

The business has a legal responsibility to reply to the request within 30 days of receiving it (with a few exceptions).

What are the potential issues with SARs?

1. Identifying a request

Identifying SARs can prove difficult because there is no requirement on the person making the request to state explicitly that it is a SAR or DSAR. They may ask in some other way, in any channel.

However, the business must still be able to recognise that a customer has just made a SAR or DSAR, so that it can respond within the permitted 30 day time period.

That is why it is essential to train your staff, and ensure that the training is relevant to their role, and kept up to date.

2. Keeping data organised

It takes time and effort to keep data fully organised. Many businesses do not keep strict, organised records, which makes it harder to find everything and reply within the time limit.

Data asset registers and data flow maps are exercises any business can carry out to establish where its data is held, and they help it meet these kinds of requests efficiently. Read more about data flow mapping here. You would be surprised how difficult many businesses find it to locate their own data!

3. Having processes in place

Having efficient processes ensures that businesses are set up to effectively handle requests of this type.

If a business has not thought about creating a process for handling these kinds of requests, it makes it very difficult to accurately and properly recognise and respond to the request in the allotted time.

4. Controlling data creation

Many businesses do not properly control the data they create, and as a result do not know what to do with the data they hold. When they review the information to be sent out to a customer, they may see diary comments or other items that they would prefer the customer not to see (and be tempted to delete or alter them).

Altering data after a SAR/DSAR is a criminal offence, which is another reason why recognising a SAR/DSAR is vital.

If data is used, altered or destroyed in the normal course of business, that is permitted, but only until the business has located the data in order to answer the DSAR. After that point it must not tamper with it.

Data Protection Claims Culture

Claims companies are proactively looking for businesses to sue over breaches of the GDPR.

We often find now that many disputes, whether with customers, suppliers or staff, involve a SAR/DSAR being thrown into the mix.

Not being prepared or able to answer DSARs puts a business on the back foot.

Failure to respond to a SAR

The business must answer the SAR within the required time or be in breach. That leaves it open to complaints to the ICO, or to the person making the request bringing injunctive proceedings to enforce their right. These kinds of claims can be incredibly expensive.

Being prepared to deal with SARs

For any business, it is far easier to be prepared for a SAR: to know how to identify one and how to handle it.

One of our customers has already handled multiple SAR/DSARs, including cases where they were reported to the ICO, because they were able to show they were fully compliant having used Data Guardsman.

If you would like to find out more about how Data Guardsman can help you get compliant, and prepare you for SARs, click here.
