Data Subject Access Requests (DSARs) FAQs

The right people and technology to deliver an efficient end-to-end solution

Right of access FAQs

1. What is the right of access?

2. What does this right entitle individuals to?

3. What is excluded from this right?

4. How does an individual exercise this right?

5. How to prepare for the response?

6. How should an organization respond?

7. Who responds to these requests?

8. What department(s) should deal with these requests?

9. How long does an organization have to respond to a request?

10. Can an organization charge a fee?

11. Can an organization refuse to respond or withhold personal data?

12. What are some common response challenges?

1. What is the right of access?

This is one of the rights individuals have under an increasing number of data protection regulations across the world, including the GDPR in the UK and EU, the PDPA in Singapore, and emerging US state privacy laws. In the UK and EU the process of exercising this right is referred to as a Subject Access Request (SAR) or a Data Subject Access Request (DSAR). The DSAR requirements are the focus of these FAQs. The right of access requirements may differ slightly in other regulations.

2. What does this right entitle individuals to? 

This right generally entitles an individual (data subject) to access a copy of all personal data held about them by an organization. This includes personal data collected directly and actively from them (e.g. name, address, contact details, and ID) as well as personal data processed indirectly and passively (e.g. IP address, decisions, inferences, shopping habits, risk-scoring, profiling, and opinions).

3. What is excluded from this right?

This right only entitles an individual to access their personal data. They should not be given access to the personal data relating to any other individual.

4. How does an individual exercise this right?

An individual can exercise this right by submitting a request to an organization, either themselves or via a third party. They may request access to all of their personal data, or they may want access only to specific personal data; for example, a customer or former employee may be requesting evidence to use in a dispute.

5. How to prepare for the response?

A request may be submitted using a formal or informal method, so an organization should ensure that staff are trained to recognize these requests and that there is a documented procedure to follow when a request is received.

6. How should an organization respond?

All requests should be acknowledged as soon as they are received. Once the request and the identity of the individual have been validated, the personal data relating to them should be prepared in an intelligible manner, without jargon or company acronyms, and presented in an easily accessible way so that the individual can receive and access the data they requested.

7. Who responds to these requests?

Under the GDPR the responsibility for responding to these requests sits with the Controller (the organization that determines the purpose and means of processing personal data); however, the Processor (the organization processing personal data under the Controller's instruction and on their behalf) may need to provide support to the Controller.

8. What department(s) should deal with these requests?

An organization should assign responsibility to a central team that coordinates these requests; this could be positioned in HR or a compliance function. However, depending on the volume and complexity of retrieving the personal data, this process is likely to need input from the contact centre, the IT department, and any other department that is responsible for personal data within the organization. It needs to be a collaborative effort.

9. How long does an organization have to respond to a request?

An organization must respond within one month of receiving the request. This deadline can be extended by an additional two months in limited circumstances for complex requests, or multiple requests from the same individual.

10. Can an organization charge a fee?

A fee cannot be charged for the first copy. If further copies are requested, an organization may charge a reasonable fee based on administrative costs.

11. Can an organization refuse to respond or withhold personal data?

An organization can only refuse to provide the personal data requested if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. An organization cannot withhold or delete personal data about an individual on the grounds that disclosing it could cause reputational damage to the organization, e.g. negative opinions recorded about that individual. It is an offence to alter or delete personal data in order to prevent its disclosure.

12. What are some common response challenges?

Common challenges include ensuring that staff are trained to identify requests and that adequately trained resources can be assigned at short notice to deal with them, knowing where the personal data are stored, knowing how to export the data from systems, and knowing how to redact information that is not the requester's personal data. Responding to a request can be a complex and time-consuming task, so organizations should ensure that the policies, procedures, and people are in place.