What is a Subject Access Request (SAR)?
A Subject Access Request (SAR) is the right of an individual to request any ‘personal data’ that your organisation holds for them. This right is a principle of the General Data Protection Regulation (GDPR), designed to regulate the processing of information from which a living individual can be identified or singled out either from the information on its own or when combined with other information.
As part of a SAR, individuals have a right to:
- A description of the information held about them;
- Be informed of the purposes the information is used for;
- Be informed of the disclosures that are made or might be made;
- Be informed of the source of the information;
- Be informed of the envisaged retention period for the data;
- Be informed if their data is transferred internationally, who the recipients are, and what the adequacy mechanisms for those transfers are; and
- Receive a copy of their personal information.
Can I levy a charge for a SAR?
The GDPR requires all organisations to accommodate SARs for free, however, if the request is considered to be ‘manifestly unfounded or excessive’, you can charge reasonable admin fees.
How long do I have to service the request?
Organisations have one month to respond to a SAR without notice. However, if an organisation needs extra time to consider a request, this can be extended to three months from the date of the initial request, although it is required to inform the subject as to the reasoning for this delay.
What do I need to provide?
Organisations must ensure that any data provided to a subject (the individual making the request) is in a commonly used electronic format, unless the individual requests otherwise.
The GDPR recommends that companies set up a self-service system that grants individuals remote access to a copy of the data, although this isn’t compulsory.
All data should be in a concise, transparent, and easily accessible form that’s written in plain English and that’s capable of being understood by the average person.
If the individual requests a large volume of data then the company may ask for more information in order to narrow its scope. In this instance, the period for fulfilling the request will start from the date more information is provided.
Finding all information about a data subject is often an inefficient and costly process…
Often, one of the most challenging aspects of servicing a SAR is finding all the information you have on an individual in your systems, then collating and exporting that information to complete the service.
To find all related information, you may need to look across your entire enterprise data estate: email systems, shared drives, cloud drives, social media, database systems and more.
Finding and retrieving information without the tools to do so, can make the task: difficult, time consuming, impractical and highly inefficient.
How can infoboss help?
Our SARboss software solution is designed with the specific purpose of empowering your SAR servicing personnel with the tools needed to quickly search and locate the information held on a data subject across all of your enterprise digital data sources. Once data has been collated it can be easily exported (to a zip file) for subsequent redaction and further processing before returning to the client.