GDPR Subject Access Request Procedure
Published on: 31st October 2018
By PYXI GDPR Team
Any UK organisation which processes (stores and uses) Personal Data may receive a Subject Access Request (SAR) at any time. The ICO stipulates that the organisation must respond to the SAR without undue delay and at the latest within one month of receipt. What should you do?
Here's our checklist...
GDPR Subject Access Request procedure
- Audit, Prepare and Plan
- Confirm and Acknowledge Receipt
- Undertake Data Discovery
- Prepare Response to the Subject
- Send and Document the Response to the Subject
- Confirm the SAR is Closed
Preparation Improves Performance - Get "SAR Ready"
Organisations differ in the ways they process data: what they store, why they store it, where they store it and so on. We have developed specialist software to help you work out the best way for your organisation to respond to a SAR, before one arrives, based on your organisation's own Personal Data usage.
Step 0 - Audit and Prepare BEFORE you receive a SAR
Using PYXI for GDPR to audit your organisation's use of Personal Data will help you to identify where a Data Subject's information is likely to be found, should they make a SAR. Knowing what is stored on your digital devices and in offline storage will speed up your SAR response: when a SAR arrives you will be able to identify quickly where the data is, and save time on data discovery.
Step 1 - Confirm and Acknowledge
Start by acknowledging the SAR. You may need to confirm the Subject's identity at this stage (e.g. can you tell whether it is this "John Smith" or that "John Smith"?), and you must do so before any Personal Data is disclosed: releasing one person's data to another on the strength of a name alone is itself a data breach.
Step 2 - Check your records - Undertake Data Discovery
Check your records to find whether you hold any data about that Subject, searching every data store you identified in Step 0, digital and offline.
Step 3 - Prepare your response to the Subject
Check through the information you hold about the Data Subject and work out the actions required to carry out the Request (e.g. remove or update data, remove from a mailing list, present a copy of the data held, etc.), then compile the records for sending in response to the SAR. For various reasons (particularly legal) you may need to redact some of the data as part of the compilation process, for example references to other Data Subjects; redact by removing the text itself rather than masking it visually, so the redacted content cannot be recovered from the file. If the request is also a "right to be forgotten" (erasure) request, which is a separate right under the GDPR but handled through the same workflow, some data may be exempt from erasure because you are legally required to retain it (e.g. financial transaction records). Assess and collate the items to be shared in the response. It is recommended that the data is prepared in a digital format for sharing with the Subject.
Step 4 - Send, and document, the response to the Data Subject
When you've compiled your response, set up a secure data transfer to send it to the Data Subject. This could be achieved by using a secure and encrypted file server with a unique password for this case that is known only to the Data Subject; send the password by a different channel from the download link, so that intercepting one does not give access to the data. Do not leave the file on the server for longer than necessary: remove it once the Subject has downloaded it, or after a fixed period if they have not. Make sure you write up what you did: what was sent, to whom, when, and how.
Step 5 - Confirm that the SAR is Closed
Finally, check that the Subject is satisfied that the SAR has been fully addressed and that the case can be closed. Document their response and close the SAR case.
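The controls Steps 4 and 5 describe (a unique credential for the Subject, a limited time on the server, a written record of what was done, and closure on the Subject's confirmation) as a worked example. This is added example code, not PYXI's software or anything from the original article. It assumes a local directory standing in for the encrypted file server and leaves encryption at rest to that server; the 14-day retention window, the case identifiers and the package bytes are constructed for the example.

```python
"""Added example (not from the original article): credential-protected, time-limited
delivery of a SAR response package with an audit record. A local directory stands in
for the encrypted file server, which is assumed to handle encryption at rest."""
import hashlib
import hmac
import secrets
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from pathlib import Path

RETENTION = timedelta(days=14)                # assumption: longest a package may stay on the server
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)  # scrypt work factors for hashing the passphrase


def new_passphrase() -> str:
    """A fresh random passphrase for one Data Subject; never reused between cases."""
    return secrets.token_urlsafe(24)


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """The server keeps only a salted scrypt hash, never the passphrase itself."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, **SCRYPT)


@dataclass
class Delivery:
    case_id: str
    path: Path
    salt: bytes
    passphrase_hash: bytes
    expires: datetime
    audit: list = field(default_factory=list)  # the write-up of what was done, and when

    def log(self, event: str, when: datetime) -> None:
        self.audit.append({"when": when.isoformat(), "event": event})


def create_delivery(store: Path, case_id: str, package: bytes, now: datetime):
    """Stage the compiled response under a unique passphrase. The passphrase is given to
    the Subject by a separate channel from the download link (e.g. phone vs. e-mail)."""
    store.mkdir(parents=True, exist_ok=True)
    path = store / f"{case_id}.zip"
    path.write_bytes(package)
    passphrase, salt = new_passphrase(), secrets.token_bytes(16)
    d = Delivery(case_id, path, salt, hash_passphrase(passphrase, salt), now + RETENTION)
    d.log(f"response package staged, sha256={hashlib.sha256(package).hexdigest()}", now)
    return d, passphrase


def fetch(delivery: Delivery, passphrase: str, now: datetime):
    """Release the package only to the passphrase holder and only before expiry.
    Returns the bytes, or None when refused; every attempt goes into the audit record."""
    if now >= delivery.expires or not delivery.path.exists():
        delivery.log("download refused: package expired or already removed", now)
        return None
    if not hmac.compare_digest(hash_passphrase(passphrase, delivery.salt), delivery.passphrase_hash):
        delivery.log("download refused: wrong passphrase", now)
        return None
    delivery.log("package downloaded by Subject", now)
    return delivery.path.read_bytes()


def close_case(delivery: Delivery, subject_confirmed: bool, now: datetime) -> bool:
    """Step 5: close only once the Subject confirms, and take the package off the server."""
    if not subject_confirmed:
        delivery.log("Subject has not yet confirmed; case stays open", now)
        return False
    delivery.path.unlink(missing_ok=True)
    delivery.expires = now
    delivery.log("Subject confirmed SAR fully addressed; package removed, case closed", now)
    return True


def purge_expired(deliveries, now: datetime) -> list:
    """Housekeeping for cases nobody closed: remove anything past its retention date."""
    removed = []
    for d in deliveries:
        if now >= d.expires and d.path.exists():
            d.path.unlink()
            d.log("package removed after retention period elapsed", now)
            removed.append(d.case_id)
    return removed


def demo() -> dict:
    """Run the flow on constructed data; returns the first case's audit trail and the purge list."""
    store = Path(tempfile.mkdtemp())
    t0 = datetime(2018, 11, 1, 9, 0, tzinfo=timezone.utc)
    package = b"PK\x03\x04 constructed stand-in for the compiled response zip"
    d1, pw1 = create_delivery(store, "SAR-2018-0042", package, t0)
    fetch(d1, "not-the-passphrase", t0 + timedelta(hours=1))   # refused and logged
    assert fetch(d1, pw1, t0 + timedelta(hours=2)) == package  # Subject downloads
    close_case(d1, False, t0 + timedelta(days=1))              # no confirmation yet
    close_case(d1, True, t0 + timedelta(days=3))               # confirmed, file removed
    d2, _ = create_delivery(store, "SAR-2018-0043", b"second constructed package", t0)
    purged = purge_expired([d1, d2], t0 + RETENTION)           # d2 was never closed
    return {"audit": [e["event"] for e in d1.audit], "purged": purged}


if __name__ == "__main__":
    print("\n".join(demo()["audit"]))
```

Running the module prints the audit trail for the first case: staged, one refused attempt, the Subject's download, the open-case note, and the closure. The second case is never confirmed, so the housekeeping pass removes it when the retention period runs out, which is the "do not leave the file on the server for longer than necessary" rule enforced rather than remembered.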
Software for SAR Management
PYXI for GDPR contains a simple and effective SAR Management system which takes you through all these steps and gives you confidence in and control of your SAR processing.