DataFit

A crucial guide to Data Subject Access Requests

Updated: Nov 4

Since 1998, under privacy laws like the General Data Protection Regulation (GDPR), companies in the UK have been legally required to respond to Subject Access Requests (SARs). These give people the right to request all of the personal data that a business holds about them, and require the business to share it within 30 days of the request being submitted (with some exceptions).


The number of requests being submitted in the UK has been on the rise for a while now, and with the Data Privacy Group estimating SARs are costing UK businesses between £70,000 and £330,000 [1] per year, it’s simply not something that UK companies can afford to ignore any longer.


For many businesses, SARs are problematic due to insufficient data management, meaning people are pulled from current work to deal with requests in the 30-day window prescribed. Depending on the nature of the request, this can be a very laborious, time-consuming and costly task for any company, but it is one that can be avoided.


Having the right storage, accessibility and retention framework in place can dramatically reduce the time spent collating information and responding to a SAR. A request can arrive at any time, on any day, so SARs have the potential to be hugely disruptive. Having a slick data management setup in place provides a peace of mind that can’t be underestimated.


According to research from Statista conducted with UK managers, approximately 31% of SARs come from employees or ex-employees, closely followed by 30% submitted by customers [2], then legal representatives.


Upon receiving a request, a business is required to provide every piece of personal data it holds about that individual. This includes, but is not limited to, a copy of all personal data being processed, e.g. name, DOB, email address, phone number and transcribed calls (if recorded). It also includes supplementary information such as, but not limited to, the purposes of processing, the third parties who have received the individual's personal details, and the period for which the personal data will be stored.


Ask yourself now:

  • Where is all your data stored? 

  • Is that data protected? 

  • Do you know what data you have? 

  • Are you able to easily access and retrieve that data? 

  • Are you aware of how long you should keep data for? 

  • Do you track when it is appropriate to archive or delete data?


If you received a DSAR tomorrow, are you confident you’d be able to respond in a thorough and timely manner? If the answer is no, then reach out now as our team of experts are perfectly poised to help.





Sources

