SAR 101: What Is a Subject Access Request?
Many companies have sensitive personal information about their employees and customers. They file their names, credit card numbers, social security numbers, or other data account information that is necessary to either meet their payroll, fill orders, or conduct necessary business functions.
Sound data security and a privacy plan should be put in place in order to avoid the sensitive data falling into the wrong hands thus leading to fraud or identity theft. In case of a security breach, you may end up losing your clients or get slapped with a lawsuit.
If you’re a business that handles the personal information or data of others, then you should know what a subject access request (SAR) is.
Learn more about SAR here.
Understand Subject Access Request
SAR is a request made by a person about their personal data from a company’s databases.
As more people are aware of their personal rights, they may want to know what information your organization has about them and the purpose for which it’s processed. They may ask for a copy of their data which is in line with the law.
Requests can be made verbally or formally through a written form of communication. A request shouldn’t be ignored and must be dealt with as part of the General Data Protection Regulation and the Data Protection Right Act 2018.
Duration to Handle Request
With the new legislation, SARs must be acted upon within 30 days (one month) from when you receive a request. In cases where the request involves a hefty number of documents or complex information, ask for time extension and communicate to the person asking for the request promptly.
Charges for the Request
In most cases, companies offer the information free of charge, however, companies are allowed to charge a reasonable fee covering the administrative costs of getting the information.
Information to Provide
A business should provide a response based on the request. This could include:
• Copies of statements under the requester account
• The purpose of using their data
• Any recipients of their personal data
• An estimate of how long they will keep your information in their database
• How the data is captured into your system and from where it was obtained
The SAR regulations dictate that you can ask for all the details of your personal data from the organization.
Ability to Withhold Information
You can withhold any sensitive information that may expose a third party not involved in the request.
In the case of the subject access request being repetitive, you can opt not to share the information. In case there is an ongoing investigation and sharing the information could compromise the nature of the investigation, then you can decline to issue a report.
Format of SAR
The response needs to made in writing. You can make a form available which will assist the person requesting to know what they exactly need of the SAR.
Take a Positive Approach to the Request
The subject access request is an essential right for every individual. When responding to a SAR, take this as an opportunity for you to improve on your customer service and service delivery.
It will also help your customers, employees, and other stakeholders to verify the information you have about them whether it is accurate and whether you need to make changes.