Simplifying subject access requests – new SARs guidance

By Myles Dacres

The right of access is a fundamental right under data protection law. And it has never been more necessary. In a world where personal data is used almost everywhere – by everyone – it is vital that people have the right to be able to find out what’s happening to their information.

More and more people are waking up to the power of their personal data and are exercising their rights. That is why, as an organisation, it is important that you know how to deal with a subject access request (SAR) effectively and efficiently.

Since lockdown in March 2020 there has been much greater appetite for support and clarification on some aspects of the law that are not so clear-cut.

This showed how seriously organisations take their data protection obligations, and how recent circumstances such as working from home and an increase in redundancies have seen a rise in the number of access requests raised.

The ICO has put together a list of recent changes to make the handling of SARs simpler, including:

  1. Stopping the clock for clarification – seeking clarification on requests often doesn’t leave enough time to respond. As a result, the ICO’s new position is that, in certain circumstances, the clock can be stopped whilst organisations are waiting for the requester to clarify their request.
  2. What is a manifestly excessive request? – to combat confusion over when to class a request as manifestly excessive, the ICO has now provided additional guidance to help and broadened its definition.
  3. What can be included when charging a fee for excessive, unfounded, or repeat requests? – the ICO received a lot of feedback relating to this question and has updated its guidance.

Hopefully the new guidance is going to be useful for organisations across the board, especially during the COVID-19 pandemic, as it will give them more insight into how to deal with SARs and access the information they need quickly and easily.

The right of access is a cornerstone of data protection law and good SAR compliance instils trust and confidence. That’s why it’s essential that organisations get this right, because people’s trust in how organisations use their personal data plays a role in their overall confidence and support for your services.

We’re here to help with any and all questions relating to SARs and we have set up the SAR Bureau to help with any additional support your business may need.

We are always happy to make contact with you by phone, email or a face-to-face meeting at our office or yours. We work standard UK office hours – every weekday, 0830 to 1730.


IMPORTANT INFORMATION

We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/spam-texts-and-nuisance-calls/.  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here https://www.tpsonline.org.uk/register.

We know that these kinds of calls can be distressing and intrusive, and you have our sympathy. Please do not hesitate to contact us if you would like to discuss it with us; otherwise, we'd encourage you to report it to the ICO, as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary. You can see the action that has been taken by the ICO here https://ico.org.uk/action-weve-taken/enforcement/.

Data Protection People Limited – March 2021