It is approaching six months since the GDPR came into force; by now, many companies will have received Subject Access Requests, and the first fines have been issued. In this special interview, we answer your questions on an individual’s right of access and what it means for business.
One of the focuses of GDPR is Subject Access Requests (SARs), but haven’t they always been available?
That’s correct. People were able to submit SARs under the old Data Protection Acts, but the GDPR has brought a renewed focus on them, and people are now more aware of their ability to do so. Some of the details around SARs have changed, including the fact that companies can no longer charge for them (unless there are repeated or excessive requests), and the time to process and respond to a request has shortened from 40 days to 30 days.
Why do people want to know what data is held about them? Why is that important?
There is a variety of reasons – some people are fed up with repeatedly getting marketing messages from organisations and want them to stop. It could be a resentful employee or ex-employee who wants to know what was said about them, or perhaps a person was not accepted for a service and wants to understand why. People just want to be sure that information about them isn’t being held incorrectly or misused.
With some companies receiving an influx of requests, how accurate do you feel the results will be?
You can’t guarantee it will be 100% accurate because of the variety of places in which organisations store data. Information can be stored in emails, on desktops or on personal drives, but it should always be in a central and managed corporate information system. Organisations need to have their data under control, but it’s still hard to see inside documents without a significant investment of time to open and review them. As a result, manual processes will not be as accurate as they should be.
Do you have to disclose all documents you hold on someone?
No – there are exemptions, such as not releasing information about other people, or if the data is subject to legal proceedings. It’s often not suitable to release everything you get back from the search, as there will often be duplicates stored in several areas. If it’s an email held in the inboxes of five different people, you don’t have to send the requester every copy, but you could disclose that there were four other copies which haven’t been sent.
One month a company could receive one SAR and the next month it could be 15. How difficult is it to allocate resources and handle unexpected volumes?
Companies may be able to make a forecast; for example, if they are changing policy or retiring services, they might expect more. Any negative press or data loss issues will also, without doubt, result in an influx of requests. Statistics are good for seeing how many requests you’re receiving and how long they take to process; this can inform the business going forward. You also need to keep a SAR Register, provide evidence that requests were processed within the timeline, and record what decisions you made when dealing with them. It’s good records governance, but it adds to the overall time taken to complete them.
Which industries do you think will receive the most SARs?
It is difficult to say as the GDPR is so new, but possibly the marketing and communication industries, which have previously held lots of data, for example mailing lists. The medical profession could also see an increase as people want to know what’s on their records. Then again, there are the finance and insurance industries! So it’s hard to be specific; we have a broad range of customers across all sectors and they are all experiencing an increased volume of SARs.
Will companies find it difficult with the shortened time to respond?
With the GDPR comes a necessity to provide evidence of actions and decisions. This means you must be able to prove, if questioned, where you searched, what results were returned, what decisions you made, what you disclosed, what you redacted and what exemptions you applied to non-disclosed documents.
As you can imagine, it’s a lengthy process to manually establish which is the record, which are drafts and which are duplicate copies. There’s a lot of evidential information that you need to retain in relation to each request. But this is also a great opportunity for companies to get their personal information management practices in order. On the other hand, companies that have put automated and intelligent processes and systems in place have been able to satisfy SARs well within the timeframe.
Finally, what’s the solution if it’s becoming harder?
If you can automate any parts of the SAR process, then all the better – this will save a lot of time. By using a solution which handles the SAR from the initial point of contact right through to fulfilling the request, companies can ensure that compliance is easier, quicker, more cost-effective and, most importantly, less risky.