How Should Your Business React To Access Requests and SAR’s (Subject Data Requests) Under the GDPR?

Friday, September 7, 2018

Handling subject access requests (“SAR”) effectively and within the legal timeframe remains a challenge for many organisations especially where SARs are becoming increasingly severe. Many businesses still need to “pull their socks up” although many larger corporations and online traders have already ensured that they have systems and procedures in place.

Is basic compliance enough?

Being fully compliant with the new rules, however, isn’t actually the full story as many businesses and organisations are likely to discover immediately after May 25th of this year. Industry experts and others are expecting a huge initial surge in SAR’s (subject data requests) due to the extended rights of information access that data subjects will have once the new regulations come fully into force.

Data extraction

Anyone in business that is “switched on” will have already worked out that there is likely to be a plethora of ambulance chaser style consultants more than eager to assist. They will no doubt provide expert data extraction for potential clients involved in some of the more challenging circumstances (for a fee, of course).

Even businesses that don’t handle data as a primary part of their operations are likely to find themselves in a position where they need to provide personal details to employees. Then there is the whole issue of personal references and request for personal information by other organisations outside of the company or organisation that holds the data.

The need for systems and responsible persons

We may have visited the subject already in previous articles but it is worth mentioning here that these are the very circumstances that substantiate the need for any business that holds person data to appoint a data controller. This would be the person responsible for dealing with requests for data right across the spectrum, whether your business holds client’s personal data or employs staff.

Different types of data requests

In what follows we aim to look at the different types of data request that businesses and organisations are likely to be called upon to fulfil. We will also explore how the “nuts and bolts” of complying with the different request are likely to work in reality. Many organisations and businesses have shared their concerns about becoming “bogged down” with such request when the floodgates open on 25th May. A little forward planning, however, can save such entities a great deal of hard work and the resultant savings in money that will surely accompany it.

What’s coming your way?

One of your best tools for dealing with what will certainly be an increase in data access request and SAR’s is preparedness. Having some idea of what is coming your way in the form of subject access requests and other types of data subject request is probably a good place to start.

Under the GDPR, the rights of the individual (data subjects) are focused in four specific areas.

Right to access: From the 25th May 2018, individuals will have increased rights to access personal information that organisations hold that appertains to them. Under the new provisions, such data subjects can discover where their data is held, what it is being used for, and they can also demand “free of charge” electronic copies of the data.

The right to be forgotten: This is probably far and away the most controversial aspect of the new rules in how it affects both the data subjects and the data controllers. From the entitlement to have all of their personal data erased to being able to potentially demand a cessation in the processing of the data, subjects now have much higher access to their personal information than ever before.

A right to portable data: One of the “best practice” recommendations under the new regulations is that personal data should be “packaged” in a format that makes it easily portable. This is to allow for the rights of the data subject in respect of having their personal information available should they wish to move, copy, or transfer it from one digital storage medium to another.

The right to notification in the event of a data breach: The European Union takes the whole area of personal data and its protection very seriously indeed. This is why one of the key rights of the data subject is that they will have the right to know if there have been any privacy breaches concerning their data that is held by businesses and organisations. With a 72 hour timeframe attached to such notifications, this is one area where businesses and other data controllers will need to be “on the ball”.

Coming up with the goods

Data controllers are therefore likely to be presented with various data request on behalf of the data subjects. From company employees to personal business clients and subscribers, they all come within the remit of the new regulations.

No one is going to argue that any business operation takes time and that, in turn, costs money. On the face of it, GDPR is offering your services to your data subjects for free. That isn’t, however, the full story. Data controllers will be entitled to charge a fee in circumstances where the data request are considered complex, repetitive, or unreasonable.


In the absence of a standard fee, businesses that deal with large amounts of personal data will need to ensure that they have systems in place that minimise the costs of extracting the data and making it available.

What you don’t have to provide

There will be certain circumstances where it will be considered inappropriate to comply with SAR’s and other types of data access requests. In the event of data being used for either criminal justice or within the taxation system, access to the data may be denied. Such instances for example as;

·         Detection and/or the prevention of criminal activities

·         The capture and/or subsequent prosecution of criminal offenders

·         In the instances of the collection and/or assessment of taxes

Such situations would exempt the data controller from their duty under the GDPR to provide such information to the data subject. It would also override the data subject’s right to such a data request.

Cutting through the jargon

If any of the above sounds confusing, the rule of thumb looks something like, any on-going taxation or criminal prevention/investigation procedures would, in effect, cancel out the rights of the individual to access such data.

Public regulatory activity

There is also some provision under the regulations for an exemption in situations connected to public regulatory functions. While this remit is likely to be limited only to bodies or organisations that carry on such activities as a “primary function” it is aimed at the following areas.

Protection of the public from dishonesty, incompetence, malpractice, and other behaviours considered as improper conduct. Health and safety are also cited along with the protection of charitable organisations and a proviso concerning fair business competition.

Such activities will only become exempt, however, if and when they fulfil one or more of following criteria:

·         They must be conferred under an enactment

·         A function of the crown, ministerial, or under the jurestriction of a government department

·         Some other type of public function that is being specifically exercised in the interest of the public

Refusing to comply with a data request

Bearing in mind that the time limit for SAR’s and other data subject requests will shift from 40 to 30 days, it is going to be prudent for data controllers to set the wheels in motion as soon as is feasibly possible. Prompt action is likely to be even more appropriate for requests that are complex or challenging in other ways.

While there are provisions under the GDPR for data controllers (any entity that holds and uses the data) to refuse a data request, the upshot of doing so will be taking on full ownership of why. In other words, the responsibility to substantiate such a refusal to the office of the GDPR will fall directly into the data controllers lap.

Avoiding the unthinkable

Due diligence and bulletproof data storage systems are going to lie at the heart of how successful businesses and organisations adapt to the GDPR after 25th May 2018. Personal data is already a highly sensitive area for businesses. The EU has well and truly nailed its colours to the mast in terms of exactly how seriously it is taking personal data security. It is also backing that ethos up with a very “big stick” in the form of some rather harsh penalties in the form of hefty non-conformity and personal data breach fines.

There is more than a little irony in the very real fact that those controlling our personal data are most at risk of, in effect, “tripping themselves up” in their handling of it. For this one reason alone it is crucial that not only are data request dealt with in a professional and prompt manner but that the strongest possible security is in place to protect such data. This includes ensuring that it is, in fact, only released into the hands of its rightful owners. By reacting swiftly to data privacy breaches and quickly complying with subject access requests, businesses will be adopting a highly proactive approach in how they handle personal data.  

Subscribe for free resources
& news updates.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form


stay in touch

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form