GDPR - Do You Know your SARs from Your Elbow

Data protection puts the fear of God into lawyers, individuals and businesses and is enough for some lawyers to quit and emigrate. Interactions with data protection vary greatly from requests for access to a subject’s data to instructions to destroy a party’s personal sensitive information.

I Have Received A Data Subject Access Request, How Do I Handle It?

It would be tempting for clients receiving a Data Subject Access Request, to panic and either

• disclosing the incorrect information hastily or
• not disclosing such information.

When clients receive such requests, lawyers should be advising them to breathe, remain calm, composed and collected.

What Are Subject Access Requests And Why Are They Sent?

The majority of Data Subject Access Requests are motivated by persons asking affected organisation for their sensitive personal data. For example, those received by businesses from members of the workforce subject to disciplinary proceedings and/or disenchanted members of the public for many reasons. Such requests can drain business resources.

There Is A Set Format For Data Subject Access Requests, Isn’t There?

Many legal areas such as family law have specific rules governing the drafting of legal documents and courts may refuse to accept them. However, in contrast Data Subject Access Requests are not obliged to submit a Data Subject Access Request in a prescribed format.

Any Distinguishing Features?

Data Subjects can submit written and verbal data subject access requests. Lawyers and In-house legal teams need to advise clients on how to identify possible Data Subject Access Requests. They should ensure that clients as a minimum that:

• company policies and insurance positions are fully up-to-date so a potential breach does not invalidate any insurance policies or prospective claims.
• they have checked for the presence of a Data Protection Officer or a manager to carry out these functions.
• in the absence of such a position, clients need to have ensured that such a person is appointed to the respective position, and
• clearly instructing the workforce and clients to direct such data protection queries to this appointed person.

The Clock Is Ticking…?

When Data Subject Access Requests are received before assessing timings the person making the request to access the personal date needs to be identified. It is important because the identity needs to be carefully checked and verified against some form of photographic identification document such as a passport to confirm their identity. The time limit of 72 hours begins counting down from the moment it is received. However, there is scope for stopping the clock. Lawyers need to advise their receiver clients to be reasonable and provide a response to such requests within one month of receipt because the Information Commissioner may perceive a delay in responding as a breach of data protection.

What If It All Goes Wrong?

Client should be advised that the Information Commissioner takes breaches of data protection very seriously and it may take action such as:

• conducting an investigation to see if any violations of any data protection regulations have been committed,
• enforcing the data protection regulations, and
• imposing any sanctions such as fines and damages to the data subject.

Patrick Wheeler from Collyer Bristow recommended for businesses to reduce the stress and the risk of violation by investing its resources in preparing for data subject access requests. However, despite this preparedness, clients can still be caught out and should consider the following options:

• keeping updated their procedures and policies
• obtain legal advice from an external data protection advisor and/or
• an independent advisor.

ASSESSING FIRMS

#LinklaterLLP #HuntonAndrewsKurthLLP #HoganLovellsLLP #Fieldfisher #BristowsLLP #Bird&BirdLLP #Allen&Overy #BakerMcKenzie #CMS #Covington&Burling #Dentons #DLAPiper #EvershedsSutherlandLLP #Latham&Watkins #DWF

THE ARTICLE WAS WRITTEN USING THE FOLLOWING SOURCES

[1] Wheeler, Patrick – How should HR teams manage data subject access requests – People Management - 31 March 2022 - How should HR teams manage data subject access requests? (peoplemanagement.co.uk)

[2] Information Commissioner – Your Right of access - Your right of access | ICO

[3] Greenall, Beth – How to Respond to a Data Subject Access (DSAR) – IT Governance - 16 April 2020 - How to Respond to a Data Subject Access Request (DSAR) (itgovernance.co.uk)

[4] General Data Protection Regulation

[5] Section 40 – Data Protection Act 2018 - Data Protection Act 2018 (legislation.gov.uk)