Handling Subject Access Requests Under GDPR
Article 15: Right of access by the data subject
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data…
What is a Subject Access Request?
A Data Subject Access Request (SAR), referred to in the GDPR as a right of access, entitles an individual to view what information an organisation holds about them. The personal data and additional information that should be accessible include the following.
‘the purposes of the processing’
What have you done, or what do you intend to do, with the data subject’s personal data? Is it for marketing purposes?
‘where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period’
How long do you intend to store this information? Do you keep personal data indefinitely, or is it stored and then destroyed after a certain period of time?
‘the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing’
The data subject can request that the stored data is corrected in the event of an error.
So what are the basic requirements of an organisation when faced with a Subject Access Request?
According to the Information Commissioner‘s Office (ICO), one of the biggest changes the GDPR has brought in is the length of time an organisation has to respond to a SAR. The current Data Protection Act (DPA) gives you 40 days to comply. The GDPR now gives you a month to gather the information and respond accordingly.
In certain circumstances, an organisation has the right to refuse the request on the grounds that it is ‘manifestly unfounded or excessive’. Refusing a request must not be done lightly. Practising GDPR means that you need to explain your reasoning, as well as give the data subject the right to complain and appeal. Again, this must be done within a month.
What makes a good Subject Access Request plan?
As with much of the GDPR, planning and preparation are key to a lifetime of living and breathing better data protection. Even small organisations could find themselves having to handle a number of Access Requests, which can be time-consuming. This is why a practised SAR plan is essential to keeping your business moving.
Staff training and ownership
Identify the members of staff who will be managing the processing of Access Requests. Get them the right training and make sure they fully understand the processes that you have put in place. Make sure you document that training has taken place and what it involved. The next step is to devise a method of assigning new requests to those individuals as they come into the business.
Privacy impact assessments
Undertake privacy impact screening and assessments, which are a way for organisations to identify and minimise privacy risks. They help you catch issues early on and maintain trust in your brand.
Integrate with an Information Security Management System
As we have said before, keeping track of all work and actions, including your planning and any mistakes or errors that occur, is an essential part of GDPR compliance. Integrating your GDPR work into a wider information security management system will make that much easier for you. If you also provide your staff with a clear workflow to follow, in which they can keep track of their work, you are more likely to succeed.