What is a Subject Access Request?
A Subject Access Request (SAR) enables individuals to find out what personal data you hold on them, why you hold it and who you disclose it to. The GDPR enforces strict parameters on the way these requests are dealt with.
You may already be familiar with SARs. However, under GDPR, the conditions upon which requests are processed are more stringent:
- All SARs must be free of charge. The only exception is if the request is ‘manifestly unfounded or excessive,’ where an organisation is entitled to charge a ‘reasonable fee.’ You may also charge a ‘reasonable fee’ to comply with requests for further copies of the same information. Where requests are manifestly unfounded or excessive, in particular because they are repetitive, you can refuse to respond. If you do this, you must explain why to the individual and inform them of their right to complain to the supervisory authority.
- You will be required to respond to SARs within one month. You can extend this period, provided the original SAR is acknowledged within a month, with an explanation of why the extension is necessary.
What they are entitled to know
A data subject is entitled to certain information about the way their data is being used. Therefore, these are the things you should tell them when responding to a SAR:
- What – the categories of data being held e.g. email address, postal address, telephone number, credit card number.
- Why – the purpose for which their data is being held.
- Who – with whom their data is being shared, or to whom it is being sold.
- When – how long you plan to hold on to their data, or what methods you will use to decide how long to hold on to their data.
- How – how you obtained their data.
- And – whether or not any automated decision making is involved in the processing of data.
These categories are useful when you think about how to structure your database systems to enable you to easily answer such questions. You should remind anyone who makes a SAR of their rights as enshrined by the GDPR:
- The right to lodge a complaint to the ICO.
- The right to request rectification, erasure or restriction of the relevant data.
What you need to do
The fact that SARs are now free of charge may well increase demand. This means your organisation needs to become familiar with recognising them, and to create and test a procedure for responding to them before the law comes into force. Most cultural organisations will be gathering marketing data, but you’ll need to be aware of other places in the organisation that hold data, such as fundraising, learning and outreach teams.
This may require having a dedicated staff member to process SARs, or implementing SAR policies and procedures that your team can recognise and follow.
Spot the difference – A subject access request is different from a Freedom of Information (FOI) request. SARs come from data subjects requesting to know what information is held about them by an organisation or company. An FOI request isn’t limited to personal data: it can cover any recorded information held by a public body. Finally, Freedom of Information legislation applies particularly to public sector organisations, whereas all organisations must comply with a SAR. Cultural organisations that are also public sector organisations may include local authorities’ cultural programmes and properties, or publicly funded museums.