Get Free Downloads
Start your GDPR today in just a few clicks
Get Free Downloads
Start your GDPR today in just a few clicks

When is a SAR not a SAR?

by Adam Brogden
in Blog

13-Dec-2018 13:32

GDPR includes a number of important rights for data subjects. The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.

Managing a Subject Access Request is probably the most important process you need to establish for your organisation. Don’t forget that a SAR can be made verbally or in writing – you need to ensure you capture verbal SARs, the same rules apply to both.

Individuals have the right to obtain the following from you:

  • Confirmation that you are processing their personal data

  • A copy of their personal data

  • Other supplementary information – this largely corresponds to the information that you should provide in a privacy notice

The GDPR does not specify how to make a valid request. It can be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.

A request does not have to include the phrase 'subject access request' as long as it is clear that the individual is asking for their own personal data. This can be tricky as potentially any of your employees could receive a valid request and you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly.

So, when trying to decide whether or not a request should be treated as a SAR you should consider the following:

  1. Confirm with the data subject why they are making the request – it may be that they are simply looking for account information and don’t really need to raise a SAR.

  2. Ask what information they want – they might need less than a full SAR response saving you lots of time and effort.

  3. Try to resolve their problem in other ways. They might not need a SAR at all.

However, always play safe! If it looks like it could be a SAR then treat it as a SAR. Respond quickly, politely, and professionally. Make sure you follow your SAR processes and record everything!

If you have any questions please feel free to call us. The has an inbuilt SAR Management tool to help you through the process and keep a log of all actions. Keeping an audit trail is very important.

Don’t forget, we are always happy to help.

Good luck all!