Subject Access Request – What every business owner is thinking about but no one is discussing

Since 1998 private and under privacy laws like the General Data Protection Regulation (GDPR), companies in the UK have been legally required to respond to Subject Access Requests, giving people the right to request all of the personal data that a business holds about them and to share this within 30 days of submitting the request (with some exceptions).

The number of requests being submitted in the UK has been on the rise for a while now and with the Data Privacy Group estimating SARs are costing UK businesses between £70,000 and £330,000 per year, it’s simply not something that UK companies can afford to ignore any longer.

Sam Gaskell, Founder and CEO of Hampshire-based data management consultancy, DataFit, is urging business owners to take note and act now: “For many businesses SARs are problematic due to insufficient data management, meaning people are pulled from current work to deal with requests in the 30 day window prescribed. Depending on the nature of the request, this can be a very laborious, time consuming and costly task for any company but it is one that can be avoided.

“Having the right storage, accessibility and retention framework in place can dramatically reduce the time spent collating information and responding to a SAR. If you consider that you can receive one at any time, on any day, they have the potential to be hugely disruptive, so having a slick data management set up in place provides a peace of mind that can’t be underestimated.”

According to research from Statista conducted with UK managers, approximately 31% of SARs come from employees or ex-employees, swiftly followed by 30% submitted by customers, then legal representatives.

Upon receiving a request, a business is required to provide back every piece of personal data it holds about that individual, including but not limited to; a copy of all personal data being processed e.g. name, DOB, email address, phone number, transcribed calls (if recorded). As well as supplementary information, including but not limited to; the purposes of processing, third parties who have received their personal details, the period for which the personal data will be stored.

Sam continued: “Ask yourself now; do you have data stored in one place or in multiple places? Is that data protected? Do you actually know what data you have? Are you able to access and retrieve the data you have? Are you aware of how long you should keep data for? Do you track when it is appropriate to archive or delete data?

“A lot of questions and they make up just a small piece of the data management puzzle. That said, if you get them right then SAR stress can quite easily become a thing of the past.

“If you received a SAR tomorrow, are you confident you’d be able to respond in a thorough and timely manner? If the answer is no, then reach out now as our team of experts are perfectly poised to help.”

DataFit looks to address and support the true gaps faced by businesses when it comes to data management, and then to fix them via its core services; SME and large business consultancy, as well as specialist recruitment services and bespoke training programmes. All of its services are designed to future-proof its clients, with DataFit’s experts educating at every opportunity in the hope of reducing long-term consultant dependency and costs.