Subject Access Requests - Part 2
Guidelines for Handling Subject Access Requests (SARs) under GDPR
Verification of Identity
Essential Checks: Verify the identity of the requester to avoid data breaches.
Known Customers: If the requester is a known customer, additional proof may not be required.
Third-Party Requests: Requesters acting on behalf of others must provide legal proof of entitlement.
Refusal Protocol
Reasons for Refusal: Only refuse requests if they are manifestly unfounded or excessive.
Consultation: Seek guidance from the Information Commissioner's Office before refusal.
Notification: If refusal occurs, inform the individual and provide avenues for appeal and complaint.
Information Provision
Data Disclosure: Provide all personal data held about the requester, including identifying information.
Comprehensive Details: Furnish information about your company, data processing purposes, retention periods, and lawful basis.
Delivery Methods
Ideal Approach: Utilize an online portal for secure and convenient access to data, recommended by the ICO.
Alternative Methods: If a portal is unavailable, provide data via email attachments or printed documents.
Format Preference: Honour format requests; respond in the requested format, be it printed or electronic.
Social Media Requests
Cautious Response: Responding via social media may risk data breaches; confirm identity and switch to email for secure communication.
Data of Third Parties
Consent Requirement: Obtain consent from third parties before disclosing their personal data.
Anonymization Option: Anonymize data if feasible; avoid disclosing identifiable information of third parties without consent.