What to do when you receive a SAR
Subject Access Request Policy
Importance of Policies and Processes
Record Keeping: Having policies and written processes in place aids in handling subject access requests (SARs).
Employee Awareness: Ensure all employees are trained to recognize SARs and report them promptly to the relevant department.
Handling SARs
Request Fulfilment: Individuals have the right to confirmation of data processing and a copy of their data, along with any supplementary information.
Request Logging: Maintain a log of all SARs, especially verbal or in-person requests, including the data requested.
Verification: If unsure of the requester's identity, ask for the information needed to confirm it, but avoid unnecessary delays.
Response Procedures
Response Time: Respond to SARs within one calendar month; many organizations aim to respond within 28 days to ensure compliance regardless of the month's length.
Fee Policy: Do not charge a fee for responding to SARs unless justified as a reasonable administrative cost.
Refusal or Delay: Refrain from refusing or delaying SARs unless they are repeated, manifestly unfounded, or excessive.
Communication with Data Subjects
Informing Data Subjects: Notify data subjects of any decision to charge a fee, refuse, or delay their SAR, and inform them of their right to lodge a complaint with the ICO.