How to protect data is increasingly coming under the scrutiny of the international press, particularly with the rise in ransomware attacks and hacking aimed at gaining illicit access to sensitive information. The General Data Protection Regulation (GDPR) in the EU is also forcing organisations to consider how they manage the risk of collecting and using Personally Identifiable Information (PII). One of the problem areas that GDPR will enforce is the ability to respond to a Subject Access Request.
So let’s cover the basics… what is a Subject Access Request?
The Information Commissioner’s Office (ICO) is an independent body that upholds information rights in the United Kingdom and defines a Subject Access Request (SAR) as follows:
As a resident of the EU you have a right to get a copy of the information that is held about you. This is known as a subject access request. This right of subject access means that you can make a request under the General Data Protection Regulation (GDPR) to any organisation processing your personal data.
You can ask any organisation, globally, you think is holding, using or sharing your personal information.
Those rights don’t stop at gaining access to a copy of personal data currently in use or stored by any given organisation. The GDPR layers on additional end-user rights including the right to erasure (also known as the Right to be Forgotten), rectification (if incorrect) and portability (if you want to change services).
These requests do not have to be in any particular format, but if the request is submitted by electronic means (for example email or web form) then the information must be provided to that person in a commonly used electronic form such as PDF.
So why is this such a threat to many businesses?
The truth is that it all comes down to preparedness. The request itself can be innocuous but the ramifications to a business that is unable to meaningfully respond are anything but.
Organisations, in most cases, will have 30 days to acknowledge and respond to any such request. That is 30 days to on-board the request, figure out what needs to be done, organise the relevant people and technology, find the relevant information, review the information for relevance, redact sensitive or non-related information, produce a final response data set and then transfer it back to the data subject.
That is a lot of activity, and one which is traditionally handled, or driven, by "legal"…
…and that is for a single Subject Access Request.
What if you received 5 requests at the same time? What if you received 50 requests? What if you received 50 requests at 4:59pm the day before Christmas, Thanksgiving, Diwali, Chinese New Year Eve (insert your favourite public holidays here)? This is where a Subject Access Request can suddenly become a choke point in your compliance preparedness and a tangible risk to your business.
If your response time is pegged at the speed at which those various individuals can crank out a response, then you will be vulnerable, and if you’re really unlucky you may be targeted by “SAR chasers” (nefarious individuals who identify and chase small financial claims against organisations that are unable or unprepared to respond, simply because paying out a small claim to these individuals is preferred to being reported to the local regulatory body).
So, ask yourself these questions: Can we respond? Can we respond in 30 days? Can we respond in 30 days and prove that fact?
If the answer is no to any of the above, then you may need to rethink your response capabilities and how prepared you are for dealing with a Subject Access Request. At Veritas, we have been helping organisations comply with data protection regulations for many years. See how we can help you build a meaningful Subject Access Request response mechanism here. If you’d like further advice, then please feel free to get in touch with us.