Mastering Subject Access Requests: Your Essential Guide

“Please may I have a copy of all the data you hold about me.”

These words can strike fear into the heart of many small businesses. Under the UK GDPR, individuals have the right to obtain a copy of the personal data an organization holds on them. This right of access, also known as a Subject Access Request (SAR), covers various data storage forms, including email, paper records, and even platforms like CCTV and MS Teams. Understanding how to handle a Subject Access Request efficiently is crucial for compliance and maintaining trust.

Recognising a Subject Access Request

A Subject Access Request can be submitted in multiple ways, such as a formal letter, an email, or even a message on social media, and it does not need to use the words “subject access request” to count as one. It’s vital that your team recognises these requests and knows how to document and escalate them promptly.

Steps to Respond to a Subject Access Request

  1. Verify the Requestor: Be confident about the requestor’s identity before releasing anything, without necessarily requiring formal ID.
  2. Preserve All Data: Do not delete any data once a Subject Access Request is received, as doing so could be a criminal offence. Even if you don’t like what is written, said or recorded, don’t delete it!
  3. Focus on Personal Data: Provide the personal data relating to the requestor and exclude purely operational information. For example, a copy of the individual’s HR folder, or details of AML checks you may have performed against the client, is in scope. An email exchange between an employee and a client arranging an appointment is out of scope: this is ‘operational’ information and is not personal to them.
  4. Engage IT Support: Use tools such as Google Vault and Microsoft eDiscovery to search for and extract the necessary data.
  5. Consider Third-party Data: Be mindful of data that also identifies other people and apply the relevant exemptions under the UK Data Protection Act.
  6. Use Redacting Tools: Remove any information that is not the requestor’s personal data before release.
  7. Deliver Data Appropriately: Return the data in the format requested, ensuring secure transmission.

Delivering the Requested Data

Provide the data in the format requested by the individual, whether printed or electronically via secure methods like Microsoft SharePoint. Include a covering letter summarising what has been provided and any exclusions.

Handling a Subject Access Request efficiently is critical for compliance and maintaining trust with your clients. By following a structured approach and utilizing the right tools, businesses can navigate SARs effectively and avoid potential legal pitfalls.

Let's get the conversation started...

We’ve only been able to share some of the key points on how to manage a subject access request. We’ll be hosting a webinar on September 19 to talk in more detail about the process, so be sure to keep an eye on our News and Events page for details. In the meantime, if you require additional help, or have any queries, please contact the team.

Contact us: 01926 800710
