Handling Subject Access Requests (SARs)

Many businesses are seeing an increase in data subject access requests made by customers or employees, as individuals become increasingly aware of their data subject rights. A data subject request (DSAR or SAR) is fairly easy to make, with many template letters available online, but may take many hours and resources when it comes to handling a response.

The current landscape has the potential to be a perfect storm for business when it comes to data management. There is increasingly more data held by companies than ever before, and this, combined with growing levels of public awareness of their own rights relating to personal data, may make responding to a SAR overwhelming.

Businesses have to deal with growing numbers of SARs, with growing levels of complexity, which requires effort, knowledge and skill to navigate. A failure to navigate these challenges could lead to exposure to costly compensation claims and/or Information Commissioner’s Office enforcement action, or even sharing sensitive data inadvertently.

At JMW, we will help you deal with SARs, improving your management systems and processes, reducing the time and resources required for your company to handle them, and reducing your exposure to risk.

To speak to a solicitor about handling SARs, contact JMW today by calling 0345 872 6666. Alternatively, complete our online enquiry form to request a call back at your convenience.

How JMW Can Help Your Business

We will help you understand:

• Your obligations
• Exceptions and refusals
• Exemptions
• Where SARs may be a precursor to litigation, and what your obligations are in responding to the SAR

We have many years of experience ensuring our clients are compliant with strict data protection regulations.

FAQs About Handling Subject Access Requests

Who must deal with subject access requests?

Anyone who holds data on an individual may be responsible to deal with subject access requests. If you are a data controller, it your responsibility to respond to a SAR. A data controller is any organisation that ‘determines the purpose and means of personal data processing’. If you are a data processor, you should deal with any request as agreed with the data controller.

Can you charge for subject access requests?

In most cases, you are not able to charge for a subject access request. However, in some limited circumstances, you can charge a reasonable fee if the SAR is manifestly unfounded or excessive, or an individual requests further copies of the data.

What is a ‘manifestly unfounded or excessive’ request?

A data controller can refuse to comply with a subject access request if it is ‘manifestly unfounded or excessive’.

Manifestly unfounded means that the data subject has no clear intention to exercise their right of access, has made the request with malicious intent, or aims to harass a company with no real purpose other than to cause disruption.

Manifestly excessive means that a request is not proportionate with the burden or costs involved in handling the request. When considering whether a request is reasonable or not, data controllers must consider the following:

• The nature of the requested information
• The context of the request, and the relationship between the individual and the company
• Whether refusal to provide information may cause substantial damage to the individual
• The available resources
• Whether the request largely repeats previous requests and a reasonable interval has not elapsed
• Whether it overlaps with other requests

Importantly, it may be necessary to engage with a data subject to understand that request before declining on the basis that is is manifestly unfounded or excessive.

What is the time limit for responding to data subject access requests?

Once a data subject has made a SAR, you have one month to respond. In some limited circumstances, such as cases where the request is complex, you may be allowed more time but you must inform the data subject within one month what the reason for the delay is.