Privacy Laws

What do I need to know about Subject Access Requests?

By Dominic Walker, solicitor at JMW Solicitors’ Media and Entertainment Department on Data Law matters and data rights for individuals.

When the Information Commissioner Elizabeth Denham released the organisation’s annual report in the summer, it came as no surprise to see that the highest number of complaints – 38 per cent – were under the category of Subject Access Requests (SARs). This figure is similar to the number of complaints received under the old Data Protection Act 1998. While these statistics do not reveal the breakdown of complaints, it is very likely that the delay in responding to SARs is a big contributing factor.

The Information Commissioner’s Office has made two high-profile enforcements in the past six months, both relating to delayed responses to SARs. The recipients of the enforcement notices were Metropolitan Police Service and Hudson Bay Finance Ltd, both of which failed to respond to SARs on time.

But what exactly is an SAR, and how and why would members of the public choose to make one? In this article, we will explore the issue and provide practical advice on how to make one, as well as considering what to do if your SAR is ignored.

What is a Subject Access Request?

It is a common misconception that GDPR in 2018 was the advent of SARs, but the SAR is nothing new. Individuals have been able to make these requests for over 20 years. An SAR is your right to obtain copies of your personal information from an organisation that holds your data.

Two of the major differences between the old Data Protection Act 1998 and the GDPR/Data Protection Act 2018 are that data subjects now do not have to make a payment, whereas previously there was a fee, and the time that an organisation has to respond to an SAR has been reduced from 40 days under the 1998 Act to one month under the GDPR. This timescale is subject to some circumstances when the time can be extended by two months, but, in any event, the data subject should be informed in the first month that there will be a delay and the reason for the delay.

What if there is a delay

The recent rulings from the ICO beg the question, why are data controllers so bad at responding to SARs? The principle is simple; an individual makes a request, then the data controller should collate the data and forward it to the data subject. In my experience handling compensation for delayed requests, the failings of data controllers broadly fall into three categories: ignorance, lack of resource and incorrect approach.

In terms of ignorance, some data controllers simply ignore the SAR and hope it will go away. This could be because of a lack of education and understanding, especially among smaller companies, but this ‘bury the head in the sand’ approach is never going to work. In other cases, data controllers may lack either time or the correct procedures so will generally respond when they have the chance to do so. However, that approach is also inadequate, because GDPR is very specific in terms of time to respond.

If you have made a request that has gone ignored, you can bring a legal action for ‘non-material damage’ under Article 82 of GDPR. The basis could be, for example, distress caused as a result of the data controller’s failure to respond to the SAR or the delay in responding. It may also give the individual the right to apply to the Court for an order to force the data controller to provide a copy of the data.

What does the future hold?

GDPR and SARs should be embraced by the general public. This is an opportunity for ‘us’ as data subjects to know which organisations are storing our data, how the data is being processed and to receive a copy of the data. It is also an opportunity for data controllers to be more transparent about the data they store and how they process data and provides them with the chance to reflect on whether they store too much data.

Subject Access Requests are here to stay, so it is crucial for organisations to acknowledge this fact and get better at responding to them. Those that do not will face the wrath of the ICO, as well as individual lawsuits from people seeking legal action and the subsequent cost of compensation.