Subject Access Requests have a big impact post GDPR
Under the EU General Data Protection Regulation (GDPR), individuals have the right to ask an organisation processing their personal data to disclose what information it is holding – this is called a Subject Access Request (SAR). It is not a new right; it existed under the Data Protection Act 1998, but GDPR introduced some changes that made the process for exercising that right a little easier.
GDPR abolished the standard fee for making a SAR and requires organisations to provide individuals with copies of their personal data within one month, free of charge - unless there are exceptional circumstances.
As a result of the changes, perhaps not unexpectedly, there has been a sharp increase, across all sectors, in the number of SARs reportedly being submitted by individual data subjects.
In a recent survey of 237 GPs and practice managers for a health service publication, 57% of respondents said that they had seen a significant rise in SARs since 25th May. This has created many hours of extra work and escalating costs for the practices.
Other research has indicated that there has also been a significant increase in the number of SARs submitted by existing or former employees. Some of these may be motivated by litigation, and recent guidance from the courts suggests that they cannot be refused.
It’s important to make sure that staff members recognise a SAR when they see one and that there is an appropriate procedure in place for dealing with it. Any unnecessary delays could affect the one-month deadline and lead to sanctions from the Information Commissioner. We have recently released a one-day course which focusses solely on Dealing with Subject Access Requests. It is delivered by our GDPR expert, Peter Blenkinsopp, and will take you through the process step-by-step.