Subject Access Requests – what should you do?

Some smaller organisations don’t fully understand how to handle Subject Access Requests (SARs). Compliance Compendium chief business development officer Gareth Gadd explains how to go about it.

It’s just part and parcel of modern life that a lot of organisations hold electronic data about us. Data can lurk in many places, whether in databases, accounting software, spreadsheets, electronic documents or emails. Many smaller organisations, whether charities or SMEs, have taken the approach that they are too worthy or too small for the Information Commissioner’s Office (ICO) to be interested in them. Maybe you work or volunteer for one of these organisations?

We all know that our data is valuable and needs protecting. Many good organisations store data about people to make their interactions easier, but there are always others with less honest intentions.

The latest research conducted by RegTech Analyst has shown investors have poured over $200m into companies addressing GDPR since June 2017.

Sometimes, smaller organisations don’t fully understand their legal responsibilities for handling SARs from members of the public. Bulk SARs have also hit some of our prospects, although that evidence is only anecdotal. So what happens if you receive a request from someone asking what data you hold about them?

What could you do? What should you do?

You could do nothing. The law gives you one month to respond (extendable by up to two further months where requests are complex or numerous), and failure to handle SARs in time can lead to a fine from the ICO. Doing nothing is not an option, so what should you do?

First you have to check that the request is legitimate. Is the requester really who they say they are, and are they entitled to the information, either as the data subject or as someone authorised to act on their behalf? You also need to work out how much information to send: the personal data you hold about that individual, while taking care not to disclose other people’s data along with it.

When it comes to responding, you have to send that information to the individual securely. You can’t just put it in an ordinary email. What if the email containing the information is intercepted by someone trying to find out sensitive personal details? There are big fines for releasing data insecurely. If you have not prepared adequately, you may find that you have to divert resources away from your main business to deal with a single request.

Compliance Compendium’s software helps organisations to handle SARs in a legally compliant way and allows them to demonstrate the progress made on each request in the event of an inquiry by the Information Commissioner’s Office.

Copyright © 2018 RegTech Analyst