When a company receives a GDPR subject access request (SAR), they are legally obligated to respond promptly and appropriately to ensure compliance with data protection laws.
Here is a guide on how companies should respond to a GDPR subject access request:
1. **Acknowledge Receipt of the Request**: Upon receiving a SAR, acknowledge receipt promptly, ideally within a week. This acknowledgment can be a simple confirmation email to the individual making the request, acknowledging that their request has been received and is being processed.
2. **Verify the Identity of the Requestor**: Before disclosing any personal data, verify the identity of the individual making the SAR. A SAR is an attractive vector for social engineering: an attacker who can impersonate a data subject receives a neatly compiled export of that person's data, so treat identity verification as a security control, not a formality. Where the requestor already holds an account, prefer verifying through that existing authenticated channel (for example, a request submitted or confirmed from the logged-in account, or a check of account security information). Only where you have reasonable doubts should you ask for additional evidence such as photo ID (a scan of a passport or driving licence) or proof of address, and ask only for what is proportionate to the sensitivity of the data requested (this step is often loosely referred to as KYC). Bear in mind that every ID document you collect is itself new personal data that you then have to protect and later dispose of (see step 10).
3. **Assess the Request**: Review the scope and details of the SAR to understand the specific information requested and the timeframe within which the data must be provided. Determine whether any exemptions or limitations apply to the disclosure of certain types of personal data, such as legal privilege or third-party information.
4. **Retrieve and Compile the Requested Data**: Once the identity of the requestor is verified and the scope of the request is understood, begin gathering the relevant personal data. This may involve retrieving information from various sources within the organisation, such as databases, emails, chat and messaging systems, backups, logs and paper records. Compile the data in a clear and understandable format. You will more than likely have to redact personal data that relates to other people (for example, other customers named in a support ticket or colleagues in an email thread), since the right of access must not adversely affect the rights of third parties. Redact in a way that actually removes the underlying data rather than merely hiding it (for instance, do not rely on black boxes drawn over text in a PDF or on deleted rows that remain in a spreadsheet's revision history).
5. **Provide the Response**: Respond to the SAR within the timeframe specified by the GDPR, which is one month of receiving the request; this can be extended by up to two further months where requests are complex or numerous, provided you tell the individual about the extension and the reasons for it within the first month. Provide the requested personal data to the individual in a secure manner, such as an encrypted attachment or a secure online portal, and only to the address or account that was established during identity verification, never to a new contact address supplied mid-request without re-verifying it. Include any necessary explanations or context to help the individual understand the information provided.
6. **Inform About Any Exemptions or Limitations**: If certain exemptions or limitations apply to the disclosure of personal data requested in the SAR, clearly communicate this to the individual. Explain why certain information cannot be disclosed and inform them of their right to complain to the supervisory authority and to seek a judicial remedy if they disagree with the decision.
7. **Offer Assistance and Clarification**: Be available to answer any questions or provide further assistance to the individual regarding the information provided in response to their SAR. Offer clarification or additional context if needed to ensure they understand the data disclosed.
8. **Document the Response**: Keep detailed records of the SAR and the organisation’s response, including any communications with the individual, steps taken to verify identity, and the data provided. This documentation is essential for demonstrating compliance with the GDPR in case of audits or regulatory inquiries.
9. **Review and Update Internal Processes**: After handling a SAR, review your organisation’s internal processes and procedures for handling such requests. Identify any areas for improvement and update policies or training as needed to ensure ongoing compliance with data protection laws.
10. **Delete KYC Documents**: If the individual (the data subject) has provided copies of their photo ID, passport or other identity evidence solely to prove their identity for the SAR, securely delete those documents from your systems once verification is complete and the response has been issued. Check the places such documents tend to linger: ticketing systems, shared mailboxes, downloads folders and backups. Retaining them longer than necessary breaches the storage limitation principle and turns a one-off verification step into a standing store of identity documents for an attacker to target. Your records under step 8 should note that identity was verified and how, not retain the evidence itself.
By following these steps, companies can effectively respond to GDPR subject access requests, respecting individuals’ rights to access their personal data while ensuring compliance with data protection regulations.