In today’s data-driven world, almost every company and application collects a significant amount of important data and individuals’ personal information, such as name, email ID, address, date of birth, ID number, credit card information, online behaviour, browsing history and much more. Sharing data has become an essential component of many businesses and organisations; it allows the data controller and data subjects to stay connected and collaborate on many things.
During our compliance assessments and security compliance reviews, we have observed a widespread lack of awareness of these rights. Although the regulatory bodies have been promoting individual rights and access to personal data, many people are still unaware of the process for demanding openness from public bodies or transparency in terms of data protection.
This article aims to guide users on the UK GDPR Subject Access Request and the procedure for making one, and answers the fundamental questions that every individual must know about their rights and access to the personal data they have shared.
What is a data subject access request?
The Data Subject Access Request, also known as a DSAR or simply a SAR, is the same under the UK GDPR as under the European Union GDPR and grants similar rights to UK residents. The UK GDPR defines the SAR as the right of a person to demand or access a copy of the personal data and other information collected about them. The individual can initiate the SAR themselves, or they can nominate a third party (e.g. a family member, a friend, etc.) to request disclosure of the shared information on their behalf.
The purpose of giving individuals the right of access is to ensure data protection in every aspect of processing, privacy for individuals, and openness by public bodies. The right of access allows any individual to obtain a copy of their personal data and other supplementary information from the companies that hold it. It is a fundamental right.
What can you ask for in a data subject access request (DSAR)?
The UK GDPR gives individuals the power to ask organisations about their recorded information either verbally, in writing or through social media. This means you can verify the lawfulness and transparency of the collection and processing of your data by directly contacting the organisation’s officials or by contacting them on social media. While making a data subject access request, you can ask about:
- The amount of personal data collected about you and a list of it
- Data processing details
- Data handling details
- How the data is being stored within the organisation
- With whom they are sharing your information
- From where they collected your data, etc.
Is there any standard form for data subjects to make a request?
No, the GDPR does not specify how an individual must make a request. There is no standard form for data subjects to make a Subject Access Request. However, recital 59 of the UK GDPR recommends that organisations and businesses provide means for making a DSAR.
It says, “provide means for requests to be made electronically, especially where personal data is processed by electronic means.”
Nevertheless, any inquiry made or submitted by email, letter or verbally carries equal weight, and the organisation must fulfil the subject’s request to disclose their personal information.
Can someone make a request on your behalf?
The answer is yes. Any person can nominate another individual or third party to make the request on their behalf. However, in such requests, the third party, i.e. the nominated person, will have to prove that the data subject has authorised them to make the request and satisfy the organisation that the request is authentic. They can do so by providing an authority letter or a request signed by the data subject.
Can you request on social media?
Yes, as mentioned above, the UK GDPR sets no boundaries on how a subject access request is made. You can send access requests via any of the organisation’s social media accounts. This is not the most thoughtful approach, but there is no harm in doing so. While making a subject access request through a social channel, make sure to provide an alternative contact address at which to receive the response or the record of your personal information.
Can the organisation charge you for making DSAR?
The DSAR is absolutely free, and the organisation cannot require you to pay any fee or charges to obtain your data. However, there are some exceptions. If the DSAR is ‘manifestly unfounded or excessive’, the organisation can charge a reasonable fee to provide the requested information.
Caution is advised to companies considering such charges because there are no defined thresholds for what counts as a reasonable fee. The ICO suggests that organisations calculate charges based on the administrative costs incurred in providing the information.
What is the time limit for the organisations to fulfil the access request?
Under the UK GDPR, organisations have a timescale of one month to deal with a DSAR under their SAR policy. Within this period, the organisation must acknowledge receipt of the request and respond to it.
How does a subject access request work?
There is no particular format that needs to be followed when someone decides to make a subject access request. You can email, call or visit the organisation and ask them to disclose the information they have collected and processed about you under the UK GDPR. Whether you ask verbally or in writing, you are then entitled to receive a copy of your personal information. It is good practice for organisations to have an internal GDPR subject access request procedure ready that addresses any concerns on the topic as they arise.
When you make a subject access request, you do not need to state the purpose or explain to the organisation why you need the information and what you would do with the copies. The only thing you need to provide is a clear message asking for your own personal data.
You can also follow these guidelines while making a subject access request.
- Identify what information you need so that you can ask for exactly that and make the correct application.
- Call or email the organisation and submit the SAR for the information that you need.
- Do not forget to add relevant information about yourself (such as full name, contact number, email address, home address, ID numbers, etc.). This information helps them identify you as a legitimate requester and send your information to you.
- If you need any specific data or specific details, do mention them.
- Add a reference to the one-month timescale granted by the legislation.
- Keep records of the details and of the request you sent to the organisation.
It is unnecessary to give your reasons for making the request, but there is no harm in stating the objective of your SAR. This gives the organisation a clear idea of the SAR and helps it find the relevant information.
What to do if the organisation refuses your subject access request (SAR)?
The Information Commissioner’s Office (ICO) has issued guidelines on data protection and privacy for individuals. The guideline content is available on the ICO’s official website. The ICO guidelines provide a clear understanding of the right of access.
An organisation may refuse a SAR if the request is ‘manifestly unfounded or excessive’. What does this mean?
A request is manifestly unfounded if either of the following is true:
- The individual makes a request but then offers to withdraw it in return for some form of benefit from the company.
- The individual is making the request with malicious intent and with the possible purpose of causing disruption (unsubstantiated accusations, targeting employees for personal reasons, or explicitly stating their intent to disrupt).
GDPR right to access example
An individual makes a SAR to an online gaming store for their personal data and states that it is made under the UK GDPR right of access. However, they state that they will withdraw the request if the organisation credits their bank account with a specific sum of money.
In this case, the company can deem this request ‘manifestly unfounded or excessive’.
If any organisation denies your subject access request or refuses to share relevant information held by them, you can reach out to ICO on 0303 123 1113 to log your complaint.
It is crucial to understand that YOUR data is your intellectual property, and it belongs to you. You have the right to be informed of how your data is being used and who has access to it. To protect everyone’s rights over their personal data, the UK GDPR has granted data subjects the right to request access to information on how their data is being used and processed. It comes under UK GDPR compliance under the name Subject Access Right.
Therefore, people should be mindful when sharing their personal information with any person, organisation or website (in the form of cookies, payment info, username, password, etc.), because a breach or leak of that data from any source can compromise their confidentiality. To keep track of the information they have shared, people can ask the organisation to disclose the data it has collected and processed.
At Cyphere, we help organisations achieve security and privacy compliance with a best-in-class technical skill set and consulting expertise. Get in touch with us to discuss security concerns or queries.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skill set in offensive security.