Data subject access requests (DSARs) must be fulfilled under the EU General Data Protection Regulation (in force since May 2018) and, from 1 January 2020, under the California Consumer Privacy Act. To assist organizations that operate under both the CCPA and the GDPR, we have put together this guide to the differences between the key data subject access request rights under the two privacy laws.
The General Data Protection Regulation gives data controllers one month to complete a subject access request. The clock starts when the controller receives a clear request together with enough identification to be satisfied that the request comes from the data subject (or someone authorised to act for them).
Some social care files are very large and may take longer than a month to complete. If this is the case with your request, we will contact you.
The ability to make a subject access request ("SAR") is arguably the most exercised data protection right available to individuals. Failing to implement a suitable SAR response process, or to respond properly to a SAR, can attract a top-tier GDPR fine. SARs can be directed to any individual within an organisation. They need not be described as a "subject access request" and need not mention the GDPR at all. They can be made in any format, whether verbally or in writing by e-mail, post, social media or fax. It is therefore crucial that all employees can recognise a SAR when they receive one and know how to deal with it, usually by forwarding it to a point of contact or team within the organisation that is capable of responding in line with the GDPR.
There are a number of issues that should be considered each time a SAR is received, including:
Is further ID for the data subject required?
By which date should a response be provided?
Has the data subject made a general SAR, or have they limited their request to certain information only? Could restriction of the request be encouraged?
To what extent is the information personal data?
Are other individuals referred to, and is there a risk of breaching their data protection rights if certain information is disclosed?
Can the process be simplified by providing entire documents, even where they contain more than the requester's personal data? If so, is the other information in those documents commercially sensitive or confidential?
Have all relevant systems and locations been searched?
Can you adopt an improved data minimisation process to reduce the level of information you process that may need to be provided pursuant to a SAR?
According to the Information Commissioner's Office (ICO), one of the biggest changes the GDPR has brought in is the length of time an organisation has to respond to a SAR. The previous Data Protection Act 1998 allowed 40 days to comply. The GDPR gives you one month to gather the information and respond.
In certain circumstances, an organisation may refuse a request on the grounds that it is "manifestly unfounded or excessive". Refusing a request must not be done lightly: you must explain your reasoning to the data subject and tell them of their right to complain to the supervisory authority and to seek a judicial remedy. Again, this must be done within one month of receiving the request.
The first step in responding to a SAR is to recognise it. The GDPR does not specify how an individual must make a valid request. A subject access request can be written or verbal, and it can be made to any part of your organisation, including through social media.
Therefore, it is best to assume that if an individual asks you for their personal data, regardless of the channel or mode of communication, it constitutes a valid subject access request under the GDPR. It is advised that basic training on the GDPR should be provided to all staff members and managers within an organisation.
Your employees should be able to recognise a SAR and pass it on to the relevant focal person who can handle the request.
The GDPR requires you to respond to a SAR without undue delay and in any event within one month of receipt. Note that the limit is one calendar month, not a fixed 30 days; the ICO's guidance is to count to the corresponding calendar date in the following month (or its last day if no such date exists).
However, you can extend this period by a further two months (three months in total) if the request is complex, or if the same individual has made a high number of requests. In that case you must inform the individual of the extension, and the reasons for it, within one month of receiving the request.
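As an added worked example (not part of the original page), the following Python helper computes the statutory dates described above for a DSAR tracking workflow: the one-month response deadline, the date by which any extension notice must be sent (the same one-month date), and the extended three-month deadline. It follows the ICO's calendar-month counting rule (corresponding date next month, clamped to the last day of a shorter month) and its advice that a deadline falling on a weekend moves to the next working day. The function and variable names are illustrative assumptions; public holidays are not modelled and the clock is assumed to start on the date the request and any required ID are received.

```python
import calendar
from datetime import date, timedelta

# Statutory periods under GDPR Art. 12(3): one month, extendable by two more.
BASE_MONTHS = 1
EXTENDED_MONTHS = 3


def add_months(start: date, months: int) -> date:
    """Return the corresponding calendar date `months` later.

    ICO counting rule: if the target month is shorter and has no corresponding
    day (e.g. 31 Jan + 1 month), the deadline is the last day of that month.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date) -> date:
    """Roll a Saturday/Sunday deadline forward to Monday.

    Assumption: public holidays are not modelled here; a real tracker would
    also roll over bank holidays per the ICO's guidance.
    """
    while d.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


def sar_deadline(received: date, extended: bool = False) -> date:
    """Deadline for the substantive response.

    `received` is the date the clear request plus any ID needed to verify the
    requester was received (the point at which the clock starts).
    """
    months = EXTENDED_MONTHS if extended else BASE_MONTHS
    return next_working_day(add_months(received, months))


def dsar_timeline(received: date) -> dict:
    """All dates a DSAR handler must track for one request.

    The extension notice (with reasons) must reach the data subject within the
    first month, so its deadline equals the unextended response deadline.
    """
    base = sar_deadline(received)
    return {
        "received": received,
        "respond_by": base,
        "extension_notice_by": base,
        "extended_respond_by": sar_deadline(received, extended=True),
    }


if __name__ == "__main__":
    # Constructed sample: request received on 31 January 2024 (leap year).
    for key, value in dsar_timeline(date(2024, 1, 31)).items():
        print(f"{key:>21}: {value.isoformat()} ({value.strftime('%A')})")
```

Run it to see that a request received on 31 January yields a 29 February deadline in a leap year and a 30 April extended deadline, both clamped because the target months are shorter than January; a request received on a Wednesday 6 March 2024 would otherwise fall due on Saturday 6 April and therefore rolls to Monday 8 April.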