A subject access and deletion request system is a software program, or set of procedures, that helps an organisation manage and process individual access requests. These systems allow users to log requests and track their progress through to conclusion. Organisations can use the system to search and filter all requests, check for duplicates, and allocate tasks to staff members.
Dealing with a data subject access request without a good system can be time-consuming, arduous and costly. All subject access requests have a 30-day response time, which can only be extended by up to two further months if the request is complex or the controller has received several requests. Failure to comply with a request can lead to the data subject filing a complaint with the Information Commissioner's Office (ICO). Such complaints can have serious financial consequences, with penalties of up to 4% of the organisation's annual turnover.
There are a variety of specialist data subject access request software applications on the market, although most businesses get by as best they can using a combination of CRM and spreadsheets. This can make it challenging for organisations to choose the best and most appropriate system. Below are some must-haves for a GDPR document management system.
The software must provide a DSAR portal to allow users to request access to their personal information or request deletion easily.
The system should provide a centralised view of all data subject access requests.
The system must provide the required workflows to process all requests in the organisation.
The system should have reporting tools and logs to show that DSARs were processed within the time GDPR specifies.
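To make the must-haves above concrete, here is an added example of a minimal request register (written for this page, not a product or code from the original article). It logs each request with the channel it arrived through, flags possible duplicates (same subject, same request type, still open), lets staff be assigned, computes the deadline as one calendar month from receipt (plus two further months if an extension is recorded), and produces the overdue and on-time figures a reporting tool would need. The month arithmetic, the sample requests and the `example.org` addresses are all constructed assumptions; the rule used for a missing day (31 January plus one month becomes the last day of February) is a simplification chosen for the example.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


def add_months(d: date, months: int) -> date:
    """Shift a date forward by whole calendar months.

    Assumption for this example: when the target month has no such day
    (31 Jan + 1 month), the deadline falls on the last day of that month.
    """
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Request:
    ref: int
    subject: str                      # normalised data-subject identifier
    kind: str                         # "access" or "deletion"
    channel: str                      # verbal, phone, letter, web, email, social
    received: date
    assigned_to: Optional[str] = None
    extended: bool = False            # one-off extension by two further months
    completed: Optional[date] = None
    log: List[str] = field(default_factory=list)  # audit trail for the ICO

    def deadline(self) -> date:
        # One calendar month, or three in total if an extension was granted.
        return add_months(self.received, 3 if self.extended else 1)

    def is_open(self) -> bool:
        return self.completed is None

    def is_overdue(self, as_of: date) -> bool:
        return self.is_open() and as_of > self.deadline()

    def completed_late(self) -> bool:
        return self.completed is not None and self.completed > self.deadline()


class RequestRegister:
    """Centralised view: log, search for duplicates, assign, extend, report."""

    def __init__(self) -> None:
        self._requests: Dict[int, Request] = {}

    def get(self, ref: int) -> Request:
        return self._requests[ref]

    def log_request(self, subject: str, kind: str, channel: str, received: date) -> Request:
        ref = len(self._requests) + 1
        req = Request(ref, subject.strip().lower(), kind, channel, received)
        req.log.append(f"{received}: received via {channel}")
        self._requests[ref] = req
        dups = self.duplicates_of(ref)
        if dups:  # same person, same request type, still open elsewhere
            req.log.append(f"{received}: possible duplicate of {dups}")
        return req

    def duplicates_of(self, ref: int) -> List[int]:
        me = self._requests[ref]
        return [r.ref for r in self._requests.values()
                if r.ref != ref and r.is_open()
                and r.subject == me.subject and r.kind == me.kind]

    def assign(self, ref: int, staff: str, on: date) -> None:
        req = self._requests[ref]
        req.assigned_to = staff
        req.log.append(f"{on}: assigned to {staff}")

    def extend(self, ref: int, reason: str, on: date) -> date:
        req = self._requests[ref]
        if not req.is_open() or req.extended:
            raise ValueError("extension allowed once, and only while the request is open")
        req.extended = True
        req.log.append(f"{on}: extended, reason: {reason}")  # reason must be documented
        return req.deadline()

    def complete(self, ref: int, on: date) -> None:
        req = self._requests[ref]
        req.completed = on
        req.log.append(f"{on}: completed " + ("late" if req.completed_late() else "on time"))

    def overdue(self, as_of: date) -> List[int]:
        return [r.ref for r in self._requests.values() if r.is_overdue(as_of)]

    def report(self, as_of: date) -> Dict[str, int]:
        rs = list(self._requests.values())
        return {
            "open": sum(r.is_open() for r in rs),
            "overdue": len(self.overdue(as_of)),
            "completed_on_time": sum(1 for r in rs if not r.is_open() and not r.completed_late()),
            "completed_late": sum(r.completed_late() for r in rs),
        }


def demo() -> RequestRegister:
    """Constructed sample data: three requests, one duplicate, one extension."""
    reg = RequestRegister()
    r1 = reg.log_request("Alice@example.org", "access", "email", date(2024, 1, 31))
    r2 = reg.log_request("bob@example.org", "deletion", "web", date(2024, 3, 15))
    r3 = reg.log_request("alice@example.org", "access", "verbal", date(2024, 2, 5))
    reg.assign(r1.ref, "dpo", date(2024, 2, 1))
    reg.extend(r2.ref, "complex request spanning several systems", date(2024, 3, 20))
    reg.complete(r1.ref, date(2024, 2, 20))   # before the 29 Feb deadline
    reg.complete(r3.ref, date(2024, 3, 10))   # after the 5 Mar deadline
    return reg


if __name__ == "__main__":
    register = demo()
    for ref in (1, 2, 3):
        req = register.get(ref)
        print(ref, req.kind, req.channel, "deadline", req.deadline(), req.log)
    print(register.report(date(2024, 5, 1)), "overdue on 1 Jul:", register.overdue(date(2024, 7, 1)))
```

The point of the register is the audit trail: every state change appends a dated line to the request's log, so the evidence that a request was received, assigned, extended for a documented reason and closed within the deadline is produced as a by-product of handling it rather than reconstructed afterwards from a spreadsheet.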
The DPA enshrined the GDPR into UK law. All healthcare and other organisations have to comply with this legislation, which introduced several significant changes to the way a SAR should be handled. The changes included:
The SAR does not have to be in writing but can also be verbal and even by social media.
The subject cannot be charged for copies of records unless the request is 'manifestly unfounded, excessive or repetitive'. You could then charge a reasonable fee. More detail is given on this below.
You need to provide the information within one calendar month rather than the previous timeframe of 40 days.
In Scotland, children aged 12 or over are presumed to have sufficient age and maturity to access their own records. In England, Wales and Northern Ireland, competence is assessed on a case-by-case basis. An older child may have the capacity to consent and, if they do, they should be asked for consent. Competent children may refuse access to their records unless the doctor believes disclosure is necessary to protect the child or young person, or someone else, from risk of death or serious harm.
You should document access requests, reasons for any delay in providing the information and if requests are 'manifestly unfounded or excessive'. You should also document information provided about the right to complain to the ICO or judicial remedy.
If your business used to respond to data protection impact assessment under the old legislation, then you’ll know that you previously had 40 days to respond to such a request and that you could charge a reasonable administration fee for doing so.
It’s here where you’re going to notice the two biggest changes.
According to the Information Commissioner’s Office (ICO), which oversees GDPR compliance here in the UK, you now have to respond to requests as soon as possible, without undue delay and within one month.
Under GDPR, an individual can make a subject access request using any available method, including:
Verbally in person
Over the phone
In a written letter
Via your website
Via email
Via social media.
There is no formal way to make a request, so the individual doesn’t necessarily have to use the terms “subject access request,” “DSAR,” “Article 15,” or anything else, as long as it is clear that they are requesting their own personal data.
Furthermore, such requests can be made to anyone within your organisation. That means that if someone verbally asks one of your frontline staff in person, this request is just as valid as a formal letter, email, or completed form.
With more individuals becoming aware of their rights concerning the data you hold about them, your business can fully expect to see an increase in the number of requests made over the coming months.
Not that this has to have a significant impact on your day-to-day operation.
Experts in helping businesses of all sizes ensure frictionless compliance with all aspects of the GDPR, we provide specialist subject access request services designed to simplify and streamline your response services, leaving you with more time, energy and resources to focus on growing your business.