GDPR means GDPR – Have you established your SAR plan?

EU GDPR will be adopted by the UK regardless of Brexit so action is needed now. For those businesses looking responsibly at how they will meet the requirements for this European regulation, Subject Access Requests (SAR’s) will doubtless form part of their considerations.

Under the new EU GDPR, organisations must respond to SARs “without undue delay and at the latest within one month”. This is a shorter time frame than under the existing DPA which states 40 days. Maybe even more demanding is that supplemental information must also be provided to requesters alongside their personal data. This includes, where feasible, details of “the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period”.

Further information is also required to explain the requesters’ rights to request the rectification or erasure of their data, to object to processing activities, along with their right to lodge complaints with data protection authorities. Organisations will need to identify where they have sourced requesters’ personal data from in instances where it has not been collected directly from the individual. Requesters will also have a right to be given details of the safeguards applied where their data is transferred outside of the European Economic Area.

According to The Information Commissioner’s Office (ICO) Annual Report for the financial year 2015/16*, 42% of concerns raised with them centred on SAR. This highlights the difficulties organisations already have complying with the existing, less onerous regulations. It indicates that organisations have some way to go in meeting the expectations of customers, staff, and the regulators!

The Plan

Under the ICO’s Preparing for the General Data Protection Regulation (GDPR) – 12 Steps to take now**, the 5th describes the need for procedures and a plan of how an organisation will handle SAR’s.

Given the new requirements, it’s important that staff are sufficiently trained to identify what constitutes a request and the process for handling it. Waiting days before the process is started and data is retrieved from systems will be risky given that fines are likely to be much stiffer under GDPR.

• Establish how you will manage your GDPR project with clear visibility of the all the work that needs completing to achieve and evidence compliance.
• Agree policies internally that describe your pragmatic procedures and processes.
• Identify who needs to be trained and how will you show that training has taken place.
• Undertake privacy impact screening and assessment.
• Identify and address informational, physical and legislative privacy risks.
• Establish a method of assigning SAR’s to trained individuals, along with deadlines and alerts, whilst retaining visibility and management reporting.

So, GDPR could pose a significant risk to organisations and a plan to address SAR’s and all other aspects of the requirements is needed:

• Ensure they have a clear work-flow to follow where they can keep track of their work.
• Give them the ability to quickly access version controlled template responses with standardised wording (providing the supplemental details that need to be disclosed alongside a requesters’ data)
• Equip staff with tools to easily and effectively task other team members to carry out their part of the process.
• Integrate your GDPR work into your wider ISMS or information security standards.
• Demonstrate effective governance to a regulator in case of an investigation.

Without a doubt, regulators will also be looking for a strong posture for demonstrating the security of personal data by controllers and processors. That’s why our software solution, ISMS.online, includes all the tools and frameworks for managing GDPR compliance and information security in line with the requirements of ISO 27001.

Information Commissioner’s Annual Report and Financial Statements 2015/16

Guide to the General Data Protection Regulation (GDPR)