What the ICO says –
“You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.”
What does this mean for your organisation –
What is a Subject Access Request? Exactly! Not only do you need to plan how your organisation will handle SARs, but you will need to know how to identify one in the first place.
Picture the scene: you’re talking to a customer on the phone and they ask for everything that you hold on them. Do they mean everything relating to their account, i.e. number of orders, type of product ordered? Or do they want to know what PII you are holding about the individual you are speaking with?
If it’s the latter then that is, plain and simple, a Subject Access Request; the former is account management and does not fall within the scope of the GDPR.
A SAR may come in the shape of a formal email or letter, or it could be something as simple as a phone call. Whichever way it arrives in your organisation you need to handle it just the same: professionally, securely, within 1 month and for free. The last two are noticeable changes to how a SAR is currently handled, so your organisation needs to be ready for this.
SARs are expected to become big business, especially if lawyers see them as a replacement for PPI claims. Ironically, they won’t be able to pester individuals in the way they do with PPI claims.
So, once you have identified a SAR, the first thing you will need to do is confirm the identity of the requester, to ensure they are the individual named in the request. Is it a valid request? If not, you need to be able to prove that and refuse it without undue delay. Not surprisingly, you will also need to keep an audit trail of SARs.
The 12 Days of GDPR snippets are not designed as a guide to make your organisation GDPR compliant, they are just to whet your appetite to get you started. BMGUK Consultancy Ltd has one of the few certified EU GDPR Practitioners in the UK, so get in touch and I can assist your organisation to become GDPR compliant.
What is the GDPR? – It is the new evolution of data protection across the EU. On May 25th, 2018 the General Data Protection Regulation becomes enforceable so if your organisation processes personally identifiable information of any EU resident then you need to be prepared for the GDPR otherwise your organisation could face significant penalties.
From the largest multinational down to the smallest of sports clubs anywhere in the world, if your organisation offers goods or services, even free ones, to EU residents then it is highly likely that your organisation will be required to comply with the GDPR.
Whether your organisation is based in the UK or overseas, get in touch with BMGUK Consultancy Ltd for all your GDPR needs.