GDPR sets out information which should be provided as part of responding to a subject access request. It seems organisations are not aware of these requirements. Lots of the SAR’s we’ve heard about have not been responded to in the right way. Does that mean that the organisation doesn’t care or is unaware of what they need to provide. Most of the time, its that they are unaware.
What are organisations doing?
There has been a huge increase in subject access requests over the last six months as people start to understand their rights and make requests for their information. One of our clients is a small credit union. Until February this year, they had not received a single subject access request. “It’s the only one we’ve had”, they told me. My reply was “It’s the first one you’ve received. More will follow” and they did. They receive at least one subject access request a month and they are only a small organisation. Luckily we put a process in place which is really easy to follow, set them up with sample documents and provided advice on what they needed to do. They follow the same process with each request. As a result of working with us, they are also providing everything in the correct way and meeting the requirements of the legislation.
Can you say the same? If not, give us a call and we’ll be very happy to help.