
How to prepare for subject access requests

Key steps in dealing with subject access requests from clients, which are increasingly seen by practices since implementation of the GDPR

28 November 2018, at 10:57am

The EU General Data Protection Regulation (GDPR) and Data Protection Act 2018 have now been in force for nearly five months, and our veterinary clients are starting to feel the effects in practice. One of the most common queries we are fielding is “How do I deal with a subject access request (SAR) under the GDPR?”

The right of access grants a data subject the right to obtain a copy of their personal data as well as other supplementary information. A request made under this right is usually referred to as an SAR. SARs, alongside a GDPR-compliant privacy policy, help data subjects to understand how and why their personal data is being processed, and allow them to check that it is being done in a lawful manner.

How will this affect my practice?

Following the implementation of the GDPR, we have highlighted some key problem areas that our clients have asked for help with when dealing with SARs:

  1. Dealing with requests in a shorter timescale. The previous 40-day window has been shortened to one month.
  2. SARs will generally (but not always) be free and data subjects will be entitled to receive the information in an electronic format, or in a format requested by them. Previously, a practice could charge a £10 fee.
  3. Handling large numbers of indiscriminate SARs (blanket requests for “all data”).

The reality of implementation appears to have taken many practices by surprise. The greater the volume of personal data a practice holds, the harder it is to respond quickly and in a compliant manner. We recommend implementing a clear procedure for handling SARs and providing data subjects with a tailored SAR form that asks for details of the specific information they seek. This reduces the number of indiscriminate SARs requesting all personal data held by the practice about that data subject.

Recognising a subject access request

The GDPR does not prescribe a particular format for a valid SAR. A data subject can therefore make an SAR in a multitude of different ways, either verbally or in writing. An SAR can also be made to any member or part of your practice (including by social media) and does not have to be addressed to a specific person or contact point. Again, having a clearly signposted and accessible SAR form will assist in streamlining the process.

Responding to a subject access request

Under the GDPR, you must provide the data subject with the information requested by an SAR within one month and without undue delay. You may be entitled to extend this period for particularly complex requests.

Where you are asking for further information, such as to verify the data subject’s identification or to establish what they require, it is advisable to set the information out clearly and to provide dates in your letter to the data subject, as proof of correspondence.

If you would like further advice on GDPR, please contact Dan De Saulles at: ddesaulles@hcrlaw.com

Dan De Saulles is part of the commercial team at Harrison Clark Rickerbys. He works with a wide range of clients, from global manufacturers to start-ups and specialist businesses such as vets’ practices. Dan provides sector-specific information to help organisations navigate the GDPR.
