Looking to connect and grow your business? Download our free eBook

5 steps to make sure you’re ready to answer a subject access request (SAR)


The phrase subject access request (SAR) is already causing instant heart-sink for many in the business community. When GDPR comes into effect on the 25th May 2018, companies are likely to be hit by SARs from anyone wanting to know who holds their personal data and why. With the removal of the existing £10 fee for data requests abolished under the new legislation, it is highly likely that companies will be deluged by data requests with only a maximum of 30 days to return all personal data they hold on a client, in an accessible format. Faced with this challenge, will you be able to avoid the fines incurred for failing to provide this information? To help you get ready, we’ve put together this handy step by step guide to help you handle SAR requests.

Avoid or address data silos

Data silos are one of the biggest problems for data handlers in all industries. With massive amounts of data being managed and stored across multiple sites, keeping a track of it all can prove difficult. When it comes to SARs the one-month time limit to answer a request with all the requestee’s personal data. It isn’t difficult to see why having their information all in one place can save a lot of time and money. Using a cloud-based system can make accessing this information a lot easier, ensuring that all data relating to one client remains in one location.

Establish a SAR procedure now rather than later

Once GDPR comes into effect in 2018, there are likely to be many SAR requests all at once as people try to take advantage of unprepared companies (just as they did with PPI claims.) Therefore, it’s important for companies holding users’ personal data to establish SAR handling procedures ahead of time. Establish who in your company will be responsible for dealing with these requests and take the time to train those people on how to comply with the requirements of GDPR. By taking the initiative now and setting up a GDPR compliant SAR system, you can save yourself a lot of time and money as well as ensuring you’re prepared for any requests that come your way in 2018.

Ensure ALL your information is accessible

Remember when everything was recorded on paper? That information will also need to be provided should it contain personal data belonging to someone making a SAR request. How long do you think it would take to access these physical data sources, find that person’s specific data then transfer it into a universally accessible digital copy? Now think about trying to do this for 5, 10 or even 100 individual users. These are the considerations companies should be making ahead of time. Now is an appropriate time to go back to your older physical data and to transfer it to your digital databases. By having this data readily available, you avoid the risk of missing the one-month deadline and incurring the fines as a result.

Clue yourself up on what is meant by personal data under GDPR

Personal data is an ambiguous term in data management, if information belongs to a specific person, surely, it’s all personal data? Not so, as far as GDPR is concerned. (We recently wrote a helpful blog about this very point) Under GDPR, personal data is any data which can be used to identify an individual, that means names, addresses and contact information are all considered personal data under GDPR. So, if you’re responsible for this type of data, make sure you know where it’s kept and how it can be accessed. Likewise, if you don’t handle this data, don’t fall prey to opportunists looking to waste your time answering SARs for the information you don’t need to provide. Make sure you know the specifics of GDPR before it becomes law on the 25th of May 2018.

Keep your SAR procedure transparent

Once GDPR takes effect, it’s likely that many financial advisory companies will instruct people to make SAR requests with the companies handling their personal data in order to see if they can make some quick money if they fail to respond in time, again, harking back to PPI claims. They don’t cost the individual making the request anything, so it’s a no risk situation as far as they’re concerned. Companies with closed, or disorganised systems are likely to be the main targets for these people. So deter them by openly demonstrating that you have a procedure for SAR and that it works.

If you’re looking for more information on GDPR, or want to know how to improve other areas of your business practice to ensure they remain GDPR compliant, visit our website’s blog page where you can find our latest content on GDPR.

Get In Touch

If you wish to get in touch, please contact us using the details below.

City Dynamics . 131 Finsbury Pavement . London . EC2A 1NT