Would you know how to deal with a subject access request?

Anyone can now request, in writing or verbally, their own personal data held by an organisation. The request can be sent to anyone in your company, by any means and in any form.

If you are an accountant who deals with any amount of personal data on a daily basis, this right applies to you.

Can you honestly say that, if a subject access request (SAR) were sent to your company, you would know how to deal with it? Do you know the right procedure and the time limit within which you have to respond to a SAR?

There are some very specific guidelines for businesses from the Information Commissioner’s Office (ICO) to help deal with requests from individuals for their personal data.

Personal data refers to all information that can directly or indirectly identify a living natural person. This could be their name, national insurance number, driving licence number, passport number, addresses, email address or IP address. Anything that could identify or locate an individual could be included, even telephone and credit card numbers.

What you are required to do

  • First, you must recognise the SAR. The person making the application does not need to mention the GDPR or the Data Protection Act 2018, and the request is still valid even if they mistakenly refer to the Freedom of Information Act 2000.
  • Then identify the individual making the request. You must be sure of the identity of the person making the request. You could seek proof via a utility bill or photo ID if you do not know the person.
  • You have 1 month to respond from receipt of the SAR.
  • Identify the personal data that has been requested. In order to identify the personal data belonging to the requestor, you should make reasonable efforts to search both electronic and hard-copy records.
  • Identify any possible reasons why this particular personal information should not be disclosed. For example, this could be where disclosure would prejudice defined public functions, or where communications are subject to legal professional privilege. You are also not required to, and should not, disclose an individual’s personal data if this would adversely affect the rights of other individuals.
  • As well as a copy of their personal data, the data subject is also entitled to receive confirmation of whether you are processing their data and other supplementary information (including mandatory privacy information).
  • Make sure the personal data is handed over responsibly and securely. Particularly where personal data is being disclosed, it’s good practice to contact the individual first.
  • Keep a secure audit trail of the request. A comprehensive record of the review, sources of information and responses should be kept.

For further information see https://ico.org.uk/your-data-matters/your-right-of-access/

Responding to a SAR

Crucially, the recipient must respond to a SAR within 1 month, starting from the day of receipt. The “1 month” time limit is not a set number of days – the deadline to respond is the corresponding calendar day in the next month. For example, if you receive a SAR on 12 November, you must respond to it by 12 December.

Businesses that process data must consider and respond to these requests. It is also vital that businesses make it simple for individuals to make these requests.

Therefore, when a request is received, there must be an adequate framework within the organisation in place to collect all the necessary information on an individual and to send the information to the requestor in a safe and reasonable way. This must be done within the deadline.

Accountants must safeguard important files to ensure clients’ data is protected, and must be alert to any data breaches.

Firms that ignore the GDPR not only risk huge fines but, crucially, their reputations could be irrevocably damaged.

To determine whether operations comply with GDPR, firms may need to carry out an audit on current procedures in order to identify if and where they fall short of GDPR standards.

By failing to comply, accountants leave themselves open to significant penalties and reputational damage.

Rigorous protection must be put in place for the exchange of sensitive and confidential information with clients; email alone does not offer enough protection.

Take a look at GDPR for Accountants on our website www.myicass.com which shows you how our solution can help you and your practice manage and maintain your compliance.
