Any organisation that holds personal data has an obligation to provide subject access to the information it holds about an individual. Failure to do so can lead to consequences, demonstrating the need for organisations to comply. Recent news has been exposing companies that have been non-compliant with data protection regulations, resulting in those companies being issued fines.
What are SARs?
A Subject Access Request (SAR) simply enables individuals to find out whether any of their personal information is being processed, why the organisation holds it, where it may be disclosed to, and to receive a copy of this information. This fundamental right for individuals is set by the General Data Protection Act (GDPR) 1998. The way in which organisations respond to SARs can vary depending on the nature of the business, but the principles and responsibility remain the same: the company has one month to respond to standard requests; if a company feels that the request is excessive, this can be extended to three months and a cost could be incurred by the requester.
It is important for all organisations to have full awareness of SARs and the consequences they can bring, given the detrimental impact they can have on a business. Making these requests easy for individuals to submit, and being able to meet them by the deadline, are the key components of meeting the necessary requirements.
How SAR is impacting businesses
Since GDPR came into effect in May 2018, approximately 60,000 data breach notifications have been reported across Europe. However, just 91 of these reports led to a fine being issued for various violations. For example, a company in Germany was fined €20,000 for failure to protect employee passwords, and in Austria a €4,800 fine was issued for unauthorised CCTV monitoring of a public sidewalk, showing how far GDPR reaches.
The focus in recent news is Cambridge Analytica, a UK-based political, data analytics, advertising, and consulting firm. Following on from its data harvesting scandal with Facebook, the parent company SCL Elections has been found non-compliant with SAR obligations, resulting in a £15,000 fine for failing to respond to a US citizen's request for copies of data; their reasoning was that they didn't believe a US citizen had the right to make the request, so they ignored it.
How Apogee can help
As public awareness of data rights and data usage increases, Apogee offers a service to support organisations specifically with their subject access requests, creating approaches to regain control and avoid the risks of not complying with the regulations.