The ICO (Information Commissioner’s Office) has updated its guidance (August 2019) on the timescale for a Subject Access Request (SAR). But what is a SAR? And how long do you have to respond to one?
What is a Subject Access Request (SAR)?
Under the General Data Protection Regulation (GDPR), anyone can request a copy of the data an organisation holds on them. The request can contain any of the following:
- Why the data is being processed
- What type of data it is
- Who any recipients of the data are
- The length of time the data has been stored
- How the data was collected
- How the data is being safeguarded
Unlike the original legislation, which allowed for a £10 upper limit, it doesn't cost anything to lodge a SAR.
How long do you have to respond to one?
You must respond to a SAR within one calendar month*. And this includes the day you receive the request. For example, a request received on the 3rd of September requires a response by the 3rd October. If you'd like more detail, check out the full guidance here.
The limited timescale to respond demonstrates how important it is to ensure the data you collect is well-stored, easy to manage and secure. Without these safeguards, a SAR can quickly turn into a painful, time-consuming process. Worse still, it could lead to a GDPR fine (up to 4% of annual global turnover or €20 million, whichever is greater ).
To help demystify the process, we've put together a six-step approach to addressing a SAR.
*If the end date falls on a Saturday, Sunday or bank holiday, the calendar month ends on the next working day.
Are you looking to improve cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.