Running a startup is tough. With limited resources, all you want to do is focus on growing your business. Problem is, whatever your sector, you’re going to be handling data and likely lots of it.

The General Data Protection Regulation (GDPR), which came into effect on May 25th 2018, came along with a bill of rights allowing individuals to exercise their rights and gain greater power over their data. If you’re gathering, storing, using or sharing personal data of EU citizens as a business then you have new responsibilities, regardless of where you are in the world.

A key responsibility concerns people’s right of access, exercised through a subject access request (SAR). While you may not have received a subject access request yet, it’s pretty certain you’ll receive one in the future. They shouldn’t be ignored: failure to respond can result in complaints, action from the regulator and costly legal fees.

The good news is as a startup you can bake respect for rights into your business from the ground up. This step-by-step guide will show you how subject access requests work, the steps you must take to fulfil the request and tips on how to use smart tech to keep the focus on growing your startup.

What is a subject access request?

We’ve written before about what a subject access request is, but let’s take a quick dive into how they relate to your startup.

As a startup or small business, you will have a certain amount of personal data on your users or customers which you will use and store.

For example, you may collect email addresses from your customers in order to send them marketing newsletters.

A subject access request is a legal right that allows customers and ex-employees to ask for a copy of their data, to understand how you are processing that data and to learn who you are sharing it with.

This right, along with seven others, existed under the Data Protection Act 1998, but the rules have changed a fair bit with the introduction of GDPR. It’s a legal right and you must comply; failure to do so can lead to a fine from the regulator.

Requests can be made by any means. Individuals are able to do this verbally, electronically (including on social media) or in writing, although it’s best to move any request made via social media to a more secure channel before you exchange any personal data.

Remember, a request doesn’t need to include the words ‘subject access’ or refer to the Data Protection Act to constitute a subject access request.

Is it even a subject access request?

The first step you should take is to determine whether or not it is a subject access request.

For example, the customer may just want to know what third parties you share their data with, in which case your privacy policy should provide everything they need.

To do this, you should start a conversation with the person who has sent the request. Ask them what specifically they want to know and if they wish to exercise a subject access request. A member of your customer support team will do fine here.

Finding out what they want to know can sometimes move it away from a full-blown legal request, saving you time and resources.

Does the person even exist?

Once you’ve determined that it is a subject access request, you should next verify that the person is who they say they are.

You don’t want to send a load of data to a random person, or someone who may be trying to steal data from one of your customers.

So how do you go about verifying the person?

Get the person to provide some information to prove their identity, such as a unique customer or account number, a photo ID or a copy of their driving licence or passport. You may even ask them to send a photo of themselves holding their driving licence or passport in their hand. Depending on how cash-rich you are, you may use third parties that provide KYC (know your customer) checks.

Take care at this step: if you still suspect foul play, contact the regulator to ask for advice.

When do I need to respond?

Generally, you have 30 days from when you receive the request. You can be given an extra two months if the request is complicated or there are numerous requests. Importantly you should let the person who sent the request know about this extension within one month.

What do I need to provide?

It depends on what the person has requested. But you should provide as much as you can, based on the request.

Much of this will depend entirely on your business and what systems you have. You may need to dig into your marketing or sales software.

This may include:

  • Copies of statements or other documents held under their account
  • Information you hold on them for marketing: email address, postal address, location, tracking history
  • What you’re using their data for
  • Who you are sharing it with
  • Information on where their data comes from
  • Information on their rights to challenge the accuracy of data, have it deleted or object to its use

Don’t send them gobbledygook!

You will need to provide the information in a commonly used format such as a PDF file or something similar.

Ensure that a layperson can understand it, so refrain from adding business jargon and acronyms. Keep it as simple and easy to read as you can.

Miscommunications can be avoided if your business has a subject access request policy in place. Include information like how you’ll confirm the enquirer’s identity, how you’ll gather their data, how you’ll issue your response and when you can refuse a request.

Can I refuse certain requests?

In certain circumstances, if the information someone is requesting could identify another person and it’s not reasonable to disclose that information to them, then you can refuse.

If the enquirer is being investigated for a crime, or for something connected with taxes, and the investigation would be compromised if you gave away that information, then you don’t have to fulfil the request.

You can also refuse a request if it is ‘manifestly unfounded or excessive’, for example where the request is repetitive by nature.

Again, staying ahead and having template responses to SARs will save you a lot of hassle. This template response letter from Halborns is helpful if you’re stuck.

Once you’ve sent that individual a copy of their data, the request has been fulfilled. You may want to follow up with an email or message to check they are happy. This helps ensure you don’t get a complaint made against your startup.

Can I charge a fee?

You should provide the data free under GDPR. The only situation where you can charge a ‘reasonable fee’ for administrative costs is if the request is unfounded or excessive.

Will it end there?

Unfortunately not. You may receive a follow-up complaint via social media or your support team if the individual isn’t satisfied with the outcome of the request. They may also say that they’re going to complain to the Information Commissioner’s Office (ICO) or even take it to an employment tribunal.

What if an employee, or ex-employee, files a subject access request?

Employees and ex-employees can file subject access requests for a number of reasons. Some might want to check that their data is accurate, while others may be concerned about how their personal information is being processed.

In some cases the request may be part of an existing employment dispute with a current or ex-employee, or may arise from an unfair dismissal, whistle-blowing or discrimination case, or a pay review discussion.

Information they request can include:

  • Contract of employment
  • A note of sickness absences
  • Their personnel file
  • Emails or any form of messaging between [names] (including personal emails used for work purposes)
  • CCTV footage of themselves

Employers don’t have to fulfil requests that cover confidential references, or sensitive data relating to management or financial forecasting.

In terms of process, the same applies here – a subject access request must be dealt with within one month of receipt. It can be extended to two months, but you must let the person know.

It’s worth speaking to your HR department (if you have one) about how long your data retention period is. There is no set limit under GDPR, but the ICO says data should be kept for no longer than is necessary.

Make sure you know where you keep the information on your staff and how to access the content that’s harder to find, such as email addresses and minutes from meetings.

This guest blog was written for Simpleweb by data privacy startup TapMyData.

Tap provides advice and an automated solution to handle subject access requests quickly, securely and at volume. It consists of a consumer app, secure web channel and auto-messaging which makes respect for data a part of your customer service and brand advantage. Contact Tap to learn more and request a demo.
