Originally written by Anna Jordan on Small Business
It’s only one part of GDPR and data protection, but a subject access request (SAR) shouldn’t be ignored. As more people become aware of their personal rights, the number of requests continues to increase.
We show you how to deal with SARs, both as a small business owner and as an employer.
What is a subject access request?
An organisation will have a certain amount of personal data on users which they use and/or store. These people may ask for a copy of their data to check that what is being held on them is in keeping with the law.
Subject access requests existed as a right under the Data Protection Act 1998, but the rules have changed with the introduction of GDPR.
Requests can be made verbally, electronically (including social media) or in writing. If you have received it in writing, make sure you can verify the identity of the sender.
How long can I take with requests?
You have one month from when you receive the SAR. You can be given an extra two months if the request is complicated or there are numerous requests. You should let the person asking for the information know about this extension