If you're trying to work your way through a GDPR policy and get a handle on SARs, you're in the right place.
What Is A SAR?
A good place to start is to become familiar with some of the terms that frequently get thrown around:
- Data subject: a person whose information is being processed.
- SAR: a request from a data subject to receive a copy of their data or have it deleted.
- GDPR: the European Union data privacy law.
Now that we've clarified these terms, it's essential to know how to handle a SAR through your data subject access process flow to avoid steep fines and make sure your customer gets an appropriate response in a reasonable amount of time.
A SAR is a request made by a data subject (in this case your customer) asking you for a copy of their data, asking you to delete their data, asking you not to sell it, or requesting another action such as unsubscribing them from your email communications.
Read more in our guide to GDPR, where we discuss the law and its applicability for businesses and individuals.
The Six Steps To Responding To A SAR
A SAR lands in your inbox, and you need to act without tripping over any GDPR rules. Here's a step-by-step guide to getting it right.
1. Acknowledge The SAR
Step one is to recognize that you've received the SAR.
That might sound silly, but the GDPR doesn't define how customers should make a request. As it stands now, a request can be submitted in any way the individual chooses, from a verbal conversation to a social media message.
If someone asks for their information, it's considered a SAR, and you need to pass it on to the appropriate person to handle the request.
2. Set A Time Limit
Businesses are allowed thirty days to respond to a SAR. You have the option to extend this time period for up to three months if the request is complex or you've received multiple requests from the same person.
To avoid potential legal problems, you'll need to let the individual know if you need more than a month to respond, no matter the situation.
3. Sort Out Fees For Huge Requests
There is only one situation where you're allowed to charge a fee for a SAR response—if you receive excessive requests.
Most companies don't charge a fee to avoid creating issues with customers. But if you keep getting SARs that are unfounded or excessive, it's worth knowing that you have the option of asking for a fee (if it's a reasonable amount). Just don't assume upfront that you will be able to collect one.
4. Gather The Data
Next up, the time-consuming part—collecting the information.
If you've got a simple structure and can find everything without much complication, you're in good shape. But it often takes time to find anything and everything that could be defined as personal data.
It might be helpful to ask the data subject for more details about what information they need or want to know, but they aren't obliged to clarify their request.
5. Decide What To Withhold
This next step can be tricky. You might need to filter the information to determine what you are legally allowed to withhold.
For example, you cannot disclose other people's data except in a few very specific situations.
6. Send Your Response
Finally, send the response! It should include:
- The legal basis for your data-processing activities.
- Information on any third parties that received the data.
- How long you will store the data.
- The category of personal data you have on record.
- Information about where the personal data originated.
Even though it can be complicated, dealing with SARs is essential for GDPR compliance.
Contact Enzuzo, the trusted privacy experts, if you need help putting together your GDPR policy or working through SAR responses.