In this episode, we discuss:
- SARs, Subject Access Requests, GDPR Access Requests
- What they are and why they’re important to integrate early on in your GDPR program
- This is part of a series on SARs
Full Episode Transcript
Welcome to the GDPR Stand Up podcast, the only podcast dedicated to helping you succeed with GDPR compliance. Let’s get started.
Hey, there. Welcome. I’m Rocio Baeza, the host of the GDPR Stand Up podcast, and I just want to welcome you to today’s episode. If you are a new listener, thank you for checking us out. We have a backlog of about 12 episodes so far, so if you are just catching up with us now, feel free to go back and listen to any of the topics that might be of interest to you.
In today’s episode, we are going to be talking about SARs. What is a SAR? This is actually part of a series. We will have several episodes on SARs. In today’s episode, we are going to talk about what that is, the purpose behind a SAR, and who needs to worry about SARs. Also, why it’s actually one of the most important things that you should be addressing as part of your overall GDPR program. As the series develops, we’re also going to walk through how to handle a SAR. If you receive your first one or if you are working through SARs, you probably realize that there’s a process that you have to follow. We’ll talk about the responsibilities for properly handling a SAR, and I’ll also be sharing my favorite tool for helping you process a SAR.
All right, so let’s get to today’s topic. We’re just going to start with definitions. Hopefully, this is not a weird acronym that you are first learning about. SAR stands for subject access request. There are other variations. You might have heard of it as a SAR, as SARs, or a GDPR SAR. This is related to the right of access. Now, under GDPR, individuals are afforded eight different individual rights, and the right of access is one of those rights. It’s basically the event when someone reaches out to your company and asks, “Hey, I want to know what kind of data you hold about me.” If you want to take a deeper dive on this, I would point you to the regulation, and I would ask that you look at Article 15. This is covered in detail there.
Now, a SAR. Again, this is a right where a person has the ability to reach out to an organization and understand, all right, what kind of personal data do you hold about me? I want to know that as a consumer. I want to know what personal information you have, that you hold about me. This is addressing the spirit of transparency that the GDPR is looking to bring to the space. It’s looking to help individuals, people like you and me, just to better understand what kind of data organizations hold about us, how that’s being used, and it serves as a starting point so that as consumers we can possibly start to exercise any of the other rights that are afforded under GDPR.
If you’re listening to this podcast, it probably means that you are with an organization that has responsibilities around GDPR, and you may be tasked with your GDPR compliance program, or you might be trying to learn a little bit more so that you can make some progress with the implementation or with the maintenance of the program. Ideally, this is something that organizations should have planned for and have a good program in place back in May of 2018. This is when the law took effect. But I realize that many organizations, for one reason or another, may not have had an opportunity to fully implement a program and you’re still playing catch up. With this show, my goal here is to provide you with just very practical information so that you can have success with GDPR compliance.
Now, going back to SARs. You might be asking yourselves why this is important. Why am I being asked for this information? Why should I be fulfilling these? I would say that this is a very important topic because it’s one of the rights. Under the law, this is a right that an individual has. Because this is a right that’s provided, you have a legal obligation to fulfill that. One of the reasons that it is important is because you want to make sure that you are fulfilling your legal obligations. The other reason why this is important is because it’s actually not too hard to figure out if you have this in order or not.
If I were someone in the public space, and if I wanted to understand, all right, Company A, do they have their GDPR house in order, there are some very quick checks that I can do that will help me uncover that. A great example is a privacy policy. I can go to any company’s privacy policy because these are usually posted on a website, or these are usually available at the brick and mortar. In the privacy policy, GDPR calls for specific pieces of information to be provided. Now, as a professional, it’s easy for me to review a privacy policy, and I can tell you exactly if this is something an organization has invested resources in, because there are specific formats and there are specific pieces of information that a GDPR-ready organization will have made available in the privacy policy.
If your organization has not tackled this, it’s probably obvious in just reviewing your privacy policy, and it may also be obvious depending on what kind of intake process you have right now to be able to receive any subject access requests, any SARs. The reason that this should be important is because if you don’t have your GDPR house in order, if you don’t have these intake processes in place, that means that the consumer, the individual that is looking to exercise their rights, if they’re not able to receive the information that they’re asking for and receive the information that they’re legally entitled to receive from your organization, they have the right to then file a complaint with your supervisory authority. What that means is that it places a big X, that it places your organization on the radar, and regulators may start to ask questions. Because this is something that from the outside is fairly simple to know, whether you are fulfilling this obligation, that’s why it’s important that your organization invests in getting this right.
Okay, now let’s talk about what kinds of organizations should worry about SARs. Is this something that all organizations should worry about or only some? Let me talk about some of the factors there. If your organization is looking to comply with the GDPR, you need to worry about SARs. From a regulatory perspective, right, we just talked about that. If your organization holds data that is subject to the GDPR, then you need to comply with SARs. If you are not quite sure if GDPR applies to your organization or not, I advise you to work with your legal counsel so that they can provide you with better direction.
GDPR is a regulation. It brings with it a legal risk, and your legal counsel is the only one that is properly prepared to help you determine this. The rule of thumb that I like to give to my clients is this: if your organization holds information about people that are either from the EU or that are living in the EU, and by the EU I’m talking about the European Union, if your company holds information about people with a tie to the EU, it’s very likely that GDPR applies to you, even if you don’t have a physical presence in Europe, even if you don’t have market reach there. If this is a question that you haven’t quite answered, make sure that you work with your legal counsel to get clarity on that.
All right, so say you know that GDPR applies to your organization and you want to learn more about SARs. You should know that this applies to both the data controller and the data processor. Now, these are legal terms. Let me try to break that down. Whenever an organization has data about a person, it’s possible that the organization received that directly from the individual, or it’s possible that the organization received that from a partner. In the first example, if your organization is B2C, business to consumer, then that means that you’re probably receiving personal data directly from the individual, and it’s very likely that you are the data controller in that case.
Now, it’s possible that you hold information about people, right? However, you may not be receiving this directly from the individual themselves. You may be receiving this information from a partner, from a data broker, and it doesn’t matter where this data is coming from. You will still have GDPR responsibilities, you have GDPR obligations, but it’s important to understand the correct classification for your organization because there are some nuances behind that.
All right, let me give you an example of what I mean by why it’s important to clarify if your organization is a data processor or if your organization is a data controller. As you’re fulfilling a SAR, there is a procedure that you will have to follow. You will have to receive that request, and then you would have internal processes in place to process the SAR. Now, it’s important to know if your organization is a data controller or a data processor because that procedure, that intake process, will look slightly different depending on whether your organization is the controller or your organization is the processor. Let me give you an example.
Just at a very high level, when a person submits a request for a SAR, that’s going to have to be channeled through the data controller. Depending on your data flow, where your data is coming from, how you are receiving information about individuals, this workflow might be simple or it might be complex. A simple situation would be one where a person goes directly to you and submits a SAR request. If you are the data controller, the simplest workflow here is one where you’re able to process that request on your own completely, right?
Now, let’s talk about a more complex situation. Say that a SAR goes to a channel where there are multiple parties involved, so maybe Company A is sharing information with Company B, C, D, E, and F. Depending on where your organization fits in that structure, it’s possible that you may have to lead that process in fulfilling the SAR, or you may just be participating in the process. Depending on the data flow, so how it’s captured, who receives it, how it’s used internally, this may be a very clean cut request, or this may be one where you have to involve multiple parties and where you reach out to various individuals so that you can properly process that SAR.
All right, so just to close out the session for today, I hope that this helped you better understand what a SAR is and why it’s important to have a correct process in place. To tee up the conversation for next week, next week we are going to continue the discussion on SARs, and we are going to pivot to talk about what you should do when you receive a SAR. At a very high level, you basically need a process where you are acknowledging that you received that request, that you have an internal process in place to fulfill your obligations to provide the individual with the information that they’re requesting and that they are legally entitled to, and the importance of holding on to documentation as part of that process. We will walk through that process from start to finish. I would say that the middle of that process is probably the one that has the most nuances, so we will take a deeper dive there.
All right, thanks for checking us out. If you are a new listener, you can catch our episodes on a weekly basis. They release on Sundays. We are available on iTunes. We are available on Stitcher and Google Play. We’re also making transcripts of these episodes available on our website at gdprstandup.com. Thank you very much for checking us out, and see you next time. Goodbye.
Thanks for listening to the GDPR Stand Up podcast. If you need additional help, please check us out at gdprstandup.com. Until next time.