Categories
Law

GDPR and Subject Access Requests

gdpr and rights of access (sar)

The Data Protection Act 2018 (DPA) is a law that sets out rules and regulations regarding the use, storage, and sharing of personal data in the United Kingdom (UK).

The Data Protection Act 2018 was introduced to replace the Data Protection Act 1998, and it incorporates the General Data Protection Regulation (GDPR), which is a European Union (EU) regulation that governs data protection across the EU.

In this article, we explore the key features of the DPA and how it relates to GDPR, the role of the Data Protection Officer (DPO), how to make a Subject Access Report (SAR) and data protection complaint to an organisation.

Key Features of the Data Protection Act 2018

The Data Protection Act is a comprehensive piece of legislation that covers all aspects of data protection in the UK. Some of the key features of the DPA include:

  1. Data protection principles: The DPA sets out six data protection principles that organisations must follow when processing personal data. These principles include fairness, lawfulness, transparency, accuracy, storage limitation, and accountability.
  2. Lawful basis for processing: The DPA requires organisations to have a lawful basis for processing personal data. These include consent, contract, legal obligation, vital interests, public interest, and legitimate interests.
  3. Rights of data subjects: The DPA gives individuals the right to access their personal data, request the erasure of their data, and object to the processing of their data. It also gives individuals the right to data portability, which means they can request their data in a portable format.
  4. Data protection officers: The DPA requires certain organisations to appoint a data protection officer (DPO) to oversee their data protection activities.
  5. Data breaches: The DPA requires organisations to report certain types of data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach.
  6. Enforcement: The DPA gives the ICO the power to issue fines of up to £17.5 million or 4% of an organization’s global turnover for serious breaches of data protection law.

How the Data Protection Act relates to the GDPR

The DPA incorporates the GDPR into UK law. This means that organisations in the UK must comply with both the DPA and the GDPR. Some of the key ways in which the DPA relates to the GDPR include:

  1. Data protection principles: The data protection principles in the DPA are based on the principles set out in the GDPR. This means that organisations must follow the same principles when processing personal data, regardless of whether they are subject to the DPA or the GDPR.
  2. Lawful basis for processing: The lawful bases for processing personal data in the DPA are based on the lawful bases set out in the GDPR. This means that organisations must have a lawful basis for processing personal data under both the DPA and the GDPR.
  3. Rights of data subjects: The rights of data subjects in the DPA are based on the rights set out in the GDPR. This means that individuals in the UK have the same rights to access their personal data, request the erasure of their data, and object to the processing of their data as individuals in the EU.
  4. Data protection officers: The requirements for appointing a data protection officer in the DPA are based on the requirements set out in the GDPR. This means that organisations in the UK must appoint a DPO if they meet the same criteria as organisations in the EU.
  5. Data breaches: The requirements for reporting data breaches in the DPA are based on the requirements set out in the GDPR. This means that organisations in the UK must report certain types of data breaches to the ICO within 72 hours of becoming aware of the breach, just as organisations in the EU must report certain types of data breaches to their supervisory authority.
  6. Enforcement: The enforcement provisions in the DPA are based on the enforcement provisions set out in the GDPR. This means that the ICO has the power to issue fines of up to £17.5 million or 4% of an organisation’s global turnover for serious breaches of data protection law, just as supervisory authorities in the EU have the power to issue fines under the GDPR.

The ICO Guide to the UK GDPR is part of their Guide to Data Protection and is a must read to fully understand Data Protection and GDPR. The ICO is the UK’s independent body set up to uphold information rights. 

Data Protection Officer (DPO)

The primary role of the Data Protection Officer (DPO) is to ensure that there organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.

  • The UK GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities.
  • DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO). 
  • The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
  • A DPO can be an existing employee or externally appointed.
  • In some cases several organisations can appoint a single DPO between them.
  • DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.
Data Protection Officers ICO

Rights of Access – Subject Access Request

One of the key rights that individuals have under the DPA and the GDPR is the right to access their personal data. This means that individuals can request a copy of the personal data that an organisation holds about them.

  • Individuals have the right to access and receive a copy of their personal data, and other supplementary information.
  • This is commonly referred to as a subject access request or ‘SAR’.
  • Individuals can make SARs verbally or in writing, including via social media.
  • A third party can also make a SAR on behalf of another person.
  • In most circumstances, you cannot charge a fee to deal with a request.
  • You should respond without delay and within one month of receipt of the request.
  • You may extend the time limit by a further two months if the request is complex or if you receive a number of requests from the individual.
  • You should perform a reasonable search for the requested information.
  • You should provide the information in an accessible, concise and intelligible format.
  • The information should be disclosed securely.
  • You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.
Rights of Access (SAR) ICO

How to make a Subject Access Report (SAR)

To make a Subject Access Request (SAR), individuals should follow these steps:

  1. Identify the organisation: The first step is to identify the organisation that holds your personal data. This could be your employer, your bank, your healthcare provider, or any other organisation that you have interacted with.
  2. Make a request: Once you have identified the organisation, you should make a subject access request. You can do this by writing to the organisation or filling in a subject access request form, if they have one.
  3. Provide identification: The organisation will need to verify your identity before they can provide you with a copy of your personal data. They may ask for a copy of your passport, driving license, or other form of identification.
  4. Wait for a response: The organisation has 30 days to respond to your subject access request. They may ask for more information or clarification if they need it.
  5. Receive your personal data: Once the organisation has verified your identity and processed your request, they will provide you with a copy of your personal data. This may be in electronic or paper form, depending on how the organisation stores your data.
  6. Review your personal data: Once you have received your personal data, you should review it to ensure that it is accurate and up-to-date. If you find any errors or inaccuracies, you can request that the organisation corrects them.

Make a data protection complaint to an organisation

You can complain to an organisation about how it is handling yours or other people’s information; if it:

  • has not properly responded to your request for your personal information;
  • is not keeping information secure;
  • holds inaccurate information about you;
  • has disclosed information about you;
  • is keeping information about you for longer than is necessary;
  • has collected information for one reason and is using it for something else; or
  • has not upheld any of your data protection rights.
How to make a data protection complaint to an organisation ICO

To make a complaint you must follow the steps below:

  1. Complain directly to the organisation involved
  2. Give the organisation one month to respond to your complaint or request.
  3. Ask the organisation involved for clarification if you don’t understand or you’re unhappy with their response.
  4. Complain to the ICO

If you have followed these steps or the organisation is refusing to respond to you, you can complain to the ICO.

Before you submit a complaint about an organisation you should read about what to expect from the ICO.

Conclusion

In conclusion, the Data Protection Act 2018 is a crucial piece of legislation that sets out the rules and regulations governing data protection in the UK. The DPA incorporates the GDPR into UK law, which means that organisations in the UK must comply with both the DPA and the GDPR.

One of the key rights that individuals have under the DPA and the GDPR is the right to access their personal data. To make a subject access request, individuals should follow the steps outlined above. By following the rules and regulations set out in the DPA and the GDPR, organisations can ensure that they protect the personal data of their customers, employees, and stakeholders.

We recommend you should always seek formal legal advice if required, from a qualified and reputable lawyer (solicitor or barrister).

We have a number of links to Free Legal Resources and Legal Organisations on our Free Legal Advice , Legal Aid and Pro Bono pages.

Read the reviews of Gavin Howe Barrister

“He is awful, underhanded and should not be practising law!”

Latest Articles

All articles can be found in our Sitemap

By Dom Watts

Dom Watts is the founder of the Ministry of Injustice. Dom works in IT and has no legal training and is not a lawyer. You can find Dom on X or Google.

In 2002 Dom Watts was an unlikely consumer champion. The dad of three from Croydon took on the power and might of Kodak – and won………

Dom on BBC Working Lunch

Dom Watts interviewed by Gerald Main BBC Radio Cambridgeshire

Dr Laurence Godfrey (Godfrey v Demon Internet Ltd [1999] EWHC QB 244) wrote: “I am very pleased to read that there appears to have been a remarkable U-turn."

Rule of Law - Open Justice - Policing By Consent

Access To Justice Is A Right Not A Privilege
Equal Justice Under Law