General Data Protection Regulation

  • Subject Access Request and Confidential References

    A Subject Access Request (SAR) is a written request from an individual, in relation to their access to information, which they are entitled to ask for under the Data Protection Act.

    There has been some debate on what must be included in an SAR, most recently over whether confidential references must be included or may be withheld.

    Under the Data Protection Act 1998, employees had the right to access their personal information, including references from current or former employers, but the employer that wrote a reference could refuse to disclose it. In practice an employee could get around that refusal by applying to the recipient employer for the reference, because the exemption covered references given by an employer, not references received; the recipient employer could not decline disclosure.

  • Subject Access Request outside of the EU

    On some occasions, an EU data subject may make a Subject Access Request (SAR) that involves processing carried out outside the EU. Data processors should be aware that a data controller located outside the EU does not necessarily escape its obligations under the General Data Protection Regulation (GDPR) simply by being outside the EU.

    The question is therefore whether the data processor must respond to the Subject Access Request itself, without the involvement of the controller.

  • Structured vs unstructured data

    Learn about the difference between structured data and unstructured data and how to best protect it in Data Protection 101, our series on the fundamentals of information security.

    When organisations prepare to collect, analyse and secure data, they need to understand that there are two kinds of data: structured and unstructured. Each presents different challenges, especially when it comes to data security, so it is important to understand both.

    Structured data is usually stored in relational databases and presented in defined columns and rows. This fixed schema allows data mining tools and algorithms to query and analyse it directly.

    Structured data can be used in:

  • Territorial Scope of GDPR

    A common scenario is a set of country-level websites managed by one central team, with some of the sites hosted in the EU and some outside it.

    The question is whether all of the sites fall within the scope of GDPR, given that EU visitors may access any of them while travelling in those countries.

  • New Data Law Committee

    Before Brexit is finalised there is a lot of work to be done, and one of the most recent priorities is the transfer of personal data between the UK and the EU. Both the Government and businesses have expressed reservations about how personal data will flow post-Brexit, especially in the event of a ‘no deal’ Brexit.

    To address this, a new Data Law Committee has been set up to discuss future legislation on data protection and privacy law. The City of London Law Society announced the Committee, and its chairman, Jon Bartley, described its formation as a “pivotal moment” for privacy law.

    The Committee exists to discuss all aspects of data privacy and cybersecurity legislation. However, Jon Bartley, the Committee Chairman and a Partner at the corporate and insurance law firm Reynolds Porter Chamberlain, said that Brexit is “our first and most urgent area of interest.”

  • Data processor

    A cloud service provider offering apps and storage to businesses is a data processor. That does not mean it is exempt from appointing a Data Protection Officer (DPO): a processor must appoint one where the processing presents risks to the rights and freedoms of individuals, or where it carries out large-scale, systematic processing.

  • Right to be forgotten

    Companies need to consider what technical measures they can take to comply with the data subject's right to erasure, or 'right to be forgotten'.

    Anonymisation means that the resulting data can no longer be linked to an identifiable person, so it is no longer personal data under GDPR. Where data has been anonymised and a subject access request (SAR) follows, you can then explain that you no longer hold personal data relating to that subject. That said, genuine anonymisation is very hard to achieve: merely hashing or masking an identifier produces pseudonymised data, which is still personal data, and generalised data may still single out an individual, so some risk remains unless the anonymisation is done properly and verified.
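    The following is an added worked example and is not part of the original article. It illustrates the caveat above with constructed, fictional records: an unsalted hash of an e-mail address is re-identifiable by anyone holding a list of candidate addresses, a keyed hash is still a pseudonym that the key holder can reverse, and generalising quasi-identifiers only helps if every released combination is shared by more than one person (a k-anonymity check). The record layout, key and helper names are assumptions for the illustration.

```python
import hashlib
import hmac
from collections import Counter
from typing import Callable, Optional

# Constructed sample records: fictional people, not real data.
CUSTOMERS = [
    {"email": "alice@example.com", "postcode": "L1 8JQ", "age": 34},
    {"email": "bob@example.com", "postcode": "L2 2DP", "age": 51},
    {"email": "carol@example.com", "postcode": "L1 4AB", "age": 38},
    {"email": "dave@example.com", "postcode": "L2 9ZZ", "age": 55},
]


def naive_pseudonymise(email: str) -> str:
    """Unsalted SHA-256 of an e-mail address.

    Deterministic and keyless, so anyone holding a candidate list of
    addresses can recompute it. The result is a pseudonym, not anonymous
    data, and remains personal data under GDPR.
    """
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonymise(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key (key is an assumed value here).

    Without the key the token cannot be recomputed from a candidate list,
    but the key holder can still link it back to the person, so SAR and
    erasure duties continue until the key itself is destroyed.
    """
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def reidentify(token: str, candidates: list, fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: recompute fn() over guessed addresses until one matches."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), token):
            return candidate
    return None


def anonymise(row: dict) -> dict:
    """Drop the direct identifier and generalise the quasi-identifiers:
    full postcode -> outward code (district), exact age -> ten-year band."""
    return {
        "district": row["postcode"].split()[0],
        "age_band": f"{(row['age'] // 10) * 10}s",
    }


def k_anonymity(rows: list) -> int:
    """Smallest number of records sharing an identical quasi-identifier tuple.
    k == 1 means at least one person is unique, and so still identifiable,
    in the released data set."""
    groups = Counter(tuple(sorted(r.items())) for r in rows)
    return min(groups.values())


if __name__ == "__main__":
    guesses = [r["email"] for r in CUSTOMERS]
    token = naive_pseudonymise("alice@example.com")
    print("naive hash recovered:", reidentify(token, guesses, naive_pseudonymise))
    released = [anonymise(r) for r in CUSTOMERS]
    print("k-anonymity of released data:", k_anonymity(released))
```

    The check that matters in practice is the last one: before telling a data subject that you no longer hold their personal data, confirm both that no secret or lookup table can reverse the tokens and that every combination of remaining attributes is shared by several people.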

  • Top ten GDPR priorities

    1. Manage expectations. GDPR ‘compliance’ is a matter of constant review, adoption of policies and adaptation of processes. Plan, develop and sustain.

    2. Continue awareness and training for staff.

    3. Update your privacy policy, and your consent capture and recording.

  • What is personal data?

    Personal data is defined in Article 4 of the General Data Protection Regulation (GDPR) as any information relating to an identified or identifiable natural person, whether on its own or in combination with other data. The following are examples of personal data:

    • Name
    • Home address
    • Driver’s license

  • Data Protection Officer

    Under the GDPR, you must appoint a data protection officer (DPO) if you:

    1) are a public authority (except for courts acting in their judicial capacity);
    2) carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
    3) carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.

  • Underhanded tactics of phone apps

    The consumer body Which? produced a report after monitoring 29 popular apps used by both iPhone and Android users, in which it uncovered the underhanded tactics several app companies use when collecting personal data.

    Which? found that several of these companies relied on borderline-lawful means to obtain unnecessary information from customers who were unaware of it, because they had neither the time nor the willingness to read the over-complicated and lengthy data protection policies. The consumer body found that:

    “Based on average reading it would take 22 hours, 21 minutes to read all the policies in one go.”

    The report also showed that, despite the General Data Protection Regulation (GDPR) having applied since May 2018, some organisations were still ignoring the fundamentals of the regulation:

  • Withdrawing consent and right to erasure

    When a data subject exercises their rights, it should first be noted that withdrawing consent, i.e. removing the controller's permission to use your data for a given purpose, is not the same as exercising the right to erasure. Consent must be specific and unambiguous, and it is given for a particular activity.

    For example, many of us will use an online web form to download a document. If there is a check box to receive marketing material from the site, and we tick the box, we will receive the marketing materials.

    If we later withdraw the marketing consent, will our information be erased as well?
