Want to watch this video? Sign up for the course here. Or enter your email below to watch one free video.

Unlock This Video Now for FREE

This video is normally available to paying customers.
You may unlock this video for FREE. Enter your email address for instant access AND to receive ongoing updates and special discounts related to this topic.

There have been a few changes to how to deal with a subject access request. The first change is that you now have one calendar month to respond to a request.  This does raise potential problems because of the different number of days in different months.  

For example if you receive a SARS request on the 30th March, your time starts ticking from the next day which would be the 31st of March. April has 30 days so your time would run out on the 30th of April. Unless it happened to fall on a bank holiday or a weekend in which case it would move on to the next working day, so that would be your deadline for responding. 

A lot of companies simplify things and make them much more straightforward, which is to have a policy of responding within 28 days, this way, you can be sure that you're always compliant.

Recognising a request has become much more of a challenge, in the past, people had to make a formal request by email and writing maybe to a particular department or a specific person. 

Now, a Subject Access Request can come in various different ways including

  • telephone 
  • email
  • mail
  • online
  • via social media 
  • face to face 
  • a request can be made to any member of staff

This means that it is important for all customer facing staff to know how to recognise a subject access request.So it's important for anyone with customer service, as in telephones, chats, social media accounts, people working on counters things like that.

The main thing is it doesn't have to go through to a specific department. You can create a form that you can put on your website or you can send to people, and say that if you want to make a Subject Access Request, fill in this form, but you can't insist that they do it, they can make it by any means that they want to do it.

You can no longer charge a fee unless the request is "manifestly unfounded or excessive."  to use the exact terminology.  A clear explanation of what this means isn't available, so everyone will have to use their own judgement. 

It may apply if they are asking for a high volume of information or if they have asked for the same information repeatedly.

In most cases, most businesses when they receive a SARS request from an individual, they will have to supply the information and a fee would not be appropriate, so they really can't charge one or request one. 

If an organisation wants to charge a fee, they would have to justify it to the individual and be ready to justify the charge to the ICO.