The GDPR legislation requires your organisation to recognise individuals' rights to have a copy of their data (i.e. data about them).
Such a request for information is called a Subject Access Request (SAR) in the GDPR legislation, and you may have seen this term elsewhere.
Specifically, every individual may require you to provide:
- Confirmation that your organisation is processing their data
- Access to see the data you hold about them
There is no specific format required for an SAR. It can be verbal or in writing, it can be on social media or over the phone, it can be written on a blackboard, copied onto a photograph or sent in any way that can reasonably be expected to be understood.
This means that anyone and everyone in your organisation MUST be able to recognise such a request and ensure that it gets actioned (even if this means it is passed to someone else who is the responsible person in your organisation).
It is important that the organisation receiving the SAR checks the identity of the person requesting it using “Reasonable Means”.
The copy of the information must be provided at no cost. However, there are occasions where you can charge a fee.
The SAR response must be provided promptly and at the latest within one month of receiving the request. This can be extended by up to two months for complex or numerous requests, but only if the individual has been contacted to this effect and provided with an explanation as to why the delay will take place.
The response may be hard copy if there was a hard copy or a voiced request. If the request was electronic, an equivalent electronic response is appropriate.