Google ‘Subject Access Requests’ and you will find a number of template letters designed for the consumer to send to an organisation. Read them and you will see that they are scary stuff, perfectly designed to provide ‘ambulance chasing’ lawyers with a new opportunity when PPI claims come to an end. Our task at The DPO Centre is to show you that they can be managed, and that a compliant business has no reason to fear them.
The starting point is to secure your own ground, make sure you are confident that you meet all the GDPR requirements and that you have embraced all the changes (and related opportunities) that are involved to be fully compliant. If you have done that you have little to fear, even from an aggressive and disgruntled litigant.
A basic step is to be certain of your own rights, for instance your “legitimate interest” in holding certain information. The antagonist is likely to make all sorts of claims based on limited or ‘barrack room lawyer’ knowledge, and calm, polite rebuttals from a confident position will defuse many situations.
Tools to assist you with that might be the creation of a “Subject Access Portal” that lets them see for themselves, rather than you having to respond, provided it supplies everything Article 15 entitles the requester to (the purposes, recipients, retention period and source of the data, not just a copy of it). Similarly, you can make reference to an online privacy policy, or a series of FAQs. In any event, perhaps the most important aspect of a response is speed. Although the requirement is to respond without undue delay and in any event within one month (extendable by a further two months only for complex or numerous requests, and only if you tell the requester within the first month), there is no merit in running up against this limit – and every advantage in going straight back with a well prepared, accurate and confident statement from a position of strength.
To do that you must ensure that you have the capacity to respond, and that the manner in which you do so has had the same pre-planning as would be required for a breach notification. Of course this is where The DPO Centre’s service comes into play, both in structuring matters in advance and in ensuring you have qualified cover for the reaction. As well as the reply, you will want to be on top of any press or public relations response that might be called for, with an appropriate script and brief: they will use megaphone diplomacy, so you have to be ready to react.
As a final point, if a client has used litigation of any sort then you have probably lost them whatever you do, and indeed may not want them back. In that case they are likely to be asking for rectification of any real or imagined wrong – probably combined with a demand for erasure (the ‘right to be forgotten’) – and it is once again the responsibility of your DPO to ensure those demands can be complied with in a manner that does not disrupt your ongoing business, bearing in mind that erasure can be refused where the data is needed to establish, exercise or defend legal claims. Let others get mired in lengthy reactions, negative PR and reputational damage; there is no reason for you to do so if you are suitably prepared.