Hopefully your firm is well underway with its plans on how to become GDPR compliant by May 2018. There are a number of headline tasks that most organisations will be tackling, and will have dedicated time and thought to. However, there are often overlooked areas of compliance which can still have a detrimental impact on an organisation if not considered in advance of the regulatory deadline.
A key aspect of GDPR, and one which is currently going under the radar, is that of Subject Access Requests (SARs). Many organisations will have a large amount of change to make in order to become compliant. So, when it comes to SARs, they may have considered only the number of requests they currently receive per year. This is likely to be an inconsequential figure for most firms, and therefore they have decided that SARs are a low priority and can be reviewed in the second phase of their GDPR programme, once the regulation is in force.
The large increase in fines is the primary cause of concern for most businesses, and individuals are forever quoting the threat of a fine of 4% of global turnover or 20 million to their board members. However, have you considered that the cost of litigation brought against you by members of the public could easily outweigh any of these numbers?
SARs are an organisation's weak point and provide the evidence people need to build legal cases. With that in mind, have you considered these key questions:
- How long does it take your organisation to respond to the average SAR?
- How many SARs do you currently receive each year?
- What would happen if the number of SARs were to increase?
- Would your organisation be able to handle the increase?
- Would you be able to respond in time?
- Do you have the resource capacity to handle an increase?
In the first phase of work we stress the importance of considering your approach to SARs. As a minimum, organisations should try to understand how likely it is that they will be non-compliant come the 25th May 2018. This includes understanding how easily they are able to gather the personal information held across their business. The biggest stumbling block for businesses here will be the amount of unstructured data they hold.
Next, it is important that there is clear accountability and responsibility for SARs. Organisations need to ensure that there is a clear entry point for SARs and that, when a request is made, the organisation has a clear process for deciding whether the request is valid. If the request is valid, firms then need to ensure they have the correct processes and systems in place to gather the information requested.
Finally, we suggest firms map out the full end-to-end process of how the information would be gathered. This will help organisations:
- Share the workload if the volume of SARs were to increase
- Share knowledge across teams
- Respond to SARs within the one-month deadline
- Ensure that, for each SAR, all necessary data is gathered
Nine Feet Tall would strongly suggest ensuring that an approach to SARs is included in your plans for GDPR compliance. We are available to help you prepare for GDPR, or to have an expert review your plans and provide advice on your approach. Please contact us today and see how we can make sure your GDPR approach is a success.