Today we consider Subject Access Requests (SARs) under General Data Protection Regulation (GDPR). As always, I am joined in this exploration by Jonathan Armstrong, a partner in Cordery Compliance in London. SARs may turn out to be one of the most onerous, costly and time-consuming issues for companies after the go-live of GDPR on May 25, 2018. Of all the requirements of GDPR, this may be the single one which companies are least prepared for going into the new regime.

SARs currently exist for all countries in the European Union (EU), in most jurisdictions companies can currently charge a small fee for them. Although the fees are generally fairly trivial, it does put off many applicants. However, post-GDPR Armstrong believes that we are “going to see a significant increase in the number of subject access requests that people will make”. Moreover, SARs can be very difficult and time consuming to fulfill. He noted that some of Cordery’s clients estimate they spend between 100 and 300 hours per SAR. But it is not simply the detailed work needed to fulfill the SAR but a company must also redact out the data on other people.

Armstrong provided an example for a SAR for emails sent to an individual. A SAR might come in for emails being sent to Mr. Jones. While you might be able to do a word search for Mr. Jones and find all emails relating to him, it could be that 10 other people were copied in on emails to/from Mr. Jones. You are required to redact out the details of those 10 people.

Armstrong further refined the example by adding the factor that the email related to performance appraisal and a manager is communicating how their seven direct reports accomplished in that performance appraisals for the year. In responding to the SAR, a company must disclose the information on the one individual who has made the request but redact the information on the others. He words like “he or she” must be reviewed as they can provide personal identifiable information such as a person’s sex. There is also information such as cell phone details, which might be found on the footers of emails that would identify individuals. This information must be redacted.  

Obviously, this example is antithetical to the way in which US companies not only do business but the manner in which they try to avoid releasing any information to the public. However, Armstrong believes this is very important in the EU and will be going forward in the UK, post Brexit. He even pointed by to Max Schrems and the original litigation which brought down Safe Harbor. It could also be that EU and UK citizens might make SARs and then use the US corporate responses as the basis for class action type lawsuits. All of this mean US companies must not only take SARs seriously but have a protocol in place for handling them.

Once again, the key is to have policies and procedures in place to deal with SARs. He said it all begins with training so employees understand what a SAR might look like when it comes in because there is no one prescribed form. Also remember that a SAR can be made orally as well. From there you will need a process for escalating the SAR to the correct person or department. The person who will respond is critical not only for the reasons detailed above in appropriately responding to the SAR  but as Armstrong noted, “there needs to be a more highly trained person, who can diagnose whether that request is validly made and deal with it.” Such a trained and designated person should not pass up the opportunity to speak to the person making the SAR, as “sometimes there is a rumbling of discontent behind a SAR. It might be that you could  resolve the underlying issue, avoid the entire SAR” by handling whatever the issue is which led to the SAR in the first place.