The EU General Data Protection Regulation (GDPR) and Data Protection Act 2018 have now been in force for nearly five months, and our veterinary clients are starting to feel the effects in practice. One of the most common queries we are fielding is “How do I deal with a subject access request (SAR) under the GDPR?”
The right of access grants a data subject the right to obtain a copy of their personal data, together with certain supplementary information. Such a request is usually referred to as an SAR. SARs, alongside a GDPR-compliant privacy policy, help data subjects to understand how and why their personal data is being processed, and allow them to check that it is being done lawfully.
How will this affect my practice?
Following the implementation of the GDPR, we have highlighted some key problem areas that our clients have asked for help with when dealing with SARs:
- Dealing with requests in a shorter timescale. The previous 40-day window has been shortened to one month.
- SARs will generally (but not always) be free and data subjects will be entitled to receive the information in an electronic format, or in a format requested by them. Previously, a practice could charge a £10 fee.
- Handling large numbers of indiscriminate SARs (blanket requests for “all data”).
The reality of implementation appears to have taken many practices by surprise. The greater the volume of personal data a practice holds, the harder it is to respond quickly and compliantly. We recommend implementing a clear procedure for handling SARs and providing data subjects with a tailored SAR form, which asks them to specify the information they are seeking and so reduces the number of indiscriminate requests for all personal data the practice holds about them.
Recognising a subject access request
The GDPR does not prescribe a particular format for a valid SAR. A data subject can therefore make an SAR in many different ways, either verbally or in writing. An SAR can also be made to any member or part of your practice (including via social media) and does not have to be addressed to a specific person or contact point, so staff need to be able to recognise one when it arrives. Again, a clearly signposted and accessible SAR form will help to streamline the process.
Responding to a subject access request
Under the GDPR, you must provide the data subject with the information requested by an SAR without undue delay and, in any event, within one month of receipt. For particularly complex or numerous requests, this period may be extended by up to a further two months, provided you tell the data subject within the first month that you are doing so and why.
Where you need further information from the data subject, for example to verify their identity or to clarify what they are asking for, set out clearly what you require and date your letter so that you have a record of the correspondence. Verifying identity before releasing anything is important in its own right: an SAR answered without checking who is asking is an easy way for personal data to be disclosed to the wrong person.
If you would like further advice on GDPR, please contact Dan De Saulles at: ddesaulles@hcrlaw.com