
More guidance emerges for subject access requests in the UK

Joanne Cracknell, Willis Towers Watson, Divisional director, London, 28 December 2019


On 25 May 2018 the General Data Protection Regulation (GDPR) came into force, its mission being to ensure that people know about the data that firms are holding about them and how they are using it. The Information Commissioner's Office (ICO) of the United Kingdom has now issued some more advice about how to comply.

The GDPR has obliged firms - especially financial firms, which obey it more closely than most others - to update the privacy notices on their websites. The ICO has levied significant fines on British Airways and Marriott International. Meanwhile, businesses of all kinds have been coping with more subject access requests or SARs (in which people ask questions of the banks that hold information about them), particularly in London.

SARs are not a new phenomenon; they have been in existence since the Data Protection Act 1998 came into force. However, the advent of the GDPR has made the public more aware of data protection, as have the high-profile fines levied by the ICO. It has, moreover, shortened the time in which banks and other 'data controllers' can provide information and has made the consequences of non-compliance far harsher.
 
The GDPR reduced the time for responding to a SAR from 40 days to one month. However, in August this year the ICO announced that it had shortened the time that a firm had to respond to a SAR even further. The date of receipt is now ‘day one’ rather than the day after receipt, regardless of whether it is a working day or not. Any firm that receives a request on 30 August must therefore reply to it by 30 September.

This change, although a trifling one, affords us a useful moment to reflect on the things we have to do when we receive a SAR, especially as research by Parseq shows that 87% of firms that have witnessed an increase in requests have had trouble responding in time. It is, after all, a costly and complex process.

What is a SAR?

Both the Data Protection Act 1998 and the GDPR give people a right to know about and view the personal data that businesses hold about them. The idea is to give them a measure of control over that personal data and its use. A SAR is a request from someone who wants to know how much data a bank is holding on him, how it is using it and/or whether it is accurate.

How to recognise a SAR

There is no prescribed method by which someone can make a SAR. He might do so verbally, in writing or even on a social media channel. He need not utter the phrase ‘subject access request’ at all.

It is therefore essential for all staff at a bank or other financial institution to know what a SAR is and what to do if they believe that someone has made one. The firm only has one month from the day of receipt in which to respond, so 'escalation' to the correct person is essential at the earliest possible time.

It may be appropriate for the firm in question to have a standard form available on which anyone can make a SAR, but it cannot insist on anyone filling it in.

Fresh obligations to be found in the GDPR

  • You cannot ignore a SAR. If you do, you face a fine.
  • You can no longer insist on a SAR being made in writing.
  • You can no longer charge a fee in most cases, although you might be able to charge an administrative fee if the request is manifestly unfounded or excessive or if the applicant makes a request and follows it up with another request for further copies. The ICO provides detailed information on these points.
  • If someone makes a request electronically, you should provide the information in a commonly used electronic format.

What to do now?

In short, you must find the personal data and then provide it to the person who has asked to see it. The ICO considers it good practice to write to the 'data subject' (sometimes called the requestor) and tell him that you have understood his request. This will show that you take the request seriously as a SAR.

The ICO also recommends that you keep a record of all SARs that you have received, logging the times when you received them, the ways in which they came, the times when people told the Data Protection Officer about them and their response deadlines.

You must give the requestor his information in a concise, intelligible and easily accessible form. The average person ought to be capable of understanding it. You might, moreover, have to explain any financial acronyms and jargon to be found in the data.

Third-party data

Legal files often contain data about people other than the requestor. You therefore ought to take their rights into consideration when processing his request. You ought to consider the type of information that you are disclosing and any duty of confidentiality that you might owe to them. You must also find out whether any of the other people have given you permission to show him their personal data. You may need to consult a lawyer. Obviously, this puts further pressure on the timeframes involved.

Complaint files

[Editor's note: In a paper entitled Access to information held in complaint files, the ICO mentions the term 'complaint file' 47 times but does not define it once. It does, however, state categorically that such a file might contain: (i) a complainant’s personal data; (ii) "third-party personal data," which is the personal data of someone who is not the requestor; (iii) an inextricably linked mixture of the two; and (iv) information that is not personal data at all. A person who asks for a complaint file "will often be the individual who made the complaint," but not always.]
