A subject access request (SAR) is the formal term for what happens when someone – in our case, a volunteer – asks for a copy of information you hold about them as part of their rights as a data subject under GDPR. They could ask verbally, in writing or even on social media. Then it’s on you to respond.
It is more important than ever to stay informed about proper data governance and ensure that you are complying with relevant GDPR legislation. If you are working for a charity or in a department in an organisation with data protection responsibilities you’ll need to know how subject access requests work.
It is vital for CIOs, DPOs, volunteer managers and other individuals in nonprofit teams to know how to navigate a SAR and have processes in place to manage them.
This blog is a guide to subject access requests and the GDPR legislation around them. Being prepared and planning ahead will help you respond and comply with any requests that come your way.
An introduction to subject access requests
Subject access gives individuals the right to get a copy of their personal data, as well as other supplementary information you store.
The General Data Protection Regulation (GDPR) gave “EU residents (and anyone who does business with EU organisations) a variety of new rights… One of those rights entitles people to learn what your organisation knows about them and how you use that information. This is called subject access. The California Consumer Privacy Act (CCPA) established similar rights.”(osano)
Immediately, organisations had to change the way they stored records and the way they interacted with employees, clients, customers, volunteers and donors.
For organisations that hold a large amount of data or lack a recordkeeping system, gathering the necessary data for a subject access request can be difficult. Everything must be done according to the law and in a way that lets people see how and why you’re using their data.
Subject access requests are particularly important if you work in an organisation that keeps case records about people or discusses people in emails or other systems.
In these circumstances you’ll need to:
- plan for requests to come in;
- make sure you know how you’ll find all the information;
- ensure that what you hand over doesn’t contain information about any other people;
- know how to ask for time extensions;
- have a plan to make sure you provide the information securely.
Individuals can make a SAR verbally or in writing, including on social media. It must be clear in the request that the individual is asking for their own personal data. However, they don’t need to use a specific form of words, refer to legislation or direct the request to a specific contact.
Additionally, an individual may ask a third party such as a relative, friend or solicitor to make a SAR on their behalf. Before responding, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of their authority.(ICO)
How to prepare
There are several steps you can take to ensure you are prepared to deal with any subject access request that comes your way. The ICO has an extensive checklist and provides in-depth guidance.
Here are a few of the key measures to keep in mind:
- Have a policy for how to record requests you receive verbally.
- Know how to pause the time limit for responding if you want clarification.
- Know the steps you must take to verify the identity of the requester, if necessary.
- Understand when you can refuse a request and be aware of the information you need to provide to individuals when you do so.
- Understand the nature of the supplementary information you need to provide in response to a subject access request.
- Have suitable information management systems in place.
How to fulfil
Knowing how to prepare for a SAR is the first step. The next step is having your volunteer data stored in a system that you can use to easily process a request. This is where Assemble’s volunteer management software can help.
In order to fulfil a request:
- Have processes in place to ensure that you respond to a subject access request without undue delay and within one month of receipt.
- Understand how to perform a reasonable search for the information.
- Understand what you need to consider if a third party makes a request on behalf of an individual.
- Be aware of the circumstances in which you can extend the time limit to respond to a request.
- Understand what you must consider if a request includes information about others.
- Deliver the information securely to an individual, and in the correct format.(ICO)
How can Assemble’s software simplify this process?
Assemble’s volunteer management software ensures that dealing with a SAR is simple by making the process of collating information easy for the person fulfilling the request.
With compliance you need to know exactly what information you have. And you also need to know where and why you’re storing it. That’s where Assemble is useful.
A SAR export from Assemble contains all of the user’s data, including potentially sensitive items. Access to complete a SAR should be restricted to specific, trained key staff and is often routed through the organisation’s DPO or data protection team.
Exported data is your responsibility!
Before releasing any information, ensure the person requesting the data has the authority to do so and confirm their identity. Carefully review your export to ensure that it:
- contains the expected data only,
- does not breach another user’s privacy, and
- is reasonable to release.
Working with Assemble
Assemble’s features make the SAR process simple. The SAR export feature is located on the user details page, on the top row under ‘Other’. A SAR will export all information held on the data subject in an Excel file, including attachments where applicable, as a single password-protected zip.
To further protect the data, Assemble emails the link to the file to the user who requested the SAR, along with a password. The user will need to be logged in to Assemble to download the zip file, which will only extract with the password supplied in the email.
Once the user has downloaded the file, they should review the data included to ensure it fits the detail of the request. They should then verify that the data included does not breach anyone else’s privacy and is in line with the organisation’s policies on SARs.
Finally, you should ensure the data is sent in a secure way to the requester to protect their privacy and that the downloaded data is securely erased where appropriate.
At every stage of the process you’ll benefit from using Assemble’s volunteer management software because you will be able to access everything you need in a timely fashion, whilst knowing that it is secure.
Make light work of SAR
We know that modern volunteering requires sophisticated but simple data management, which is why our software empowers you to satisfy your requirements under GDPR. You can use Assemble to save time and ensure that you catch all the necessary details.
Whether you are managing a group of volunteers or work in data governance for a nonprofit or local authority, knowing more about how a SAR works will help you organise your data and processes accordingly.
If you’d like to find out more about this or discover Assemble’s other powerful features, why not take a product tour?