What Are Subject Access Requests and How Do You Comply with Them?
Well over 4 billion people use the internet today. That number seems to grow by the second which is music to most business’s ears.
Not only do the majority of major organizations offer their products and services online in an effort to boost sales through the growing digital population but online users also provide companies with a bevy of personal information that organizations to better market and do a handful of other lucrative things.
While businesses have spent years celebrating their digital relationship with consumers, politicians have not. As a matter of fact, in certain territories around the world, politicians have passed what are known as “Subject Access Request” laws.
If you’re a business owner that collects customer information, you need to be privy to what access requests are, your obligations under the law and how to fulfill them.
This quick post aims to fill you in on those fronts.
What is a Subject Access Request?
Consumers in certain jurisdictions have what is called “The Right to Access”. This right entails that they can put in a request, either written or verbally, with any business and that business needs to supply all information that they have relevant to the requesting party.
What Needs to Be Supplied to Comply?
Unfortunately for businesses, information that needs to be supplied as a result of an access request can be rather extensive. Your best bet is to talk to a lawyer that works with data privacy in your jurisdiction to fully understand the implications of receiving a request.
Below are some topical data points that you’ll almost certainly need to supply:
- Why you stored a person’s data
- How long it has been stored for
- Who the data was transmitted to
- What the data has been used for
- If your company has a profile on the requester and if so, what all of the information is within that profile
Again, those bullets are just jumping-off points. Legal counsel can help you to better comply with local requirements.
In What Time Frame do Requests Need to Be Serviced?
The vast majority of access requests need to be serviced within 30-days. There are some cases where access requests might be special or extensive. In these instances, businesses can take 90-days.
You are obligated to disclose to a requester in 30-days that you’ll be working off of an extended timeline and why if you opt in to the 3-month window.
Can You Refuse Requests?
In rare cases, you can refuse requests if they are outlandish or charge an administration fee for requests that are out of the scope of what’s considered normal.
Be aware though that refusal could prompt legal action.
How to Stay Organized Going Forward
Keeping your user data in order so it can be pulled up and handed out often comes down to how well your IT team is keeping things organized.
This IT best practices checklist should help get things on the right track if you’re not sure where to start.
Our Final Thoughts on Access Requests
Subject access requests are relatively new hoops that regulators have forced businesses to jump through. With the help of our guide above, we hope that you feel better about meeting your standards under these laws and we welcome you to browse more of our content if you find yourself needing additional information.