Back
Cyber Security Training & Software for Companies | MetaCompliance

Products

Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters

Back
Industry

Industries

Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 


Financial Services

Creating A First Line Of Defence For Financial Service Organisations

Governments

A Go-To Security Awareness Solution For Governments

Enterprises

A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives

Back
Resources

Resources

From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

Back
MetaCompliance | Cyber Security Training & Software for Employees

About

With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Leadership Team

Meet the MetaCompliance Leadership Team

Careers

Join Us and Make Cybersecurity Personal

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

MetaBlog

Stay informed about cyber awareness training topics and mitigate risk in your organisation.

How to deal with Subject Access Requests

subject access request

about the author

Share this post

The General Data Protection Regulation (GDPR) came into effect on the 25th of May 2018 and completely overhauled how businesses process and handle data. Organisations have had to rapidly adapt to ensure they are compliant with the new legislation and not liable for the large fines which have dominated the headlines in recent months.

What many organisations hadn’t quite anticipated was the onslaught of individuals exercising their rights under the new legislation by submitting subject access requests. The GDPR has strengthened existing rights for individuals and empowered them to find out how their personal data is being used. 

A Subject Access Request (SAR) is the Right of Access allowing an individual to request what information an organisation holds about them, why it is holding this information and who is it shared with. Since the implementation of the GDPR, the ICO has noted an ‘unprecedented rise in demand’ in SARs. This, in turn, has placed an enormous strain on public services and organisations that are obliged to respond within a designated time frame.

The dramatic increase in SARs is thought to have been driven by an increase in data breaches and a general mistrust from the public in how organisations are using their data.

An important part of complying with the GDPR is understanding how to effectively deal with a SAR. Failure to meet the deadline or provide individuals with all the information they need could expose your organisation to regulatory action and large fines.

How to deal with Subject Access Requests

1. Recognise the subject access request

The GDPR does not lay out specific terms on how an individual can make a valid request for information, so it can be made verbally, in writing or even on social media. The request doesn’t even need to include the phrase ‘subject access request’, as long as the individual makes it clear that they are requesting their personal information. Organisations should ensure that specific staff are trained to identify a SAR and that the correct protocols are in place for logging requests.

2. Know your obligations

An individual is only entitled to their own personal data, and not to information relating to other people. Therefore, you must establish whether the information requested falls within the definition of personal data.

The EU defines ‘Personal Data’ as any information that can be used to directly or indirectly identify an individual (data subject). This can include everything from a name, email address, IP address and images. It also includes sensitive personal data such as biometric data or genetic data which could be processed to identify an individual.

Unless the individual has specified the exact information that they require, you will need to search for all available information that is relevant to the person. In addition to a copy of their personal data, you also have to provide individuals with the following information:

  • The purpose of your processing
  • The types of personal data concerned
  • Information about the source of the data
  • Who the data has been shared with
  • How long the data will be stored for
  • The existence of their right to request rectification, erasure or restriction or to object to such processing
  • Their right to lodge a complaint with the ICO or other supervisory authority
  • The existence of automated decision-making including profiling
  • The safeguards you provide if you transfer personal data to a country outside the EU or to an international organisation.

3. Verify the individual’s identity

Before responding to a SAR, you will need to make sure that the person requesting their personal data is who they say they are. To verify their identity, you can request a photographic ID or a utility bill. If the person making the request is an employee within your organisation, you won’t need any additional proof of identification.

A SAR can also be made through a third party, such as a solicitor or close family member. In these cases, you will need confirmation that the third party has been instructed to act on the individual’s behalf.

4. Respond within the designated time frame

How to deal with Subject Access Requests

Under the GDPR, organisations are required to respond ‘without undue delay’ and within one month of receiving the request. If the individual’s identity needs to be confirmed, the response deadline starts from when they provide the required information.

If the request is complex or you’ve received multiple requests from the same individual, the time to respond may be extended by a further two months. In this case, you must notify the individual why the extension is necessary.

5. Exemptions to Subject Access Requests

You should not disclose an individual’s personal data if it would adversely affect the rights of other individuals. The exceptions to this are when the other individual has given their consent to the disclosure, or whether it is reasonable to comply with the request without the consent of the individual.

The GDPR and the Data Protection Act 2018 also set out some exemptions that apply in certain circumstances. For example, where disclosure would prejudice defined regulatory functions or for communications that are subject to legal professional privilege.

6. Fees and excessive requests

Under the old law, organisations could charge up to £10 for carrying out a SAR, but the GDPR has since removed this barrier and the information must now be provided free of charge. However, the ICO has stated that If you receive a subject access request that is ‘manifestly unfounded or excessive’, you can charge a reasonable fee to deal with administrative costs.

7. Securely disclose the information

How to deal with Subject Access Requests

If an individual makes a request electronically, you should respond by providing the information in an electronic format, unless the individual specifies otherwise. The information should be disclosed as securely as possible.

8. Keep a record of the subject access request

You should keep a clear audit trail of the SAR in the event that a complaint is lodged to the ICO at a later date. This should include the information that was collated, the review process, key decisions made, whether exemptions were applied, the response provided, as well as correspondence made with the individual or third parties.

MetaPrivacy has been designed to provide the best practice approach to data privacy compliance. Contact us for further information on how we can help your organisation improve its compliance structure.

DISCLAIMER: The content and opinions within this blog are for information purposes only. They are not intended to constitute legal or other professional advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances, the Data Protection Act, or any other current or future legislation. MetaCompliance shall accept no responsibility for any errors, omissions or misleading statements, or for any loss which may arise from reliance on materials contained within this blog.

Other Articles on Cyber Security Awareness Training You Might Find Interesting