0 £0.00
This item was added to your basket

Dear visitor,
You are viewing 1 of your 2 free articles

We’ve made wider, important changes to our print and online content to enhance the value of exclusive, insightful, discerning content we create every day. Support valuable editorial content by becoming a member of our Credit Club - register for free or choose a paid plan.

Register now or Login

Don’t get caught out by subject access requests

The right of individuals to access the information an organisation holds about them is an important safeguard and a cornerstone of data protection. Garreth Cameron, group manager (business and industry) at the ICO, explains more

Garreth   Cameron

Share on LinkedIn Share on Twitter
Garreth   Cameron
Share on LinkedIn Share on Twitter

Whatever business you’re in, if you hold personal data, you will probably have to respond to a request at some point.


Subject access requests happen to be the top cause of complaint to the ICO, accounting for 46 percent of cases we receive.


We know that when businesses fail to respond properly to a subject access request it can end up costing them time, money and reputational damage.


What concerns do individuals raise with us?


We often see cases where a subject access request is made following a dispute with a customer or employee that hasn’t been resolved, or has been badly managed.


If you can avoid a position where the requestor feels their only option is making a subject access request, you stand a good chance of not receiving a request in the first place.


The importance of good customer service and a pragmatic approach cannot be overstated.


A disgruntled requestor may be motivated to complain if you’ve clearly not met legal obligations. Failing to respond within the statutory 40-day time limit is a common problem.


We understand it can take time to get the information required together and review it.


On the records


Good records management is key to ensuring information can be easily identified and retrieved. Of course, you shouldn’t be retaining information you no longer have a justifiable need for anyway.


It goes without saying; you should be conducting an extensive search for the data, because failing to provide something the requestor knows you hold, is a sure fire way to a concern being raised with the ICO.


In some cases individuals’ requests are just plain ignored. While in a low number of cases it may be reasonable to inform a vexatious customer that you are ceasing contact with them, you’re still obliged to respond to their subject access request if they make one.


In other cases we see, organisations fail to identify receipt of a request. It’s important that frontline staff are trained on individuals’ rights individuals, and know how to respond when a request is received.


Extra care is needed to ensure information about third parties is not inappropriately disclosed.


We recently fined a GP surgery £40,000 after the practice revealed confidential details about a woman and her family to her estranged ex-partner, after he made a subject access request.


It’s about control


Giving people more control over their data is crucial to building consumer trust.


While individuals have legal rights under data protection, you should consider whether you want to force people to resort to the law to see what information you hold about them.


It’s a better experience for the customer to be in the driving seat, with the ability to access their data without going through a formal legal process. The growth of digital services helps to make this a reality.


Remember, individuals’ rights will be brought into focus across the European Union when the General Data Protection Regulation comes into force in May 2018. The regulation will require the data to be provided free of charge and, in certain cases, in a common electronic format.


No matter what happens in the UK post-Brexit, it’s time to ensure your house is in order when it comes to subject access.

Share on LinkedIn Share on Twitter
Add New Comment



The CS Interview

The patriot

The patriot


How much is a modern debt purchaser worth?

How much is a modern debt purchaser worth?


Here we go again: Credit Awards 2018
Share on LinkedInShare on Twitter

Here we go again: Credit Awards 2018

Credit 500 - 2018/2019

The new Credit 500 - an index of influence in commercial and consumer credit - has been unveiled
Share on LinkedInShare on Twitter

The new Credit 500 - an index of influence in commercial and consumer credit - has been unveiled

Credit Strategy
LinkedIn page

Did you find our website useful?

Thank you for your input

Thank you for your feedback

creditstrategy.co.uk – an online news and information service for the UK’s commercial and consumer credit industry. creditstrategy.co.uk is published by Shard Financial Media Limited, registered in England & Wales as 5481132, Axe & Bottle Court, 70 Newcomen St, London, SE1 1YT. All rights reserved. Credit Strategy is committed to diversity in the workplace.
@ Copyright Shard Media Group