So, you’ve prepared your Privacy Policy and popped it on your website. You’ve also carried out all
the other tasks to make yourself GDPR compliant e.g. your data audit, the appointment of a data
controller, the training of data processors, and getting positive opt in from those to whom you send
communications e.g. newsletters. You’ve got a warm feeling that all is now covered, and you take
mild pleasure in noticing how the likes of Uber, Talk Talk, and the Car Phone Warehouse have fallen
foul of Data Protection legislation. There’s no way it can happen to your business, and even if your
website host’s server is hacked, you have written indemnities in place which will ensure that your
business is financially immune.

There is, however, an Achilles heel. Under the GDPR (indeed under the Data Protection Act 1998)
(“DPA”) every data subject (that’s a person to you and me), has the right to ask to see what data you
hold about them. The DPA allowed businesses to charge a nominal sum for the provision of such
information. The GDPR has removed the right to charge. So, don’t even ask for money, or you will
have committed a reportable breach.

Also, remember that you only have 30 days to respond to the request, or, once again you will be in
breach and liable to be fined.

However, that’s ok isn’t it? Your data processors are fully trained. They know what data they can
release, and what they can’t. You have a robust procedure in place which involves final sign off from
your Data Controller, who has been properly appointed and trained. You take comfort from the
knowledge that people can’t just ask for anything. You are familiar with the Information
Commissioner’s Guidelines. https://ico.org.uk/for-the- public/personal-information/

But hang on. That guidance is out of date. It refers to charges, and a 40 day deadline. It also fails to
draw your attention to the fact that under the GDPR a data subject can request their information
electronically, so by email, or in theory even a tweet! Are your processors aware of this? You can
respond electronically but should keep a copy of the response. You already have in place a Register
of SARs don’t you? That’s ok, but you will need to delete all evidence of the SAR if the subject
(exercising their right under the GDPR) requests that all their data is deleted. Curious one that,
because how can you then prove that you responded to the SAR?

Does the person making the SAR have the legal right to do so? If they are not the Subject, by what
right are they requesting the information? Under a Lasting Power of Attorney (which you need to
see), or as a solicitor (in which case you must ensure that the client has given full and proper
authority).

There’s a lot to go wrong unless you have a robust procedure in place, and staff are properly trained.
On that note, don’t forget that your employees have full rights under the GDPR, and might make
SARs themselves.

Failure to deal with SARs properly is the most common breach of Data Protection law in the UK. The
fines levied can be painful. A GP’s practice revealed information which it shouldn’t and was fined
£40,000. A lot of money for a small business. https://ico.org.uk/action-weve-
taken/enforcement/regal-chambers- surgery/

For a check as to how compliant and resilient your GDPR procedures are, contact me here, or at
www.legalbusinesshelp.co.uk

© Hannen Beith April 2018