If you are an online business or even a blogger in 2020, you must know how to handle GDPR Subject Access Requests.
In May 2018, a new General Data Protection Regulation came into force in the EU. However, this law also affects any business serving residents of the EU. Here, we’ll look at what a GDPR Subject Access Request is. More importantly, we’ll look at what steps you need to take if you receive one.
If you collect personally identifiable information from visitors to your website, your website users can submit a Subject Access Request (SAR) asking you to reveal what information you have collected and why.
In most cases, GDPR Subject Access Requests will take the form of emails. However, GDPR guidelines do not define how a Subject Access Request might be made.
It is also possible to receive a SAR request via social media. This being the case, you must regularly monitor all communications with your business, via mail, telephone, email, and any social media platforms you use.
Being able to identify a SAR request as soon as a request is made is vital in the era of GDPR.
As soon as you receive a Subject Access Request, you have 30 days to respond. If you fail to do so, you may risk hefty fines for non-compliance with GDPR. However, you also need to be able to verify the identity of the person submitting a SAR.
It is possible that someone might make a Subject Access Request to trick you into disclosing information belonging to a third party. For this reason, you should refrain from satisfying requests until you have verified a SAR sender’s identity.
It is also possible to refuse GDPR Subject Access Requests, if doing so may result in disclosure of information belonging to a third-party without their express permission.
Every business and website is different. As a blogger, you might only collect website user information in the form of occasional subscriber email addresses. As an eCommerce business, though, you might gather everything from user email addresses to credit card billing information.
Sadly, in many cases, people sending Subject Access Requests are prone to making vague requests such as the following:
“Dear Sir or Madam
Please supply the personal data you hold about me, which I am entitled to receive under the EU General Data Protection Regulation.”
When SAR requests like this are vague, it is advisable to respond by asking senders to clarify what information they are looking for. Alternatively, when people do request specific information, it will be necessary for you to provide this with a clear justification of your reasons for having gathered this data.
If your business is GDPR compliant, your website privacy policy will already outline what data you gather on users and why. Please see our Privacy Policy as an example. This being the case, responding to SAR requests will usually be simple. All you will be doing is confirming that a person’s data has been handled correctly. If you wish to learn more about getting your business GDPR compliant, visit our IASME Certification and GDPR page for more information.
Is your business GDPR compliant? If not, a SAR request you can’t satisfy could see you incur fines equivalent to 4% of your worldwide turnover. This being the case, don’t wait. Take the steps you need to take now to ensure your business is fully GDPR compliant.
If you are looking for assistance in keeping your business GDPR compliant, contact one of our friendly experts today.