SARs can be made by the data subject informally, in either written or verbal format and in a very basic way; there is no form or formal procedures for doing it. It is important, therefore, that organisations train staff to spot a request as it could be sent to any company email address, requested via any of the company phone numbers or even posted on one of your social media sites. The first step when addressing the issue of SARs then is to ensure all staff members know what they are and crucially what they need to do with them (usually this will be to refer to a designated person or department, rather than staff responding to them personally).
It is easy to immediately become defensive when receiving a SAR but under GDPR data subject can ultimately exercise this right without having to give a reason or making a payment for the provision. This is somewhat of a form from the previous arrangement through the Data Protection Act. As a company you have just one calendar month to respond to the request from the data of it being received. There is a possibility of an extension of 2 months but this has to be justified. SARs can potentially be very disruptive and time consuming, depending on the nature of the information requested. That the task might be onerous is not a get out clause though, in the main, mostly SARs will absolutely need to be complied with. There are exceptions, but these are best understood by reading the information on the regulators page of appropriate EU member state.
Before giving a data subject access to data it is of vital importance that you are sure the data subject is the person in question, and not a third-party fishing for information about someone. In the case of a third-party request, you must obtain evidence of their authority to request the information on the data subject, in the case of a solicitor or some other professional requesting information, for example. The data subject has the right to personal data about themselves but they are not entitled to have copies of complete documents, especially when the rights of others involved would not be protected. Depending on the volume of data held about a particular person there could be some cumbersome redacting of documents or extracting and explaining context to undertake. There is no real solution to this at the present time. It should however raise a very important issue to any companies or organisations that are holding vast swathes of data - that being WHY are you doing so? Receipt of an SAR could result in your business have to taking stock of data management within the whole organisation and looking seriously and urgently at current policies in place.
